diff --git a/.github/actions/kind-create/action.yaml b/.github/actions/kind-create/action.yaml index 5e133cf13..f71e6f094 100644 --- a/.github/actions/kind-create/action.yaml +++ b/.github/actions/kind-create/action.yaml @@ -46,12 +46,12 @@ runs: chmod 600 $kubeconfig_path echo "kubeconfig=$(echo $kubeconfig_path)" >> $GITHUB_OUTPUT shell: bash - + - name: Install cloud-provider-kind id: cloud-provider-kind run: | echo "Install cloud-provider-kind" go install sigs.k8s.io/cloud-provider-kind@latest - kubectl label node e2e-kind-control-plane node.kubernetes.io/exclude-from-external-load-balancers- + kubectl label node e2e-kind-control-plane node.kubernetes.io/exclude-from-external-load-balancers- ~/go/bin/cloud-provider-kind & shell: bash diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 212077f83..39af143f4 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -60,17 +60,17 @@ jobs: run: | # Build main module go build ./... - + # Build api module cd api go build ./... cd .. - + # Build properties module cd properties go build ./... cd .. - + # Build main binary go build -o bin/manager main.go diff --git a/.github/workflows/e2e-test.yaml b/.github/workflows/e2e-test.yaml index 8814b23dc..601e6f238 100644 --- a/.github/workflows/e2e-test.yaml +++ b/.github/workflows/e2e-test.yaml @@ -87,3 +87,5 @@ jobs: # Clean any existing go.work files to avoid workspace conflicts rm -f go.work go.work.sum IMG_E2E=$REPOSITORY:$GITHUB_SHA make test-e2e + + diff --git a/ADOPTERS.md b/ADOPTERS.md index e25e6b8d9..f8d293b24 100644 --- a/ADOPTERS.md +++ b/ADOPTERS.md @@ -1,8 +1,8 @@ # Adopters This is a list of production adopters of Banzai Cloud's Kafka Operator (in alphabetical order): - + - Adobe Experience Platform is using the Kafka Operator to enable consistent deployment, dynamic scaling, smooth upgrades and auto-balancing in our cross-cloud Kafka infrastructure. Adobe is also contributing to the open source version of the operator. - [Banzai Cloud](https://banzaicloud.com) is using the Kafka Operator to provision, configure and manage a secure, resilient and autoscaling production ready Apache Kafka for customers. -- AffirmedNetworks is looking to use Kafka Operator to provision, configure and manage life cycle of production ready Apache Kafka. One of the use cases we are looking at, is to use Kafka to manage Event Data/Detail Record that gets generated in our applications. +- AffirmedNetworks is looking to use Kafka Operator to provision, configure and manage life cycle of production ready Apache Kafka. One of the use cases we are looking at, is to use Kafka to manage Event Data/Detail Record that gets generated in our applications. diff --git a/api/assets/kafka/kraft-controller-healthcheck.sh b/api/assets/kafka/kraft-controller-healthcheck.sh index f65e88148..81f1b203e 100755 --- a/api/assets/kafka/kraft-controller-healthcheck.sh +++ b/api/assets/kafka/kraft-controller-healthcheck.sh @@ -33,7 +33,7 @@ MATCHING_METRIC=$(curl -s "$JMX_ENDPOINT" | grep "^${METRIC_PREFIX}" | awk '$2 = # If it's not empty, it means we found a metric with a value of 1.0. if [ -n "$MATCHING_METRIC" ]; then - # Determine the state of the controller using the last field name of the metric + # Determine the state of the controller using the last field name of the metric # Possible values are leader, candidate, voted, follower, unattached, observer STATE=$(echo "$MATCHING_METRIC" | rev | cut -d'_' -f1 | rev) diff --git a/api/go.mod b/api/go.mod index 103d3d3d2..bcd5b907f 100644 --- a/api/go.mod +++ b/api/go.mod @@ -5,7 +5,6 @@ go 1.25.0 require ( dario.cat/mergo v1.0.2 emperror.dev/errors v0.8.1 - github.com/banzaicloud/istio-client-go v0.0.17 github.com/cert-manager/cert-manager v1.19.1 k8s.io/api v0.34.1 k8s.io/apimachinery v0.34.1 diff --git a/api/go.sum b/api/go.sum index 2a2459628..f1c94f682 100644 --- a/api/go.sum +++ b/api/go.sum @@ -2,8 +2,6 @@ dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= emperror.dev/errors v0.8.1 h1:UavXZ5cSX/4u9iyvH6aDcuGkVjeexUGJ7Ij7G4VfQT0= emperror.dev/errors v0.8.1/go.mod h1:YcRvLPh626Ubn2xqtoprejnA5nFha+TJ+2vew48kWuE= -github.com/banzaicloud/istio-client-go v0.0.17 h1:wiplbM7FDiIHopujInAnin3zuovtVcphtKy9En39q5I= -github.com/banzaicloud/istio-client-go v0.0.17/go.mod h1:rpnEYYGHzisx8nARl2d30Oq38EeCX0/PPaxMaREfE9I= github.com/cert-manager/cert-manager v1.19.1 h1:Txh8L/nLWTDcb7ZnXuXbTe15BxQnLbLirXmbNk0fGgY= github.com/cert-manager/cert-manager v1.19.1/go.mod h1:8Ps1VXCQRGKT8zNvLQlhDK1gFKWmYKdIPQFmvTS2JeA= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= @@ -13,12 +11,10 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= -github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= @@ -26,23 +22,17 @@ github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo= github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= @@ -57,7 +47,6 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= -github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -81,7 +70,6 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4= @@ -95,12 +83,10 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ= golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k= golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= @@ -111,22 +97,18 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= -k8s.io/apimachinery v0.0.0-20190704094733-8f6ac2502e51/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0= k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= -k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= @@ -139,6 +121,5 @@ sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= -sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go index 902967438..df41632d0 100644 --- a/api/v1beta1/common_types.go +++ b/api/v1beta1/common_types.go @@ -199,12 +199,6 @@ const ( PKIBackendK8sCSR PKIBackend = "k8s-csr" ) -// IstioControlPlaneReference is a reference to the IstioControlPlane resource. -type IstioControlPlaneReference struct { - Name string `json:"name"` - Namespace string `json:"namespace"` -} - // GracefulActionState holds information about GracefulAction State type GracefulActionState struct { // CruiseControlState holds the information about graceful action state diff --git a/api/v1beta1/kafkacluster_types.go b/api/v1beta1/kafkacluster_types.go index c629d6b6e..9d675b756 100644 --- a/api/v1beta1/kafkacluster_types.go +++ b/api/v1beta1/kafkacluster_types.go @@ -24,8 +24,6 @@ import ( "dario.cat/mergo" - "github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1" - cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" @@ -131,19 +129,6 @@ const ( // KafkaBroker.spec.container["kafka"].image defaultKafkaImage = "ghcr.io/adobe/koperator/kafka:2.13-3.9.1" // renovate: datasource=docker depName=ghcr.io/adobe/koperator/kafka - /* Istio Ingress Config */ - - // IstioMeshGateway.spec.deployment.resources - defaultIstioIngressRequestResourceCpu = "100m" - defaultIstioIngressRequestResourceMemory = "128Mi" - defaultIstioIngressLimitResourceCpu = "2000m" - defaultIstioIngressLimitResourceMemory = "1024Mi" - - // IstioMeshGateway.spec.deployment.replicas.count - // IstioMeshGateway.spec.deployment.replicas.min - // IstioMeshGateway.spec.deployment.replicas.max - defaultReplicas = 1 - /* Monitor Config */ // KafkaBrokerPod.spec.initContainer["jmx-exporter"].command @@ -184,11 +169,9 @@ type KafkaClusterSpec struct { RollingUpgradeConfig RollingUpgradeConfig `json:"rollingUpgradeConfig"` // Selector for broker pods that need to be recycled/reconciled TaintedBrokersSelector *metav1.LabelSelector `json:"taintedBrokersSelector,omitempty"` - // +kubebuilder:validation:Enum=envoy;contour;istioingress - // IngressController specifies the type of the ingress controller to be used for external listeners. The `istioingress` ingress controller type requires the `spec.istioControlPlane` field to be populated as well. + // +kubebuilder:validation:Enum=envoy;contour;envoygateway + // IngressController specifies the type of the ingress controller to be used for external listeners. IngressController string `json:"ingressController,omitempty"` - // IstioControlPlane is a reference to the IstioControlPlane resource for envoy configuration. It must be specified if istio ingress is used. - IstioControlPlane *IstioControlPlaneReference `json:"istioControlPlane,omitempty"` // If true OneBrokerPerNode ensures that each kafka broker will be placed on a different node unless a custom // Affinity definition overrides this behavior OneBrokerPerNode bool `json:"oneBrokerPerNode"` @@ -196,14 +179,14 @@ type KafkaClusterSpec struct { // when false, they will be kept so the Kafka cluster remains available for those Kafka clients which are still using the previous ingress setting. // +kubebuilder:default=false // +optional - RemoveUnusedIngressResources bool `json:"removeUnusedIngressResources,omitempty"` - PropagateLabels bool `json:"propagateLabels,omitempty"` - CruiseControlConfig CruiseControlConfig `json:"cruiseControlConfig"` - EnvoyConfig EnvoyConfig `json:"envoyConfig,omitempty"` - ContourIngressConfig ContourIngressConfig `json:"contourIngressConfig,omitempty"` - MonitoringConfig MonitoringConfig `json:"monitoringConfig,omitempty"` - AlertManagerConfig *AlertManagerConfig `json:"alertManagerConfig,omitempty"` - IstioIngressConfig IstioIngressConfig `json:"istioIngressConfig,omitempty"` + RemoveUnusedIngressResources bool `json:"removeUnusedIngressResources,omitempty"` + PropagateLabels bool `json:"propagateLabels,omitempty"` + CruiseControlConfig CruiseControlConfig `json:"cruiseControlConfig"` + EnvoyConfig EnvoyConfig `json:"envoyConfig,omitempty"` + ContourIngressConfig ContourIngressConfig `json:"contourIngressConfig,omitempty"` + EnvoyGatewayConfig EnvoyGatewayIngressConfig `json:"envoyGatewayConfig,omitempty"` + MonitoringConfig MonitoringConfig `json:"monitoringConfig,omitempty"` + AlertManagerConfig *AlertManagerConfig `json:"alertManagerConfig,omitempty"` // Envs defines environment variables for Kafka broker Pods. // Adding the "+" prefix to the name prepends the value to that environment variable instead of overwriting it. // Add the "+" suffix to append. @@ -509,42 +492,6 @@ type EnvoyCommandLineArgs struct { Concurrency int32 `json:"concurrency,omitempty"` } -// IstioIngressConfig defines the config for the Istio Ingress Controller -type IstioIngressConfig struct { - Resources *corev1.ResourceRequirements `json:"resourceRequirements,omitempty"` - // +kubebuilder:validation:Minimum=1 - Replicas int32 `json:"replicas,omitempty"` - NodeSelector map[string]string `json:"nodeSelector,omitempty"` - Tolerations []*corev1.Toleration `json:"tolerations,omitempty"` - // Annotations defines the annotations placed on the istio ingress controller deployment - Annotations map[string]string `json:"annotations,omitempty"` - TLSOptions *v1beta1.TLSOptions `json:"gatewayConfig,omitempty"` - VirtualServiceAnnotations map[string]string `json:"virtualServiceAnnotations,omitempty"` - // Envs allows to add additional env vars to the istio meshgateway resource - Envs []*corev1.EnvVar `json:"envs,omitempty"` - // If specified and supported by the platform, traffic through the - // cloud-provider load-balancer will be restricted to the specified client - // IPs. This field will be ignored if the - // cloud-provider does not support the feature." - // More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - // +optional - LoadBalancerSourceRanges []string `json:"loadBalancerSourceRanges,omitempty"` -} - -func (iIConfig *IstioIngressConfig) GetAnnotations() map[string]string { - return util.CloneMap(iIConfig.Annotations) -} - -// GetVirtualServiceAnnotations returns a copy of the VirtualServiceAnnotations field -func (iIConfig *IstioIngressConfig) GetVirtualServiceAnnotations() map[string]string { - return util.CloneMap(iIConfig.VirtualServiceAnnotations) -} - -// GetLoadBalancerSourceRanges returns LoadBalancerSourceRanges to use for Istio Meshagetway generated LoadBalancer -func (iIConfig *IstioIngressConfig) GetLoadBalancerSourceRanges() []string { - return iIConfig.LoadBalancerSourceRanges -} - // MonitoringConfig defines the config for monitoring Kafka and Cruise Control type MonitoringConfig struct { JmxImage string `json:"jmxImage,omitempty"` @@ -642,6 +589,24 @@ func (c EnvoyConfig) GetBrokerHostname(brokerId int32) string { return strings.Replace(c.BrokerHostnameTemplate, "%id", strconv.Itoa(int(brokerId)), 1) } +// GetBrokerHostname returns the broker hostname for the given broker ID +func (c EnvoyGatewayIngressConfig) GetBrokerHostname(brokerId int32) string { + return strings.Replace(c.BrokerHostnameTemplate, "%id", strconv.Itoa(int(brokerId)), 1) +} + +// GetGatewayClassName returns the GatewayClassName or default value +func (c EnvoyGatewayIngressConfig) GetGatewayClassName() string { + if c.GatewayClassName == "" { + return "eg" + } + return c.GatewayClassName +} + +// GetAnnotations returns the annotations for the Gateway resource +func (c EnvoyGatewayIngressConfig) GetAnnotations() map[string]string { + return util.CloneMap(c.Annotations) +} + // We use -1 for ExternalStartingPort value to enable TLS on envoy func (c ExternalListenerConfig) TLSEnabled() bool { return c.ExternalStartingPort == -1 @@ -725,7 +690,7 @@ type ExternalListenerConfig struct { // +optional AccessMethod corev1.ServiceType `json:"accessMethod,omitempty"` // Config allows to specify ingress controller configuration per external listener - // if set, it overrides the default `KafkaClusterSpec.IstioIngressConfig` or `KafkaClusterSpec.EnvoyConfig` for this external listener. + // if set, it overrides the default `KafkaClusterSpec.EnvoyConfig` for this external listener. // +optional Config *Config `json:"config,omitempty"` // TLS secret @@ -740,9 +705,9 @@ type Config struct { type IngressConfig struct { IngressServiceSettings `json:",inline"` - IstioIngressConfig *IstioIngressConfig `json:"istioIngressConfig,omitempty"` - EnvoyConfig *EnvoyConfig `json:"envoyConfig,omitempty"` - ContourIngressConfig *ContourIngressConfig `json:"contourIngressConfig,omitempty"` + EnvoyConfig *EnvoyConfig `json:"envoyConfig,omitempty"` + ContourIngressConfig *ContourIngressConfig `json:"contourIngressConfig,omitempty"` + EnvoyGatewayConfig *EnvoyGatewayIngressConfig `json:"envoyGatewayConfig,omitempty"` } type ContourIngressConfig struct { @@ -752,6 +717,25 @@ type ContourIngressConfig struct { BrokerFQDNTemplate string `json:"brokerFQDNTemplate"` } +type EnvoyGatewayIngressConfig struct { + // GatewayClassName is the name of the GatewayClass resource to use + // +optional + GatewayClassName string `json:"gatewayClassName,omitempty"` + // GatewayName is the name of the Gateway resource to create + // +optional + GatewayName string `json:"gatewayName,omitempty"` + // TLSSecretName is the name of the secret containing TLS certificates for TLS termination + // +optional + TLSSecretName string `json:"tlsSecretName,omitempty"` + // BrokerHostnameTemplate is the template for generating broker hostnames (e.g., "kafka-%id.example.com") + // The %id placeholder will be replaced with the broker ID + // +optional + BrokerHostnameTemplate string `json:"brokerHostnameTemplate,omitempty"` + // Annotations to add to the Gateway resource + // +optional + Annotations map[string]string `json:"annotations,omitempty"` +} + // InternalListenerConfig defines the internal listener config for Kafka type InternalListenerConfig struct { CommonListenerSpec `json:",inline"` @@ -858,23 +842,6 @@ func init() { SchemeBuilder.Register(&KafkaCluster{}, &KafkaClusterList{}) } -// GetResources returns the IstioIngress specific Kubernetes resources -func (iIConfig *IstioIngressConfig) GetResources() *corev1.ResourceRequirements { - if iIConfig.Resources != nil { - return iIConfig.Resources - } - return &corev1.ResourceRequirements{ - Requests: corev1.ResourceList{ - "cpu": resource.MustParse(defaultIstioIngressRequestResourceCpu), - "memory": resource.MustParse(defaultIstioIngressRequestResourceMemory), - }, - Limits: corev1.ResourceList{ - "cpu": resource.MustParse(defaultIstioIngressLimitResourceCpu), - "memory": resource.MustParse(defaultIstioIngressLimitResourceMemory), - }, - } -} - // GetListenerName returns the prepared listener name func (lP *CommonListenerSpec) GetListenerServiceName() string { if !strings.HasPrefix(lP.Name, "tcp-") { @@ -883,14 +850,6 @@ func (lP *CommonListenerSpec) GetListenerServiceName() string { return lP.Name } -// GetReplicas returns replicas used by the Istio Ingress deployment -func (iIConfig *IstioIngressConfig) GetReplicas() int32 { - if iIConfig.Replicas == 0 { - return defaultReplicas - } - return iIConfig.Replicas -} - // GetClientSSLCertSecretName returns the ClientSSLCertSecretName. It returns empty string if It's not specified func (k *KafkaClusterSpec) GetClientSSLCertSecretName() string { if k.ClientSSLCertSecret == nil { diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go index 20ddd8958..41103749f 100644 --- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -22,7 +22,6 @@ limitations under the License. package v1beta1 import ( - networkingv1beta1 "github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1" apismetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1" "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -541,6 +540,28 @@ func (in *EnvoyConfig) DeepCopy() *EnvoyConfig { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *EnvoyGatewayIngressConfig) DeepCopyInto(out *EnvoyGatewayIngressConfig) { + *out = *in + if in.Annotations != nil { + in, out := &in.Annotations, &out.Annotations + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvoyGatewayIngressConfig. +func (in *EnvoyGatewayIngressConfig) DeepCopy() *EnvoyGatewayIngressConfig { + if in == nil { + return nil + } + out := new(EnvoyGatewayIngressConfig) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ExternalListenerConfig) DeepCopyInto(out *ExternalListenerConfig) { *out = *in @@ -623,11 +644,6 @@ func (in *GracefulActionState) DeepCopy() *GracefulActionState { func (in *IngressConfig) DeepCopyInto(out *IngressConfig) { *out = *in in.IngressServiceSettings.DeepCopyInto(&out.IngressServiceSettings) - if in.IstioIngressConfig != nil { - in, out := &in.IstioIngressConfig, &out.IstioIngressConfig - *out = new(IstioIngressConfig) - (*in).DeepCopyInto(*out) - } if in.EnvoyConfig != nil { in, out := &in.EnvoyConfig, &out.EnvoyConfig *out = new(EnvoyConfig) @@ -638,6 +654,11 @@ func (in *IngressConfig) DeepCopyInto(out *IngressConfig) { *out = new(ContourIngressConfig) **out = **in } + if in.EnvoyGatewayConfig != nil { + in, out := &in.EnvoyGatewayConfig, &out.EnvoyGatewayConfig + *out = new(EnvoyGatewayIngressConfig) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressConfig. @@ -688,94 +709,6 @@ func (in *InternalListenerConfig) DeepCopy() *InternalListenerConfig { return out } -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioControlPlaneReference) DeepCopyInto(out *IstioControlPlaneReference) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioControlPlaneReference. -func (in *IstioControlPlaneReference) DeepCopy() *IstioControlPlaneReference { - if in == nil { - return nil - } - out := new(IstioControlPlaneReference) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioIngressConfig) DeepCopyInto(out *IstioIngressConfig) { - *out = *in - if in.Resources != nil { - in, out := &in.Resources, &out.Resources - *out = new(v1.ResourceRequirements) - (*in).DeepCopyInto(*out) - } - if in.NodeSelector != nil { - in, out := &in.NodeSelector, &out.NodeSelector - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.Tolerations != nil { - in, out := &in.Tolerations, &out.Tolerations - *out = make([]*v1.Toleration, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(v1.Toleration) - (*in).DeepCopyInto(*out) - } - } - } - if in.Annotations != nil { - in, out := &in.Annotations, &out.Annotations - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.TLSOptions != nil { - in, out := &in.TLSOptions, &out.TLSOptions - *out = new(networkingv1beta1.TLSOptions) - (*in).DeepCopyInto(*out) - } - if in.VirtualServiceAnnotations != nil { - in, out := &in.VirtualServiceAnnotations, &out.VirtualServiceAnnotations - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.Envs != nil { - in, out := &in.Envs, &out.Envs - *out = make([]*v1.EnvVar, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(v1.EnvVar) - (*in).DeepCopyInto(*out) - } - } - } - if in.LoadBalancerSourceRanges != nil { - in, out := &in.LoadBalancerSourceRanges, &out.LoadBalancerSourceRanges - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioIngressConfig. -func (in *IstioIngressConfig) DeepCopy() *IstioIngressConfig { - if in == nil { - return nil - } - out := new(IstioIngressConfig) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *KafkaCluster) DeepCopyInto(out *KafkaCluster) { *out = *in @@ -875,21 +808,16 @@ func (in *KafkaClusterSpec) DeepCopyInto(out *KafkaClusterSpec) { *out = new(metav1.LabelSelector) (*in).DeepCopyInto(*out) } - if in.IstioControlPlane != nil { - in, out := &in.IstioControlPlane, &out.IstioControlPlane - *out = new(IstioControlPlaneReference) - **out = **in - } in.CruiseControlConfig.DeepCopyInto(&out.CruiseControlConfig) in.EnvoyConfig.DeepCopyInto(&out.EnvoyConfig) out.ContourIngressConfig = in.ContourIngressConfig + in.EnvoyGatewayConfig.DeepCopyInto(&out.EnvoyGatewayConfig) out.MonitoringConfig = in.MonitoringConfig if in.AlertManagerConfig != nil { in, out := &in.AlertManagerConfig, &out.AlertManagerConfig *out = new(AlertManagerConfig) **out = **in } - in.IstioIngressConfig.DeepCopyInto(&out.IstioIngressConfig) if in.Envs != nil { in, out := &in.Envs, &out.Envs *out = make([]v1.EnvVar, len(*in)) diff --git a/charts/kafka-operator/crds/kafkaclusters.yaml b/charts/kafka-operator/crds/kafkaclusters.yaml index 4e36920cf..325b7d8a1 100644 --- a/charts/kafka-operator/crds/kafkaclusters.yaml +++ b/charts/kafka-operator/crds/kafkaclusters.yaml @@ -20780,6 +20780,31 @@ spec: type: object type: array type: object + envoyGatewayConfig: + properties: + annotations: + additionalProperties: + type: string + description: Annotations to add to the Gateway resource + type: object + brokerHostnameTemplate: + description: |- + BrokerHostnameTemplate is the template for generating broker hostnames (e.g., "kafka-%id.example.com") + The %id placeholder will be replaced with the broker ID + type: string + gatewayClassName: + description: GatewayClassName is the name of the GatewayClass + resource to use + type: string + gatewayName: + description: GatewayName is the name of the Gateway resource to + create + type: string + tlsSecretName: + description: TLSSecretName is the name of the secret containing + TLS certificates for TLS termination + type: string + type: object envs: description: |- Envs defines environment variables for Kafka broker Pods. @@ -20944,407 +20969,12 @@ spec: type: boolean ingressController: description: IngressController specifies the type of the ingress controller - to be used for external listeners. The `istioingress` ingress controller - type requires the `spec.istioControlPlane` field to be populated - as well. + to be used for external listeners. enum: - envoy - contour - - istioingress + - envoygateway type: string - istioControlPlane: - description: IstioControlPlane is a reference to the IstioControlPlane - resource for envoy configuration. It must be specified if istio - ingress is used. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - istioIngressConfig: - description: IstioIngressConfig defines the config for the Istio Ingress - Controller - properties: - annotations: - additionalProperties: - type: string - description: Annotations defines the annotations placed on the - istio ingress controller deployment - type: object - envs: - description: Envs allows to add additional env vars to the istio - meshgateway resource - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - gatewayConfig: - properties: - caCertificates: - description: |- - REQUIRED if mode is `MUTUAL`. The path to a file containing - certificate authority certificates to use in verifying a presented - client side certificate. - type: string - cipherSuites: - description: |- - Optional: If specified, only support the specified cipher list. - Otherwise default to the default cipher list supported by Envoy. - items: - type: string - type: array - credentialName: - description: |- - The credentialName stands for a unique identifier that can be used - to identify the serverCertificate and the privateKey. The - credentialName appended with suffix "-cacert" is used to identify - the CaCertificates associated with this server. Gateway workloads - capable of fetching credentials from a remote credential store such - as Kubernetes secrets, will be configured to retrieve the - serverCertificate and the privateKey using credentialName, instead - of using the file system paths specified above. If using mutual TLS, - gateway workload instances will retrieve the CaCertificates using - credentialName-cacert. The semantics of the name are platform - dependent. In Kubernetes, the default Istio supplied credential - server expects the credentialName to match the name of the - Kubernetes secret that holds the server certificate, the private - key, and the CA certificate (if using mutual TLS). Set the - `ISTIO_META_USER_SDS` metadata variable in the gateway's proxy to - enable the dynamic credential fetching feature. - type: string - httpsRedirect: - description: |- - If set to true, the load balancer will send a 301 redirect for all - http connections, asking the clients to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be - secured using TLS. The value of this field determines how TLS is - enforced. - type: string - privateKey: - description: |- - REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - holding the server's private key. - type: string - serverCertificate: - description: |- - REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - holding the server-side TLS certificate to use. - type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: |- - An optional list of hex-encoded SHA-256 hashes of the - authorized client certificates. Both simple and colon separated - formats are acceptable. - Note: When both verify_certificate_hash and verify_certificate_spki - are specified, a hash matching either value will result in the - certificate being accepted. - items: - type: string - type: array - verifyCertificateSpki: - description: |- - An optional list of base64-encoded SHA-256 hashes of the SKPIs of - authorized client certificates. - Note: When both verify_certificate_hash and verify_certificate_spki - are specified, a hash matching either value will result in the - certificate being accepted. - items: - type: string - type: array - type: object - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, traffic through the - cloud-provider load-balancer will be restricted to the specified client - IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - items: - type: string - type: array - nodeSelector: - additionalProperties: - type: string - type: object - replicas: - format: int32 - minimum: 1 - type: integer - resourceRequirements: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - tolerations: - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - virtualServiceAnnotations: - additionalProperties: - type: string - type: object - type: object kRaft: default: false description: |- @@ -21381,7 +21011,7 @@ spec: config: description: |- Config allows to specify ingress controller configuration per external listener - if set, it overrides the default `KafkaClusterSpec.IstioIngressConfig` or `KafkaClusterSpec.EnvoyConfig` for this external listener. + if set, it overrides the default `KafkaClusterSpec.EnvoyConfig` for this external listener. properties: defaultIngressConfig: type: string @@ -23006,6 +22636,33 @@ spec: type: object type: array type: object + envoyGatewayConfig: + properties: + annotations: + additionalProperties: + type: string + description: Annotations to add to the Gateway + resource + type: object + brokerHostnameTemplate: + description: |- + BrokerHostnameTemplate is the template for generating broker hostnames (e.g., "kafka-%id.example.com") + The %id placeholder will be replaced with the broker ID + type: string + gatewayClassName: + description: GatewayClassName is the name + of the GatewayClass resource to use + type: string + gatewayName: + description: GatewayName is the name of the + Gateway resource to create + type: string + tlsSecretName: + description: TLSSecretName is the name of + the secret containing TLS certificates for + TLS termination + type: string + type: object externalTrafficPolicy: description: |- externalTrafficPolicy denotes if this Service desires to route external @@ -23023,400 +22680,6 @@ spec: In case of external listeners using NodePort access method the broker instead of node public IP (see "brokerConfig.nodePortExternalIP") is advertised on the address having the following format: -. type: string - istioIngressConfig: - description: IstioIngressConfig defines the config - for the Istio Ingress Controller - properties: - annotations: - additionalProperties: - type: string - description: Annotations defines the annotations - placed on the istio ingress controller deployment - type: object - envs: - description: Envs allows to add additional - env vars to the istio meshgateway resource - items: - description: EnvVar represents an environment - variable present in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment - variable's value. Cannot be used if - value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a - ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether - the ConfigMap or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the - schema the FieldPath is written - in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the - volume mount containing the - env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a - secret in the pod's namespace - properties: - key: - description: The key of the - secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether - the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - gatewayConfig: - properties: - caCertificates: - description: |- - REQUIRED if mode is `MUTUAL`. The path to a file containing - certificate authority certificates to use in verifying a presented - client side certificate. - type: string - cipherSuites: - description: |- - Optional: If specified, only support the specified cipher list. - Otherwise default to the default cipher list supported by Envoy. - items: - type: string - type: array - credentialName: - description: |- - The credentialName stands for a unique identifier that can be used - to identify the serverCertificate and the privateKey. The - credentialName appended with suffix "-cacert" is used to identify - the CaCertificates associated with this server. Gateway workloads - capable of fetching credentials from a remote credential store such - as Kubernetes secrets, will be configured to retrieve the - serverCertificate and the privateKey using credentialName, instead - of using the file system paths specified above. If using mutual TLS, - gateway workload instances will retrieve the CaCertificates using - credentialName-cacert. The semantics of the name are platform - dependent. In Kubernetes, the default Istio supplied credential - server expects the credentialName to match the name of the - Kubernetes secret that holds the server certificate, the private - key, and the CA certificate (if using mutual TLS). Set the - `ISTIO_META_USER_SDS` metadata variable in the gateway's proxy to - enable the dynamic credential fetching feature. - type: string - httpsRedirect: - description: |- - If set to true, the load balancer will send a 301 redirect for all - http connections, asking the clients to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol - version.' - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol - version.' - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be - secured using TLS. The value of this field determines how TLS is - enforced. - type: string - privateKey: - description: |- - REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - holding the server's private key. - type: string - serverCertificate: - description: |- - REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - holding the server-side TLS certificate to use. - type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: |- - An optional list of hex-encoded SHA-256 hashes of the - authorized client certificates. Both simple and colon separated - formats are acceptable. - Note: When both verify_certificate_hash and verify_certificate_spki - are specified, a hash matching either value will result in the - certificate being accepted. - items: - type: string - type: array - verifyCertificateSpki: - description: |- - An optional list of base64-encoded SHA-256 hashes of the SKPIs of - authorized client certificates. - Note: When both verify_certificate_hash and verify_certificate_spki - are specified, a hash matching either value will result in the - certificate being accepted. - items: - type: string - type: array - type: object - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, traffic through the - cloud-provider load-balancer will be restricted to the specified client - IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - items: - type: string - type: array - nodeSelector: - additionalProperties: - type: string - type: object - replicas: - format: int32 - minimum: 1 - type: integer - resourceRequirements: - description: ResourceRequirements describes - the compute resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references - one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - tolerations: - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - virtualServiceAnnotations: - additionalProperties: - type: string - type: object - type: object serviceAnnotations: additionalProperties: type: string diff --git a/charts/kafka-operator/templates/operator-rbac.yaml b/charts/kafka-operator/templates/operator-rbac.yaml index 63b35e27e..67aaa9e67 100644 --- a/charts/kafka-operator/templates/operator-rbac.yaml +++ b/charts/kafka-operator/templates/operator-rbac.yaml @@ -139,6 +139,20 @@ rules: - patch - update - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - tcproutes + - tlsroutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - kafka.banzaicloud.io resources: @@ -189,12 +203,6 @@ rules: - patch - update - watch -- apiGroups: - - networking.istio.io - resources: - - '*' - verbs: - - '*' - apiGroups: - policy resources: @@ -219,18 +227,6 @@ rules: - patch - update - watch -- apiGroups: - - servicemesh.cisco.com - resources: - - istiomeshgateways - verbs: - - create - - delete - - get - - list - - patch - - update - - watch # RBAC_RULES_END --- apiVersion: rbac.authorization.k8s.io/v1 diff --git a/config/base/crds/kafka.banzaicloud.io_kafkaclusters.yaml b/config/base/crds/kafka.banzaicloud.io_kafkaclusters.yaml index 4e36920cf..325b7d8a1 100644 --- a/config/base/crds/kafka.banzaicloud.io_kafkaclusters.yaml +++ b/config/base/crds/kafka.banzaicloud.io_kafkaclusters.yaml @@ -20780,6 +20780,31 @@ spec: type: object type: array type: object + envoyGatewayConfig: + properties: + annotations: + additionalProperties: + type: string + description: Annotations to add to the Gateway resource + type: object + brokerHostnameTemplate: + description: |- + BrokerHostnameTemplate is the template for generating broker hostnames (e.g., "kafka-%id.example.com") + The %id placeholder will be replaced with the broker ID + type: string + gatewayClassName: + description: GatewayClassName is the name of the GatewayClass + resource to use + type: string + gatewayName: + description: GatewayName is the name of the Gateway resource to + create + type: string + tlsSecretName: + description: TLSSecretName is the name of the secret containing + TLS certificates for TLS termination + type: string + type: object envs: description: |- Envs defines environment variables for Kafka broker Pods. @@ -20944,407 +20969,12 @@ spec: type: boolean ingressController: description: IngressController specifies the type of the ingress controller - to be used for external listeners. The `istioingress` ingress controller - type requires the `spec.istioControlPlane` field to be populated - as well. + to be used for external listeners. enum: - envoy - contour - - istioingress + - envoygateway type: string - istioControlPlane: - description: IstioControlPlane is a reference to the IstioControlPlane - resource for envoy configuration. It must be specified if istio - ingress is used. - properties: - name: - type: string - namespace: - type: string - required: - - name - - namespace - type: object - istioIngressConfig: - description: IstioIngressConfig defines the config for the Istio Ingress - Controller - properties: - annotations: - additionalProperties: - type: string - description: Annotations defines the annotations placed on the - istio ingress controller deployment - type: object - envs: - description: Envs allows to add additional env vars to the istio - meshgateway resource - items: - description: EnvVar represents an environment variable present - in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment variable's value. - Cannot be used if value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the ConfigMap or its - key must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the schema the FieldPath - is written in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field to select in the - specified API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the volume mount containing - the env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: required for volumes, - optional for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output format of the - exposed resources, defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a secret in the pod's - namespace - properties: - key: - description: The key of the secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether the Secret or its key - must be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - gatewayConfig: - properties: - caCertificates: - description: |- - REQUIRED if mode is `MUTUAL`. The path to a file containing - certificate authority certificates to use in verifying a presented - client side certificate. - type: string - cipherSuites: - description: |- - Optional: If specified, only support the specified cipher list. - Otherwise default to the default cipher list supported by Envoy. - items: - type: string - type: array - credentialName: - description: |- - The credentialName stands for a unique identifier that can be used - to identify the serverCertificate and the privateKey. The - credentialName appended with suffix "-cacert" is used to identify - the CaCertificates associated with this server. Gateway workloads - capable of fetching credentials from a remote credential store such - as Kubernetes secrets, will be configured to retrieve the - serverCertificate and the privateKey using credentialName, instead - of using the file system paths specified above. If using mutual TLS, - gateway workload instances will retrieve the CaCertificates using - credentialName-cacert. The semantics of the name are platform - dependent. In Kubernetes, the default Istio supplied credential - server expects the credentialName to match the name of the - Kubernetes secret that holds the server certificate, the private - key, and the CA certificate (if using mutual TLS). Set the - `ISTIO_META_USER_SDS` metadata variable in the gateway's proxy to - enable the dynamic credential fetching feature. - type: string - httpsRedirect: - description: |- - If set to true, the load balancer will send a 301 redirect for all - http connections, asking the clients to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be - secured using TLS. The value of this field determines how TLS is - enforced. - type: string - privateKey: - description: |- - REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - holding the server's private key. - type: string - serverCertificate: - description: |- - REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - holding the server-side TLS certificate to use. - type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: |- - An optional list of hex-encoded SHA-256 hashes of the - authorized client certificates. Both simple and colon separated - formats are acceptable. - Note: When both verify_certificate_hash and verify_certificate_spki - are specified, a hash matching either value will result in the - certificate being accepted. - items: - type: string - type: array - verifyCertificateSpki: - description: |- - An optional list of base64-encoded SHA-256 hashes of the SKPIs of - authorized client certificates. - Note: When both verify_certificate_hash and verify_certificate_spki - are specified, a hash matching either value will result in the - certificate being accepted. - items: - type: string - type: array - type: object - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, traffic through the - cloud-provider load-balancer will be restricted to the specified client - IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - items: - type: string - type: array - nodeSelector: - additionalProperties: - type: string - type: object - replicas: - format: int32 - minimum: 1 - type: integer - resourceRequirements: - description: ResourceRequirements describes the compute resource - requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - tolerations: - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - virtualServiceAnnotations: - additionalProperties: - type: string - type: object - type: object kRaft: default: false description: |- @@ -21381,7 +21011,7 @@ spec: config: description: |- Config allows to specify ingress controller configuration per external listener - if set, it overrides the default `KafkaClusterSpec.IstioIngressConfig` or `KafkaClusterSpec.EnvoyConfig` for this external listener. + if set, it overrides the default `KafkaClusterSpec.EnvoyConfig` for this external listener. properties: defaultIngressConfig: type: string @@ -23006,6 +22636,33 @@ spec: type: object type: array type: object + envoyGatewayConfig: + properties: + annotations: + additionalProperties: + type: string + description: Annotations to add to the Gateway + resource + type: object + brokerHostnameTemplate: + description: |- + BrokerHostnameTemplate is the template for generating broker hostnames (e.g., "kafka-%id.example.com") + The %id placeholder will be replaced with the broker ID + type: string + gatewayClassName: + description: GatewayClassName is the name + of the GatewayClass resource to use + type: string + gatewayName: + description: GatewayName is the name of the + Gateway resource to create + type: string + tlsSecretName: + description: TLSSecretName is the name of + the secret containing TLS certificates for + TLS termination + type: string + type: object externalTrafficPolicy: description: |- externalTrafficPolicy denotes if this Service desires to route external @@ -23023,400 +22680,6 @@ spec: In case of external listeners using NodePort access method the broker instead of node public IP (see "brokerConfig.nodePortExternalIP") is advertised on the address having the following format: -. type: string - istioIngressConfig: - description: IstioIngressConfig defines the config - for the Istio Ingress Controller - properties: - annotations: - additionalProperties: - type: string - description: Annotations defines the annotations - placed on the istio ingress controller deployment - type: object - envs: - description: Envs allows to add additional - env vars to the istio meshgateway resource - items: - description: EnvVar represents an environment - variable present in a Container. - properties: - name: - description: |- - Name of the environment variable. - May consist of any printable ASCII characters except '='. - type: string - value: - description: |- - Variable references $(VAR_NAME) are expanded - using the previously defined environment variables in the container and - any service environment variables. If a variable cannot be resolved, - the reference in the input string will be unchanged. Double $$ are reduced - to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. - "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)". - Escaped references will never be expanded, regardless of whether the variable - exists or not. - Defaults to "". - type: string - valueFrom: - description: Source for the environment - variable's value. Cannot be used if - value is not empty. - properties: - configMapKeyRef: - description: Selects a key of a - ConfigMap. - properties: - key: - description: The key to select. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether - the ConfigMap or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - fieldRef: - description: |- - Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['']`, `metadata.annotations['']`, - spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs. - properties: - apiVersion: - description: Version of the - schema the FieldPath is written - in terms of, defaults to "v1". - type: string - fieldPath: - description: Path of the field - to select in the specified - API version. - type: string - required: - - fieldPath - type: object - x-kubernetes-map-type: atomic - fileKeyRef: - description: |- - FileKeyRef selects a key of the env file. - Requires the EnvFiles feature gate to be enabled. - properties: - key: - description: |- - The key within the env file. An invalid key will prevent the pod from starting. - The keys defined within a source may consist of any printable ASCII characters except '='. - During Alpha stage of the EnvFiles feature gate, the key size is limited to 128 characters. - type: string - optional: - default: false - description: |- - Specify whether the file or its key must be defined. If the file or key - does not exist, then the env var is not published. - If optional is set to true and the specified key does not exist, - the environment variable will not be set in the Pod's containers. - - If optional is set to false and the specified key does not exist, - an error will be returned during Pod creation. - type: boolean - path: - description: |- - The path within the volume from which to select the file. - Must be relative and may not contain the '..' path or start with '..'. - type: string - volumeName: - description: The name of the - volume mount containing the - env file. - type: string - required: - - key - - path - - volumeName - type: object - x-kubernetes-map-type: atomic - resourceFieldRef: - description: |- - Selects a resource of the container: only resources limits and requests - (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported. - properties: - containerName: - description: 'Container name: - required for volumes, optional - for env vars' - type: string - divisor: - anyOf: - - type: integer - - type: string - description: Specifies the output - format of the exposed resources, - defaults to "1" - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - description: 'Required: resource - to select' - type: string - required: - - resource - type: object - x-kubernetes-map-type: atomic - secretKeyRef: - description: Selects a key of a - secret in the pod's namespace - properties: - key: - description: The key of the - secret to select from. Must - be a valid secret key. - type: string - name: - default: "" - description: |- - Name of the referent. - This field is effectively required, but due to backwards compatibility is - allowed to be empty. Instances of this type with an empty value here are - almost certainly wrong. - More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - type: string - optional: - description: Specify whether - the Secret or its key must - be defined - type: boolean - required: - - key - type: object - x-kubernetes-map-type: atomic - type: object - required: - - name - type: object - type: array - gatewayConfig: - properties: - caCertificates: - description: |- - REQUIRED if mode is `MUTUAL`. The path to a file containing - certificate authority certificates to use in verifying a presented - client side certificate. - type: string - cipherSuites: - description: |- - Optional: If specified, only support the specified cipher list. - Otherwise default to the default cipher list supported by Envoy. - items: - type: string - type: array - credentialName: - description: |- - The credentialName stands for a unique identifier that can be used - to identify the serverCertificate and the privateKey. The - credentialName appended with suffix "-cacert" is used to identify - the CaCertificates associated with this server. Gateway workloads - capable of fetching credentials from a remote credential store such - as Kubernetes secrets, will be configured to retrieve the - serverCertificate and the privateKey using credentialName, instead - of using the file system paths specified above. If using mutual TLS, - gateway workload instances will retrieve the CaCertificates using - credentialName-cacert. The semantics of the name are platform - dependent. In Kubernetes, the default Istio supplied credential - server expects the credentialName to match the name of the - Kubernetes secret that holds the server certificate, the private - key, and the CA certificate (if using mutual TLS). Set the - `ISTIO_META_USER_SDS` metadata variable in the gateway's proxy to - enable the dynamic credential fetching feature. - type: string - httpsRedirect: - description: |- - If set to true, the load balancer will send a 301 redirect for all - http connections, asking the clients to use HTTPS. - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol - version.' - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol - version.' - type: string - mode: - description: |- - Optional: Indicates whether connections to this port should be - secured using TLS. The value of this field determines how TLS is - enforced. - type: string - privateKey: - description: |- - REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - holding the server's private key. - type: string - serverCertificate: - description: |- - REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - holding the server-side TLS certificate to use. - type: string - subjectAltNames: - description: |- - A list of alternate names to verify the subject identity in the - certificate presented by the client. - items: - type: string - type: array - verifyCertificateHash: - description: |- - An optional list of hex-encoded SHA-256 hashes of the - authorized client certificates. Both simple and colon separated - formats are acceptable. - Note: When both verify_certificate_hash and verify_certificate_spki - are specified, a hash matching either value will result in the - certificate being accepted. - items: - type: string - type: array - verifyCertificateSpki: - description: |- - An optional list of base64-encoded SHA-256 hashes of the SKPIs of - authorized client certificates. - Note: When both verify_certificate_hash and verify_certificate_spki - are specified, a hash matching either value will result in the - certificate being accepted. - items: - type: string - type: array - type: object - loadBalancerSourceRanges: - description: |- - If specified and supported by the platform, traffic through the - cloud-provider load-balancer will be restricted to the specified client - IPs. This field will be ignored if the - cloud-provider does not support the feature." - More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - items: - type: string - type: array - nodeSelector: - additionalProperties: - type: string - type: object - replicas: - format: int32 - minimum: 1 - type: integer - resourceRequirements: - description: ResourceRequirements describes - the compute resource requirements. - properties: - claims: - description: |- - Claims lists the names of resources, defined in spec.resourceClaims, - that are used by this container. - - This field depends on the - DynamicResourceAllocation feature gate. - - This field is immutable. It can only be set for containers. - items: - description: ResourceClaim references - one entry in PodSpec.ResourceClaims. - properties: - name: - description: |- - Name must match the name of one entry in pod.spec.resourceClaims of - the Pod where this field is used. It makes that resource available - inside a container. - type: string - request: - description: |- - Request is the name chosen for a request in the referenced claim. - If empty, everything from the claim is made available, otherwise - only the result of this request. - type: string - required: - - name - type: object - type: array - x-kubernetes-list-map-keys: - - name - x-kubernetes-list-type: map - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Limits describes the maximum amount of compute resources allowed. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - description: |- - Requests describes the minimum amount of compute resources required. - If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - otherwise to an implementation-defined value. Requests cannot exceed Limits. - More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ - type: object - type: object - tolerations: - items: - description: |- - The pod this Toleration is attached to tolerates any taint that matches - the triple using the matching operator . - properties: - effect: - description: |- - Effect indicates the taint effect to match. Empty means match all taint effects. - When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. - type: string - key: - description: |- - Key is the taint key that the toleration applies to. Empty means match all taint keys. - If the key is empty, operator must be Exists; this combination means to match all values and all keys. - type: string - operator: - description: |- - Operator represents a key's relationship to the value. - Valid operators are Exists and Equal. Defaults to Equal. - Exists is equivalent to wildcard for value, so that a pod can - tolerate all taints of a particular category. - type: string - tolerationSeconds: - description: |- - TolerationSeconds represents the period of time the toleration (which must be - of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, - it is not set, which means tolerate the taint forever (do not evict). Zero and - negative values will be treated as 0 (evict immediately) by the system. - format: int64 - type: integer - value: - description: |- - Value is the taint value the toleration matches to. - If the operator is Exists, the value should be empty, otherwise just a regular string. - type: string - type: object - type: array - virtualServiceAnnotations: - additionalProperties: - type: string - type: object - type: object serviceAnnotations: additionalProperties: type: string diff --git a/config/base/rbac/role.yaml b/config/base/rbac/role.yaml index c119e008f..82aa21c64 100644 --- a/config/base/rbac/role.yaml +++ b/config/base/rbac/role.yaml @@ -116,6 +116,20 @@ rules: - patch - update - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - tcproutes + - tlsroutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - apiGroups: - kafka.banzaicloud.io resources: @@ -166,12 +180,6 @@ rules: - patch - update - watch -- apiGroups: - - networking.istio.io - resources: - - '*' - verbs: - - '*' - apiGroups: - policy resources: @@ -196,15 +204,3 @@ rules: - patch - update - watch -- apiGroups: - - servicemesh.cisco.com - resources: - - istiomeshgateways - verbs: - - create - - delete - - get - - list - - patch - - update - - watch diff --git a/config/samples/banzaicloud_v1beta1_kafkacluster.yaml b/config/samples/banzaicloud_v1beta1_kafkacluster.yaml index 09d784675..ada481c75 100644 --- a/config/samples/banzaicloud_v1beta1_kafkacluster.yaml +++ b/config/samples/banzaicloud_v1beta1_kafkacluster.yaml @@ -15,7 +15,7 @@ spec: # - name: "remote-debug" # containerPort: 5005 # protocol: "TCP" - # Specify the usable ingress controller, only envoy and istioingress supported can be left blank + # Specify the usable ingress controller, only envoy and contour supported can be left blank ingressController: "envoy" # Specify the zookeeper addresses where the Kafka should store it's metadata # This configuration has no impact if the KafkaCluster is under KRaft mode @@ -306,7 +306,7 @@ spec: # defaultIngressConfig describes which ingress configuration to use # when non set on the brokerIngressMapping field inside BrokerConfig defaultIngressConfig: "az2" - # ingressConfig bundles the two available ingress configuration envoy and istio ingress + # ingressConfig bundles the available ingress configurations (envoy and contour) ingressConfig: # Ingress config name should be unique per external listener ingress-az1: @@ -369,42 +369,6 @@ spec: # cloud-provider does not support the feature." # More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ # loadBalancerSourceRanges: - ingress-az1-istio: - istioIngressConfig: - # annotations can be used to place annotations on the istio ingress controller deployment - annotations: istio-az1 - # resourceRequirements works exactly like Container resources, the user can specify the limit and the requests - # through this property - # resourceRequirements: - # limits: - # memory: "300Mi" - # cpu: "200m" - # requests: - # memory: "300Mi" - # cpu: "200m" - # replicas describes how many pods will be used for the created envoy proxy - # replicas: 1 - - # nodeSelector can be specified, which set the pod to fit on a node - # nodeSelector: - - # tolerations can be specified, which set the pod's tolerations - # tolerations: - - # allows to set the created gateway configuration - # gatewayConfig: - - # annotations will be placed on the created virtual service - # virtualServiceAnnotations: - - # annotations defines the annotations placed on the envoy ingress controller deployment - # annotations: - - # If specified and supported by the platform, this will restrict traffic through the cloud-provider - # load-balancer will be restricted to the specified client IPs. This field will be ignored if the - # cloud-provider does not support the feature." - # More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - # loadBalancerSourceRanges: # internalListeners specifies settings required to access kafka externally internalListeners: # type defines the used security type ssl, plaintext, sasl_plaintext, sasl_ssl diff --git a/config/samples/kraft/simplekafkacluster_kraft.yaml b/config/samples/kraft/simplekafkacluster_kraft.yaml index 793066691..2db1dd9c7 100644 --- a/config/samples/kraft/simplekafkacluster_kraft.yaml +++ b/config/samples/kraft/simplekafkacluster_kraft.yaml @@ -4,6 +4,7 @@ metadata: labels: controller-tools.k8s.io: "1.0" name: kafka + namespace: kafka spec: kRaft: true monitoringConfig: diff --git a/config/samples/kraft/simplekafkacluster_kraft_with_envoy.yaml b/config/samples/kraft/simplekafkacluster_kraft_with_envoy.yaml new file mode 100644 index 000000000..ed8835b94 --- /dev/null +++ b/config/samples/kraft/simplekafkacluster_kraft_with_envoy.yaml @@ -0,0 +1,278 @@ +apiVersion: kafka.banzaicloud.io/v1beta1 +kind: KafkaCluster +metadata: + labels: + controller-tools.k8s.io: "1.0" + name: kafka + namespace: kafka +spec: + kRaft: true + monitoringConfig: + jmxImage: "ghcr.io/adobe/koperator/jmx-javaagent:1.4.0" + headlessServiceEnabled: true + propagateLabels: false + oneBrokerPerNode: false + clusterImage: "ghcr.io/adobe/koperator/kafka:2.13-3.9.1" + ingressController: "envoy" + readOnlyConfig: | + auto.create.topics.enable=false + cruise.control.metrics.topic.auto.create=true + cruise.control.metrics.topic.num.partitions=1 + cruise.control.metrics.topic.replication.factor=2 + brokerConfigGroups: + default: + storageConfigs: + - mountPath: "/kafka-logs" + pvcSpec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + broker: + processRoles: + - broker + storageConfigs: + - mountPath: "/kafka-logs-broker" + pvcSpec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + brokerAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9020" + brokers: + - id: 0 + brokerConfigGroup: "broker" + - id: 1 + brokerConfigGroup: "broker" + - id: 2 + brokerConfigGroup: "broker" + - id: 3 + brokerConfigGroup: "default" + brokerConfig: + processRoles: + - controller + - id: 4 + brokerConfigGroup: "default" + brokerConfig: + processRoles: + - controller + - id: 5 + brokerConfigGroup: "default" + brokerConfig: + processRoles: + - controller + rollingUpgradeConfig: + failureThreshold: 1 + cruiseControlConfig: + cruiseControlTaskSpec: + RetryDurationMinutes: 5 + topicConfig: + partitions: 12 + replicationFactor: 3 + config: | + # Copyright 2017 LinkedIn Corp. Licensed under the BSD 2-Clause License (the "License"). See License in the project root for license information. + # + # This is an example property file for Kafka Cruise Control. See KafkaCruiseControlConfig for more details. + # Configuration for the metadata client. + # ======================================= + # The maximum interval in milliseconds between two metadata refreshes. + #metadata.max.age.ms=300000 + # Client id for the Cruise Control. It is used for the metadata client. + #client.id=kafka-cruise-control + # The size of TCP send buffer bytes for the metadata client. + #send.buffer.bytes=131072 + # The size of TCP receive buffer size for the metadata client. + #receive.buffer.bytes=131072 + # The time to wait before disconnect an idle TCP connection. + #connections.max.idle.ms=540000 + # The time to wait before reconnect to a given host. + #reconnect.backoff.ms=50 + # The time to wait for a response from a host after sending a request. + #request.timeout.ms=30000 + # Configurations for the load monitor + # ======================================= + # The number of metric fetcher thread to fetch metrics for the Kafka cluster + num.metric.fetchers=1 + # The metric sampler class + metric.sampler.class=com.linkedin.kafka.cruisecontrol.monitor.sampling.CruiseControlMetricsReporterSampler + # Configurations for CruiseControlMetricsReporterSampler + metric.reporter.topic.pattern=__CruiseControlMetrics + # The sample store class name + sample.store.class=com.linkedin.kafka.cruisecontrol.monitor.sampling.KafkaSampleStore + # The config for the Kafka sample store to save the partition metric samples + partition.metric.sample.store.topic=__KafkaCruiseControlPartitionMetricSamples + # The config for the Kafka sample store to save the model training samples + broker.metric.sample.store.topic=__KafkaCruiseControlModelTrainingSamples + # The replication factor of Kafka metric sample store topic + sample.store.topic.replication.factor=2 + # The config for the number of Kafka sample store consumer threads + num.sample.loading.threads=8 + # The partition assignor class for the metric samplers + metric.sampler.partition.assignor.class=com.linkedin.kafka.cruisecontrol.monitor.sampling.DefaultMetricSamplerPartitionAssignor + # The metric sampling interval in milliseconds + metric.sampling.interval.ms=120000 + metric.anomaly.detection.interval.ms=180000 + # The partition metrics window size in milliseconds + partition.metrics.window.ms=300000 + # The number of partition metric windows to keep in memory + num.partition.metrics.windows=1 + # The minimum partition metric samples required for a partition in each window + min.samples.per.partition.metrics.window=1 + # The broker metrics window size in milliseconds + broker.metrics.window.ms=300000 + # The number of broker metric windows to keep in memory + num.broker.metrics.windows=20 + # The minimum broker metric samples required for a partition in each window + min.samples.per.broker.metrics.window=1 + # The configuration for the BrokerCapacityConfigFileResolver (supports JBOD and non-JBOD broker capacities) + capacity.config.file=config/capacity.json + #capacity.config.file=config/capacityJBOD.json + # Configurations for the analyzer + # ======================================= + # The list of goals to optimize the Kafka cluster for with pre-computed proposals + default.goals=com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.PotentialNwOutGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.TopicReplicaDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.LeaderBytesInDistributionGoal + # The list of supported goals + goals=com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.PotentialNwOutGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.TopicReplicaDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.LeaderBytesInDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.kafkaassigner.KafkaAssignerDiskUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.PreferredLeaderElectionGoal + # The list of supported hard goals + hard.goals=com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuCapacityGoal + # The minimum percentage of well monitored partitions out of all the partitions + min.monitored.partition.percentage=0.95 + # The balance threshold for CPU + cpu.balance.threshold=1.1 + # The balance threshold for disk + disk.balance.threshold=1.1 + # The balance threshold for network inbound utilization + network.inbound.balance.threshold=1.1 + # The balance threshold for network outbound utilization + network.outbound.balance.threshold=1.1 + # The balance threshold for the replica count + replica.count.balance.threshold=1.1 + # The capacity threshold for CPU in percentage + cpu.capacity.threshold=0.8 + # The capacity threshold for disk in percentage + disk.capacity.threshold=0.8 + # The capacity threshold for network inbound utilization in percentage + network.inbound.capacity.threshold=0.8 + # The capacity threshold for network outbound utilization in percentage + network.outbound.capacity.threshold=0.8 + # The threshold to define the cluster to be in a low CPU utilization state + cpu.low.utilization.threshold=0.0 + # The threshold to define the cluster to be in a low disk utilization state + disk.low.utilization.threshold=0.0 + # The threshold to define the cluster to be in a low network inbound utilization state + network.inbound.low.utilization.threshold=0.0 + # The threshold to define the cluster to be in a low disk utilization state + network.outbound.low.utilization.threshold=0.0 + # The metric anomaly percentile upper threshold + metric.anomaly.percentile.upper.threshold=90.0 + # The metric anomaly percentile lower threshold + metric.anomaly.percentile.lower.threshold=10.0 + # How often should the cached proposal be expired and recalculated if necessary + proposal.expiration.ms=60000 + # The maximum number of replicas that can reside on a broker at any given time. + max.replicas.per.broker=10000 + # The number of threads to use for proposal candidate precomputing. + num.proposal.precompute.threads=1 + # the topics that should be excluded from the partition movement. + #topics.excluded.from.partition.movement + # Configurations for the executor + # ======================================= + # The max number of partitions to move in/out on a given broker at a given time. + num.concurrent.partition.movements.per.broker=10 + # The interval between two execution progress checks. + execution.progress.check.interval.ms=10000 + # Configurations for anomaly detector + # ======================================= + # The goal violation notifier class + anomaly.notifier.class=com.linkedin.kafka.cruisecontrol.detector.notifier.SelfHealingNotifier + # The metric anomaly finder class + metric.anomaly.finder.class=com.linkedin.kafka.cruisecontrol.detector.KafkaMetricAnomalyFinder + # The anomaly detection interval + anomaly.detection.interval.ms=10000 + # The goal violation to detect. + anomaly.detection.goals=com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuCapacityGoal + # The interested metrics for metric anomaly analyzer. + metric.anomaly.analyzer.metrics=BROKER_PRODUCE_LOCAL_TIME_MS_MAX,BROKER_PRODUCE_LOCAL_TIME_MS_MEAN,BROKER_CONSUMER_FETCH_LOCAL_TIME_MS_MAX,BROKER_CONSUMER_FETCH_LOCAL_TIME_MS_MEAN,BROKER_FOLLOWER_FETCH_LOCAL_TIME_MS_MAX,BROKER_FOLLOWER_FETCH_LOCAL_TIME_MS_MEAN,BROKER_LOG_FLUSH_TIME_MS_MAX,BROKER_LOG_FLUSH_TIME_MS_MEAN + ## Adjust accordingly if your metrics reporter is an older version and does not produce these metrics. + #metric.anomaly.analyzer.metrics=BROKER_PRODUCE_LOCAL_TIME_MS_50TH,BROKER_PRODUCE_LOCAL_TIME_MS_999TH,BROKER_CONSUMER_FETCH_LOCAL_TIME_MS_50TH,BROKER_CONSUMER_FETCH_LOCAL_TIME_MS_999TH,BROKER_FOLLOWER_FETCH_LOCAL_TIME_MS_50TH,BROKER_FOLLOWER_FETCH_LOCAL_TIME_MS_999TH,BROKER_LOG_FLUSH_TIME_MS_50TH,BROKER_LOG_FLUSH_TIME_MS_999TH + # The cluster configurations for the KafkaTopicConfigProvider + cluster.configs.file=config/clusterConfigs.json + # The maximum time in milliseconds to store the response and access details of a completed user task. + completed.user.task.retention.time.ms=21600000 + # The maximum time in milliseconds to retain the demotion history of brokers. + demotion.history.retention.time.ms=86400000 + # The maximum number of completed user tasks for which the response and access details will be cached. + max.cached.completed.user.tasks=500 + # The maximum number of user tasks for concurrently running in async endpoints across all users. + max.active.user.tasks=25 + # Enable self healing for all anomaly detectors, unless the particular anomaly detector is explicitly disabled + self.healing.enabled=true + # Enable self healing for broker failure detector + #self.healing.broker.failure.enabled=true + # Enable self healing for goal violation detector + #self.healing.goal.violation.enabled=true + # Enable self healing for metric anomaly detector + #self.healing.metric.anomaly.enabled=true + # configurations for the webserver + # ================================ + # HTTP listen port + webserver.http.port=9090 + # HTTP listen address + webserver.http.address=0.0.0.0 + # Whether CORS support is enabled for API or not + webserver.http.cors.enabled=false + # Value for Access-Control-Allow-Origin + webserver.http.cors.origin=http://localhost:8080/ + # Value for Access-Control-Request-Method + webserver.http.cors.allowmethods=OPTIONS,GET,POST + # Headers that should be exposed to the Browser (Webapp) + # This is a special header that is used by the + # User Tasks subsystem and should be explicitly + # Enabled when CORS mode is used as part of the + # Admin Interface + webserver.http.cors.exposeheaders=User-Task-ID + # REST API default prefix + # (dont forget the ending *) + webserver.api.urlprefix=/kafkacruisecontrol/* + # Location where the Cruise Control frontend is deployed + webserver.ui.diskpath=./cruise-control-ui/dist/ + # URL path prefix for UI + # (dont forget the ending *) + webserver.ui.urlprefix=/* + # Time After which request is converted to Async + webserver.request.maxBlockTimeMs=10000 + # Default Session Expiry Period + webserver.session.maxExpiryTimeMs=60000 + # Session cookie path + webserver.session.path=/ + # Server Access Logs + webserver.accesslog.enabled=true + # Location of HTTP Request Logs + webserver.accesslog.path=access.log + # HTTP Request Log retention days + webserver.accesslog.retention.days=14 + clusterConfig: | + { + "min.insync.replicas": 3 + } + listenersConfig: + internalListeners: + - type: "plaintext" + name: "internal" + containerPort: 29092 + usedForInnerBrokerCommunication: true + - type: "plaintext" + name: "controller" + containerPort: 29093 + usedForInnerBrokerCommunication: false + usedForControllerCommunication: true + externalListeners: + - type: "plaintext" + name: "external" + externalStartingPort: 19090 + containerPort: 9094 + diff --git a/config/samples/kraft/simplekafkacluster_kraft_with_envoygateway.yaml b/config/samples/kraft/simplekafkacluster_kraft_with_envoygateway.yaml new file mode 100644 index 000000000..9484f4b78 --- /dev/null +++ b/config/samples/kraft/simplekafkacluster_kraft_with_envoygateway.yaml @@ -0,0 +1,311 @@ +--- +# Self-signed issuer for creating TLS certificates +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: envoygateway-selfsigned-issuer + namespace: kafka +spec: + selfSigned: {} +--- +# TLS certificate for Envoy Gateway +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: envoygateway-tls-cert + namespace: kafka +spec: + secretName: envoygateway-tls-secret + issuerRef: + name: envoygateway-selfsigned-issuer + kind: Issuer + dnsNames: + - "*.kafka.cluster.local" + - "kafka.cluster.local" + commonName: "kafka.cluster.local" +--- +apiVersion: kafka.banzaicloud.io/v1beta1 +kind: KafkaCluster +metadata: + labels: + controller-tools.k8s.io: "1.0" + name: kafka + namespace: kafka +spec: + kRaft: true + monitoringConfig: + jmxImage: "ghcr.io/adobe/koperator/jmx-javaagent:1.4.0" + headlessServiceEnabled: true + propagateLabels: false + oneBrokerPerNode: false + clusterImage: "ghcr.io/adobe/koperator/kafka:2.13-3.9.1" + ingressController: "envoygateway" + envoyGatewayConfig: + gatewayClassName: "eg" + tlsSecretName: "envoygateway-tls-secret" + brokerHostnameTemplate: "broker-%id.kafka.cluster.local" + listenersConfig: + internalListeners: + - type: "plaintext" + name: "internal" + containerPort: 29092 + usedForInnerBrokerCommunication: true + - type: "plaintext" + name: "controller" + containerPort: 29093 + usedForInnerBrokerCommunication: false + usedForControllerCommunication: true + externalListeners: + - accessMethod: LoadBalancer + containerPort: 29095 + externalStartingPort: -1 + name: envoyg + type: plaintext + usedForInnerBrokerCommunication: false + readOnlyConfig: | + auto.create.topics.enable=false + cruise.control.metrics.topic.auto.create=true + cruise.control.metrics.topic.num.partitions=1 + cruise.control.metrics.topic.replication.factor=2 + brokerConfigGroups: + default: + storageConfigs: + - mountPath: "/kafka-logs" + pvcSpec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + broker: + processRoles: + - broker + storageConfigs: + - mountPath: "/kafka-logs-broker" + pvcSpec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + brokerAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9020" + brokers: + - id: 0 + brokerConfigGroup: "broker" + - id: 1 + brokerConfigGroup: "broker" + - id: 2 + brokerConfigGroup: "broker" + - id: 3 + brokerConfigGroup: "default" + brokerConfig: + processRoles: + - controller + # - broker + - id: 4 + brokerConfigGroup: "default" + brokerConfig: + processRoles: + - controller + - id: 5 + brokerConfigGroup: "default" + brokerConfig: + processRoles: + - controller + rollingUpgradeConfig: + failureThreshold: 1 + cruiseControlConfig: + cruiseControlTaskSpec: + RetryDurationMinutes: 5 + topicConfig: + partitions: 12 + replicationFactor: 3 + config: | + # Copyright 2017 LinkedIn Corp. Licensed under the BSD 2-Clause License (the "License"). See License in the project root for license information. + # + # This is an example property file for Kafka Cruise Control. See KafkaCruiseControlConfig for more details. + # Configuration for the metadata client. + # ======================================= + # The maximum interval in milliseconds between two metadata refreshes. + #metadata.max.age.ms=300000 + # Client id for the Cruise Control. It is used for the metadata client. + #client.id=kafka-cruise-control + # The size of TCP send buffer bytes for the metadata client. + #send.buffer.bytes=131072 + # The size of TCP receive buffer size for the metadata client. + #receive.buffer.bytes=131072 + # The time to wait before disconnect an idle TCP connection. + #connections.max.idle.ms=540000 + # The time to wait before reconnect to a given host. + #reconnect.backoff.ms=50 + # The time to wait for a response from a host after sending a request. + #request.timeout.ms=30000 + # Configurations for the load monitor + # ======================================= + # The number of metric fetcher thread to fetch metrics for the Kafka cluster + num.metric.fetchers=1 + # The metric sampler class + metric.sampler.class=com.linkedin.kafka.cruisecontrol.monitor.sampling.CruiseControlMetricsReporterSampler + # Configurations for CruiseControlMetricsReporterSampler + metric.reporter.topic.pattern=__CruiseControlMetrics + # The sample store class name + sample.store.class=com.linkedin.kafka.cruisecontrol.monitor.sampling.KafkaSampleStore + # The config for the Kafka sample store to save the partition metric samples + partition.metric.sample.store.topic=__KafkaCruiseControlPartitionMetricSamples + # The config for the Kafka sample store to save the model training samples + broker.metric.sample.store.topic=__KafkaCruiseControlModelTrainingSamples + # The replication factor of Kafka metric sample store topic + sample.store.topic.replication.factor=2 + # The config for the number of Kafka sample store consumer threads + num.sample.loading.threads=8 + # The partition assignor class for the metric samplers + metric.sampler.partition.assignor.class=com.linkedin.kafka.cruisecontrol.monitor.sampling.DefaultMetricSamplerPartitionAssignor + # The metric sampling interval in milliseconds + metric.sampling.interval.ms=120000 + metric.anomaly.detection.interval.ms=180000 + # The partition metrics window size in milliseconds + partition.metrics.window.ms=300000 + # The number of partition metric windows to keep in memory + num.partition.metrics.windows=1 + # The minimum partition metric samples required for a partition in each window + min.samples.per.partition.metrics.window=1 + # The broker metrics window size in milliseconds + broker.metrics.window.ms=300000 + # The number of broker metric windows to keep in memory + num.broker.metrics.windows=20 + # The minimum broker metric samples required for a partition in each window + min.samples.per.broker.metrics.window=1 + # The configuration for the BrokerCapacityConfigFileResolver (supports JBOD and non-JBOD broker capacities) + capacity.config.file=config/capacity.json + #capacity.config.file=config/capacityJBOD.json + # Configurations for the analyzer + # ======================================= + # The list of goals to optimize the Kafka cluster for with pre-computed proposals + default.goals=com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.PotentialNwOutGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.TopicReplicaDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.LeaderBytesInDistributionGoal + # The list of supported goals + goals=com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.PotentialNwOutGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.TopicReplicaDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.LeaderBytesInDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.kafkaassigner.KafkaAssignerDiskUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.PreferredLeaderElectionGoal + # The list of supported hard goals + hard.goals=com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuCapacityGoal + # The minimum percentage of well monitored partitions out of all the partitions + min.monitored.partition.percentage=0.95 + # The balance threshold for CPU + cpu.balance.threshold=1.1 + # The balance threshold for disk + disk.balance.threshold=1.1 + # The balance threshold for network inbound utilization + network.inbound.balance.threshold=1.1 + # The balance threshold for network outbound utilization + network.outbound.balance.threshold=1.1 + # The balance threshold for the replica count + replica.count.balance.threshold=1.1 + # The capacity threshold for CPU in percentage + cpu.capacity.threshold=0.8 + # The capacity threshold for disk in percentage + disk.capacity.threshold=0.8 + # The capacity threshold for network inbound utilization in percentage + network.inbound.capacity.threshold=0.8 + # The capacity threshold for network outbound utilization in percentage + network.outbound.capacity.threshold=0.8 + # The threshold to define the cluster to be in a low CPU utilization state + cpu.low.utilization.threshold=0.0 + # The threshold to define the cluster to be in a low disk utilization state + disk.low.utilization.threshold=0.0 + # The threshold to define the cluster to be in a low network inbound utilization state + network.inbound.low.utilization.threshold=0.0 + # The threshold to define the cluster to be in a low disk utilization state + network.outbound.low.utilization.threshold=0.0 + # The metric anomaly percentile upper threshold + metric.anomaly.percentile.upper.threshold=90.0 + # The metric anomaly percentile lower threshold + metric.anomaly.percentile.lower.threshold=10.0 + # How often should the cached proposal be expired and recalculated if necessary + proposal.expiration.ms=60000 + # The maximum number of replicas that can reside on a broker at any given time. + max.replicas.per.broker=10000 + # The number of threads to use for proposal candidate precomputing. + num.proposal.precompute.threads=1 + # the topics that should be excluded from the partition movement. + #topics.excluded.from.partition.movement + # Configurations for the executor + # ======================================= + # The max number of partitions to move in/out on a given broker at a given time. + num.concurrent.partition.movements.per.broker=10 + # The interval between two execution progress checks. + execution.progress.check.interval.ms=10000 + # Configurations for anomaly detector + # ======================================= + # The goal violation notifier class + anomaly.notifier.class=com.linkedin.kafka.cruisecontrol.detector.notifier.SelfHealingNotifier + # The metric anomaly finder class + metric.anomaly.finder.class=com.linkedin.kafka.cruisecontrol.detector.KafkaMetricAnomalyFinder + # The anomaly detection interval + anomaly.detection.interval.ms=10000 + # The goal violation to detect. + anomaly.detection.goals=com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuCapacityGoal + # The interested metrics for metric anomaly analyzer. + metric.anomaly.analyzer.metrics=BROKER_PRODUCE_LOCAL_TIME_MS_MAX,BROKER_PRODUCE_LOCAL_TIME_MS_MEAN,BROKER_CONSUMER_FETCH_LOCAL_TIME_MS_MAX,BROKER_CONSUMER_FETCH_LOCAL_TIME_MS_MEAN,BROKER_FOLLOWER_FETCH_LOCAL_TIME_MS_MAX,BROKER_FOLLOWER_FETCH_LOCAL_TIME_MS_MEAN,BROKER_LOG_FLUSH_TIME_MS_MAX,BROKER_LOG_FLUSH_TIME_MS_MEAN + ## Adjust accordingly if your metrics reporter is an older version and does not produce these metrics. + #metric.anomaly.analyzer.metrics=BROKER_PRODUCE_LOCAL_TIME_MS_50TH,BROKER_PRODUCE_LOCAL_TIME_MS_999TH,BROKER_CONSUMER_FETCH_LOCAL_TIME_MS_50TH,BROKER_CONSUMER_FETCH_LOCAL_TIME_MS_999TH,BROKER_FOLLOWER_FETCH_LOCAL_TIME_MS_50TH,BROKER_FOLLOWER_FETCH_LOCAL_TIME_MS_999TH,BROKER_LOG_FLUSH_TIME_MS_50TH,BROKER_LOG_FLUSH_TIME_MS_999TH + # The cluster configurations for the KafkaTopicConfigProvider + cluster.configs.file=config/clusterConfigs.json + # The maximum time in milliseconds to store the response and access details of a completed user task. + completed.user.task.retention.time.ms=21600000 + # The maximum time in milliseconds to retain the demotion history of brokers. + demotion.history.retention.time.ms=86400000 + # The maximum number of completed user tasks for which the response and access details will be cached. + max.cached.completed.user.tasks=500 + # The maximum number of user tasks for concurrently running in async endpoints across all users. + max.active.user.tasks=25 + # Enable self healing for all anomaly detectors, unless the particular anomaly detector is explicitly disabled + self.healing.enabled=true + # Enable self healing for broker failure detector + #self.healing.broker.failure.enabled=true + # Enable self healing for goal violation detector + #self.healing.goal.violation.enabled=true + # Enable self healing for metric anomaly detector + #self.healing.metric.anomaly.enabled=true + # configurations for the webserver + # ================================ + # HTTP listen port + webserver.http.port=9090 + # HTTP listen address + webserver.http.address=0.0.0.0 + # Whether CORS support is enabled for API or not + webserver.http.cors.enabled=false + # Value for Access-Control-Allow-Origin + webserver.http.cors.origin=http://localhost:8080/ + # Value for Access-Control-Request-Method + webserver.http.cors.allowmethods=OPTIONS,GET,POST + # Headers that should be exposed to the Browser (Webapp) + # This is a special header that is used by the + # User Tasks subsystem and should be explicitly + # Enabled when CORS mode is used as part of the + # Admin Interface + webserver.http.cors.exposeheaders=User-Task-ID + # REST API default prefix + # (dont forget the ending *) + webserver.api.urlprefix=/kafkacruisecontrol/* + # Location where the Cruise Control frontend is deployed + webserver.ui.diskpath=./cruise-control-ui/dist/ + # URL path prefix for UI + # (dont forget the ending *) + webserver.ui.urlprefix=/* + # Time After which request is converted to Async + webserver.request.maxBlockTimeMs=10000 + # Default Session Expiry Period + webserver.session.maxExpiryTimeMs=60000 + # Session cookie path + webserver.session.path=/ + # Server Access Logs + webserver.accesslog.enabled=true + # Location of HTTP Request Logs + webserver.accesslog.path=access.log + # HTTP Request Log retention days + webserver.accesslog.retention.days=14 + clusterConfig: | + { + "min.insync.replicas": 3 + } + diff --git a/config/samples/kafkacluster-with-istio.yaml b/config/samples/simplekafkacluster_with_envoy.yaml similarity index 97% rename from config/samples/kafkacluster-with-istio.yaml rename to config/samples/simplekafkacluster_with_envoy.yaml index 8b316c9b2..464862e0d 100644 --- a/config/samples/kafkacluster-with-istio.yaml +++ b/config/samples/simplekafkacluster_with_envoy.yaml @@ -4,19 +4,33 @@ metadata: labels: controller-tools.k8s.io: "1.0" name: kafka + namespace: kafka spec: - headlessServiceEnabled: false - ingressController: "istioingress" - istioControlPlane: - name: icp-v115x-sample # The name of the existing istio control plane should be used here - namespace: istio-system - istioIngressConfig: - gatewayConfig: - mode: ISTIO_MUTUAL + monitoringConfig: + jmxImage: "ghcr.io/adobe/koperator/jmx-javaagent:1.4.0" + headlessServiceEnabled: true zkAddresses: - "zookeeper-server-client.zookeeper:2181" + propagateLabels: false oneBrokerPerNode: false clusterImage: "ghcr.io/adobe/koperator/kafka:2.13-3.9.1" + ingressController: "envoy" + listenersConfig: + internalListeners: + - type: "plaintext" + name: "internal" + containerPort: 29092 + usedForInnerBrokerCommunication: true + - type: "plaintext" + name: "controller" + containerPort: 29093 + usedForInnerBrokerCommunication: false + usedForControllerCommunication: true + externalListeners: + - type: "plaintext" + name: "external" + externalStartingPort: 19090 + containerPort: 9094 readOnlyConfig: | auto.create.topics.enable=false cruise.control.metrics.topic.auto.create=true @@ -24,8 +38,6 @@ spec: cruise.control.metrics.topic.replication.factor=2 brokerConfigGroups: default: - brokerAnnotations: - sidecar.istio.io/userVolumeMount: '[{"name":"exitfile", "mountPath":"/var/run/wait", "readonly":true}]' storageConfigs: - mountPath: "/kafka-logs" pvcSpec: @@ -34,6 +46,9 @@ spec: resources: requests: storage: 10Gi + brokerAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9020" brokers: - id: 0 brokerConfigGroup: "default" @@ -43,23 +58,9 @@ spec: brokerConfigGroup: "default" rollingUpgradeConfig: failureThreshold: 1 - listenersConfig: - internalListeners: - - type: "plaintext" - name: "internal" - containerPort: 29092 - usedForInnerBrokerCommunication: true - - type: "plaintext" - name: "controller" - containerPort: 29093 - usedForInnerBrokerCommunication: false - usedForControllerCommunication: true - externalListeners: - - type: "plaintext" - name: "external" - externalStartingPort: 19090 - containerPort: 9094 cruiseControlConfig: + cruiseControlTaskSpec: + RetryDurationMinutes: 5 topicConfig: partitions: 12 replicationFactor: 3 @@ -253,3 +254,5 @@ spec: { "min.insync.replicas": 3 } + + diff --git a/config/samples/simplekafkacluster_with_envoygateway.yaml b/config/samples/simplekafkacluster_with_envoygateway.yaml new file mode 100644 index 000000000..52f660909 --- /dev/null +++ b/config/samples/simplekafkacluster_with_envoygateway.yaml @@ -0,0 +1,288 @@ +--- +# Self-signed issuer for creating TLS certificates +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: envoygateway-selfsigned-issuer + namespace: kafka +spec: + selfSigned: {} +--- +# TLS certificate for Envoy Gateway +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: envoygateway-tls-cert + namespace: kafka +spec: + secretName: envoygateway-tls-secret + issuerRef: + name: envoygateway-selfsigned-issuer + kind: Issuer + dnsNames: + - "*.kafka.cluster.local" + - "kafka.cluster.local" + commonName: "kafka.cluster.local" +--- +apiVersion: kafka.banzaicloud.io/v1beta1 +kind: KafkaCluster +metadata: + labels: + controller-tools.k8s.io: "1.0" + name: kafka + namespace: kafka +spec: + monitoringConfig: + jmxImage: "ghcr.io/adobe/koperator/jmx-javaagent:1.4.0" + headlessServiceEnabled: true + zkAddresses: + - "zookeeper-server-client.zookeeper:2181" + propagateLabels: false + oneBrokerPerNode: false + clusterImage: "ghcr.io/adobe/koperator/kafka:2.13-3.9.1" + ingressController: "envoygateway" + envoyGatewayConfig: + gatewayClassName: "eg" + tlsSecretName: "envoygateway-tls-secret" + brokerHostnameTemplate: "broker-%id.kafka.cluster.local" + listenersConfig: + internalListeners: + - type: "plaintext" + name: "internal" + containerPort: 29092 + usedForInnerBrokerCommunication: true + - type: "plaintext" + name: "controller" + containerPort: 29093 + usedForInnerBrokerCommunication: false + usedForControllerCommunication: true + externalListeners: + - accessMethod: LoadBalancer + containerPort: 29095 + externalStartingPort: -1 + name: envoyg + type: plaintext + usedForInnerBrokerCommunication: false + readOnlyConfig: | + auto.create.topics.enable=false + cruise.control.metrics.topic.auto.create=true + cruise.control.metrics.topic.num.partitions=1 + cruise.control.metrics.topic.replication.factor=2 + brokerConfigGroups: + default: + storageConfigs: + - mountPath: "/kafka-logs" + pvcSpec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi + brokerAnnotations: + prometheus.io/scrape: "true" + prometheus.io/port: "9020" + brokers: + - id: 0 + brokerConfigGroup: "default" + - id: 1 + brokerConfigGroup: "default" + - id: 2 + brokerConfigGroup: "default" + rollingUpgradeConfig: + failureThreshold: 1 + cruiseControlConfig: + cruiseControlTaskSpec: + RetryDurationMinutes: 5 + topicConfig: + partitions: 12 + replicationFactor: 3 + config: | + # Copyright 2017 LinkedIn Corp. Licensed under the BSD 2-Clause License (the "License"). See License in the project root for license information. + # + # This is an example property file for Kafka Cruise Control. See KafkaCruiseControlConfig for more details. + # Configuration for the metadata client. + # ======================================= + # The maximum interval in milliseconds between two metadata refreshes. + #metadata.max.age.ms=300000 + # Client id for the Cruise Control. It is used for the metadata client. + #client.id=kafka-cruise-control + # The size of TCP send buffer bytes for the metadata client. + #send.buffer.bytes=131072 + # The size of TCP receive buffer size for the metadata client. + #receive.buffer.bytes=131072 + # The time to wait before disconnect an idle TCP connection. + #connections.max.idle.ms=540000 + # The time to wait before reconnect to a given host. + #reconnect.backoff.ms=50 + # The time to wait for a response from a host after sending a request. + #request.timeout.ms=30000 + # Configurations for the load monitor + # ======================================= + # The number of metric fetcher thread to fetch metrics for the Kafka cluster + num.metric.fetchers=1 + # The metric sampler class + metric.sampler.class=com.linkedin.kafka.cruisecontrol.monitor.sampling.CruiseControlMetricsReporterSampler + # Configurations for CruiseControlMetricsReporterSampler + metric.reporter.topic.pattern=__CruiseControlMetrics + # The sample store class name + sample.store.class=com.linkedin.kafka.cruisecontrol.monitor.sampling.KafkaSampleStore + # The config for the Kafka sample store to save the partition metric samples + partition.metric.sample.store.topic=__KafkaCruiseControlPartitionMetricSamples + # The config for the Kafka sample store to save the model training samples + broker.metric.sample.store.topic=__KafkaCruiseControlModelTrainingSamples + # The replication factor of Kafka metric sample store topic + sample.store.topic.replication.factor=2 + # The config for the number of Kafka sample store consumer threads + num.sample.loading.threads=8 + # The partition assignor class for the metric samplers + metric.sampler.partition.assignor.class=com.linkedin.kafka.cruisecontrol.monitor.sampling.DefaultMetricSamplerPartitionAssignor + # The metric sampling interval in milliseconds + metric.sampling.interval.ms=120000 + metric.anomaly.detection.interval.ms=180000 + # The partition metrics window size in milliseconds + partition.metrics.window.ms=300000 + # The number of partition metric windows to keep in memory + num.partition.metrics.windows=1 + # The minimum partition metric samples required for a partition in each window + min.samples.per.partition.metrics.window=1 + # The broker metrics window size in milliseconds + broker.metrics.window.ms=300000 + # The number of broker metric windows to keep in memory + num.broker.metrics.windows=20 + # The minimum broker metric samples required for a partition in each window + min.samples.per.broker.metrics.window=1 + # The configuration for the BrokerCapacityConfigFileResolver (supports JBOD and non-JBOD broker capacities) + capacity.config.file=config/capacity.json + #capacity.config.file=config/capacityJBOD.json + # Configurations for the analyzer + # ======================================= + # The list of goals to optimize the Kafka cluster for with pre-computed proposals + default.goals=com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.PotentialNwOutGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.TopicReplicaDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.LeaderBytesInDistributionGoal + # The list of supported goals + goals=com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.PotentialNwOutGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.TopicReplicaDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.LeaderBytesInDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.kafkaassigner.KafkaAssignerDiskUsageDistributionGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.PreferredLeaderElectionGoal + # The list of supported hard goals + hard.goals=com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuCapacityGoal + # The minimum percentage of well monitored partitions out of all the partitions + min.monitored.partition.percentage=0.95 + # The balance threshold for CPU + cpu.balance.threshold=1.1 + # The balance threshold for disk + disk.balance.threshold=1.1 + # The balance threshold for network inbound utilization + network.inbound.balance.threshold=1.1 + # The balance threshold for network outbound utilization + network.outbound.balance.threshold=1.1 + # The balance threshold for the replica count + replica.count.balance.threshold=1.1 + # The capacity threshold for CPU in percentage + cpu.capacity.threshold=0.8 + # The capacity threshold for disk in percentage + disk.capacity.threshold=0.8 + # The capacity threshold for network inbound utilization in percentage + network.inbound.capacity.threshold=0.8 + # The capacity threshold for network outbound utilization in percentage + network.outbound.capacity.threshold=0.8 + # The threshold to define the cluster to be in a low CPU utilization state + cpu.low.utilization.threshold=0.0 + # The threshold to define the cluster to be in a low disk utilization state + disk.low.utilization.threshold=0.0 + # The threshold to define the cluster to be in a low network inbound utilization state + network.inbound.low.utilization.threshold=0.0 + # The threshold to define the cluster to be in a low disk utilization state + network.outbound.low.utilization.threshold=0.0 + # The metric anomaly percentile upper threshold + metric.anomaly.percentile.upper.threshold=90.0 + # The metric anomaly percentile lower threshold + metric.anomaly.percentile.lower.threshold=10.0 + # How often should the cached proposal be expired and recalculated if necessary + proposal.expiration.ms=60000 + # The maximum number of replicas that can reside on a broker at any given time. + max.replicas.per.broker=10000 + # The number of threads to use for proposal candidate precomputing. + num.proposal.precompute.threads=1 + # the topics that should be excluded from the partition movement. + #topics.excluded.from.partition.movement + # Configurations for the executor + # ======================================= + # The max number of partitions to move in/out on a given broker at a given time. + num.concurrent.partition.movements.per.broker=10 + # The interval between two execution progress checks. + execution.progress.check.interval.ms=10000 + # Configurations for anomaly detector + # ======================================= + # The goal violation notifier class + anomaly.notifier.class=com.linkedin.kafka.cruisecontrol.detector.notifier.SelfHealingNotifier + # The metric anomaly finder class + metric.anomaly.finder.class=com.linkedin.kafka.cruisecontrol.detector.KafkaMetricAnomalyFinder + # The anomaly detection interval + anomaly.detection.interval.ms=10000 + # The goal violation to detect. + anomaly.detection.goals=com.linkedin.kafka.cruisecontrol.analyzer.goals.ReplicaCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.DiskCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkInboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.NetworkOutboundCapacityGoal,com.linkedin.kafka.cruisecontrol.analyzer.goals.CpuCapacityGoal + # The interested metrics for metric anomaly analyzer. + metric.anomaly.analyzer.metrics=BROKER_PRODUCE_LOCAL_TIME_MS_MAX,BROKER_PRODUCE_LOCAL_TIME_MS_MEAN,BROKER_CONSUMER_FETCH_LOCAL_TIME_MS_MAX,BROKER_CONSUMER_FETCH_LOCAL_TIME_MS_MEAN,BROKER_FOLLOWER_FETCH_LOCAL_TIME_MS_MAX,BROKER_FOLLOWER_FETCH_LOCAL_TIME_MS_MEAN,BROKER_LOG_FLUSH_TIME_MS_MAX,BROKER_LOG_FLUSH_TIME_MS_MEAN + ## Adjust accordingly if your metrics reporter is an older version and does not produce these metrics. + #metric.anomaly.analyzer.metrics=BROKER_PRODUCE_LOCAL_TIME_MS_50TH,BROKER_PRODUCE_LOCAL_TIME_MS_999TH,BROKER_CONSUMER_FETCH_LOCAL_TIME_MS_50TH,BROKER_CONSUMER_FETCH_LOCAL_TIME_MS_999TH,BROKER_FOLLOWER_FETCH_LOCAL_TIME_MS_50TH,BROKER_FOLLOWER_FETCH_LOCAL_TIME_MS_999TH,BROKER_LOG_FLUSH_TIME_MS_50TH,BROKER_LOG_FLUSH_TIME_MS_999TH + # The zk path to store failed broker information. + failed.brokers.zk.path=/CruiseControlBrokerList + # Topic config provider class + topic.config.provider.class=com.linkedin.kafka.cruisecontrol.config.KafkaTopicConfigProvider + # The cluster configurations for the KafkaTopicConfigProvider + cluster.configs.file=config/clusterConfigs.json + # The maximum time in milliseconds to store the response and access details of a completed user task. + completed.user.task.retention.time.ms=21600000 + # The maximum time in milliseconds to retain the demotion history of brokers. + demotion.history.retention.time.ms=86400000 + # The maximum number of completed user tasks for which the response and access details will be cached. + max.cached.completed.user.tasks=500 + # The maximum number of user tasks for concurrently running in async endpoints across all users. + max.active.user.tasks=25 + # Enable self healing for all anomaly detectors, unless the particular anomaly detector is explicitly disabled + self.healing.enabled=true + # Enable self healing for broker failure detector + #self.healing.broker.failure.enabled=true + # Enable self healing for goal violation detector + #self.healing.goal.violation.enabled=true + # Enable self healing for metric anomaly detector + #self.healing.metric.anomaly.enabled=true + # configurations for the webserver + # ================================ + # HTTP listen port + webserver.http.port=9090 + # HTTP listen address + webserver.http.address=0.0.0.0 + # Whether CORS support is enabled for API or not + webserver.http.cors.enabled=false + # Value for Access-Control-Allow-Origin + webserver.http.cors.origin=http://localhost:8080/ + # Value for Access-Control-Request-Method + webserver.http.cors.allowmethods=OPTIONS,GET,POST + # Headers that should be exposed to the Browser (Webapp) + # This is a special header that is used by the + # User Tasks subsystem and should be explicitly + # Enabled when CORS mode is used as part of the + # Admin Interface + webserver.http.cors.exposeheaders=User-Task-ID + # REST API default prefix + # (dont forget the ending *) + webserver.api.urlprefix=/kafkacruisecontrol/* + # Location where the Cruise Control frontend is deployed + webserver.ui.diskpath=./cruise-control-ui/dist/ + # URL path prefix for UI + # (dont forget the ending *) + webserver.ui.urlprefix=/* + # Time After which request is converted to Async + webserver.request.maxBlockTimeMs=10000 + # Default Session Expiry Period + webserver.session.maxExpiryTimeMs=60000 + # Session cookie path + webserver.session.path=/ + # Server Access Logs + webserver.accesslog.enabled=true + # Location of HTTP Request Logs + webserver.accesslog.path=access.log + # HTTP Request Log retention days + webserver.accesslog.retention.days=14 + clusterConfig: | + { + "min.insync.replicas": 3 + } diff --git a/config/test/crd/gateway-api/gateway-api-crds.yaml b/config/test/crd/gateway-api/gateway-api-crds.yaml new file mode 100644 index 000000000..6baa62798 --- /dev/null +++ b/config/test/crd/gateway-api/gateway-api-crds.yaml @@ -0,0 +1,19071 @@ +# Copyright 2025 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# +# Gateway API Standard channel install +# +--- +# +# config/crd/standard/gateway.networking.k8s.io_backendtlspolicies.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: standard + labels: + gateway.networking.k8s.io/policy: Direct + name: backendtlspolicies.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: BackendTLSPolicy + listKind: BackendTLSPolicyList + plural: backendtlspolicies + shortNames: + - btlspolicy + singular: backendtlspolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + BackendTLSPolicy provides a way to configure how a Gateway + connects to a Backend via TLS. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of BackendTLSPolicy. + properties: + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + Support: Implementation-specific + maxProperties: 16 + type: object + targetRefs: + description: |- + TargetRefs identifies an API object to apply the policy to. + Only Services have Extended support. Implementations MAY support + additional objects, with Implementation Specific support. + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. + + TargetRefs must be _distinct_. This means either that: + + * They select different targets. If this is the case, then targetRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, and `name` must + be unique across all targetRef entries in the BackendTLSPolicy. + * They select different sectionNames in the same target. + + When more than one BackendTLSPolicy selects the same target and + sectionName, implementations MUST determine precedence using the + following criteria, continuing on ties: + + * The older policy by creation timestamp takes precedence. For + example, a policy with a creation timestamp of "2021-07-15 + 01:02:03" MUST be given precedence over a policy with a + creation timestamp of "2021-07-15 01:02:04". + * The policy appearing first in alphabetical order by {name}. + For example, a policy named `bar` is given precedence over a + policy named `baz`. + + For any BackendTLSPolicy that does not take precedence, the + implementation MUST ensure the `Accepted` Condition is set to + `status: False`, with Reason `Conflicted`. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + items: + description: |- + LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a + direct policy to. This should be used as part of Policy resources that can + target single resources. For more information on how this policy attachment + mode works, and a sample Policy resource, refer to the policy attachment + documentation for Gateway API. + + Note: This should only be used for direct policy attachment when references + to SectionName are actually needed. In all other cases, + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: |- + SectionName is the name of a section within the target resource. When + unspecified, this targetRef targets the entire resource. In the following + resources, SectionName is interpreted as the following: + + * Gateway: Listener name + * HTTPRoute: HTTPRouteRule name + * Service: Port name + + If a SectionName is specified, but does not exist on the targeted object, + the Policy must fail to attach, and the policy implementation should record + a `ResolvedRefs` or similar Condition in the Policy's status. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName must be specified when targetRefs includes + 2 or more references to the same target + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName + == '''') == (!has(p2.sectionName) || p2.sectionName == '''')) + : true))' + - message: sectionName must be unique when targetRefs includes 2 or + more references to the same target + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) || + p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + validation: + description: Validation contains backend TLS validation configuration. + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to Kubernetes objects that + contain a PEM-encoded TLS CA certificate bundle, which is used to + validate a TLS handshake between the Gateway and backend Pod. + + If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be + specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, + not both. If CACertificateRefs is empty or unspecified, the configuration for + WellKnownCACertificates MUST be honored instead if supported by the implementation. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key + named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this case, the Reason + must be set to `InvalidKind` and the Message of the Condition must explain which + kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace. This may change in future + spec updates. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message must be set for the invalid reference. + + In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on + the BackendTLSPolicy is set to `status: False`, with a Reason and Message + that indicate the cause of the error. Connections using an invalid + CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error + response. If ALL CACertificateRefs are invalid, the implementation MUST also + ensure the `Accepted` Condition on the BackendTLSPolicy is set to + `status: False`, with a Reason `NoValidCACertificate`. + + A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a backend, but this behavior is implementation-specific. + + Support: Core - An optional single reference to a Kubernetes ConfigMap, + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. + items: + description: |- + LocalObjectReference identifies an API object within the namespace of the + referrer. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" + or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + hostname: + description: |- + Hostname is used for two purposes in the connection between Gateways and + backends: + + 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). + 2. Hostname MUST be used for authentication and MUST match the certificate + served by the matching backend, unless SubjectAltNames is specified. + 3. If SubjectAltNames are specified, Hostname can be used for certificate selection + but MUST NOT be used for authentication. If you want to use the value + of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + subjectAltNames: + description: |- + SubjectAltNames contains one or more Subject Alternative Names. + When specified the certificate served from the backend MUST + have at least one Subject Alternate Name matching one of the specified SubjectAltNames. + + Support: Extended + items: + description: SubjectAltName represents Subject Alternative Name. + properties: + hostname: + description: |- + Hostname contains Subject Alternative Name specified in DNS name format. + Required when Type is set to Hostname, ignored otherwise. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: + description: |- + Type determines the format of the Subject Alternative Name. Always required. + + Support: Core + enum: + - Hostname + - URI + type: string + uri: + description: |- + URI contains Subject Alternative Name specified in a full URI format. + It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. + Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". + Required when Type is set to URI, ignored otherwise. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: SubjectAltName element must contain Hostname, if + Type is set to Hostname + rule: '!(self.type == "Hostname" && (!has(self.hostname) || + self.hostname == ""))' + - message: SubjectAltName element must not contain Hostname, + if Type is not set to Hostname + rule: '!(self.type != "Hostname" && has(self.hostname) && + self.hostname != "")' + - message: SubjectAltName element must contain URI, if Type + is set to URI + rule: '!(self.type == "URI" && (!has(self.uri) || self.uri + == ""))' + - message: SubjectAltName element must not contain URI, if Type + is not set to URI + rule: '!(self.type != "URI" && has(self.uri) && self.uri != + "")' + maxItems: 5 + type: array + x-kubernetes-list-type: atomic + wellKnownCACertificates: + description: |- + WellKnownCACertificates specifies whether system CA certificates may be used in + the TLS handshake between the gateway and backend pod. + + If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs + must be specified with at least one entry for a valid configuration. Only one of + CACertificateRefs or WellKnownCACertificates may be specified, not both. + If an implementation does not support the WellKnownCACertificates field, or + the supplied value is not recognized, the implementation MUST ensure the + `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with + a Reason `Invalid`. + + Support: Implementation-specific + enum: + - System + type: string + required: + - hostname + type: object + x-kubernetes-validations: + - message: must not contain both CACertificateRefs and WellKnownCACertificates + rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs) + > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates + != "")' + - message: must specify either CACertificateRefs or WellKnownCACertificates + rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs) + > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates + != "") + required: + - targetRefs + - validation + type: object + status: + description: Status defines the current state of BackendTLSPolicy. + properties: + ancestors: + description: |- + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. + + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. + + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. + + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. + + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. + items: + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. + + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. + + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. + + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. + + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. + + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. + properties: + ancestorRef: + description: |- + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - deprecated: true + deprecationWarning: The v1alpha3 version of BackendTLSPolicy has been deprecated + and will be removed in a future release of the API. Please upgrade to v1. + name: v1alpha3 + schema: + openAPIV3Schema: + description: |- + BackendTLSPolicy provides a way to configure how a Gateway + connects to a Backend via TLS. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of BackendTLSPolicy. + properties: + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + Support: Implementation-specific + maxProperties: 16 + type: object + targetRefs: + description: |- + TargetRefs identifies an API object to apply the policy to. + Only Services have Extended support. Implementations MAY support + additional objects, with Implementation Specific support. + Note that this config applies to the entire referenced resource + by default, but this default may change in the future to provide + a more granular application of the policy. + + TargetRefs must be _distinct_. This means either that: + + * They select different targets. If this is the case, then targetRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, and `name` must + be unique across all targetRef entries in the BackendTLSPolicy. + * They select different sectionNames in the same target. + + When more than one BackendTLSPolicy selects the same target and + sectionName, implementations MUST determine precedence using the + following criteria, continuing on ties: + + * The older policy by creation timestamp takes precedence. For + example, a policy with a creation timestamp of "2021-07-15 + 01:02:03" MUST be given precedence over a policy with a + creation timestamp of "2021-07-15 01:02:04". + * The policy appearing first in alphabetical order by {name}. + For example, a policy named `bar` is given precedence over a + policy named `baz`. + + For any BackendTLSPolicy that does not take precedence, the + implementation MUST ensure the `Accepted` Condition is set to + `status: False`, with Reason `Conflicted`. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + items: + description: |- + LocalPolicyTargetReferenceWithSectionName identifies an API object to apply a + direct policy to. This should be used as part of Policy resources that can + target single resources. For more information on how this policy attachment + mode works, and a sample Policy resource, refer to the policy attachment + documentation for Gateway API. + + Note: This should only be used for direct policy attachment when references + to SectionName are actually needed. In all other cases, + LocalPolicyTargetReference should be used. + properties: + group: + description: Group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the target resource. + maxLength: 253 + minLength: 1 + type: string + sectionName: + description: |- + SectionName is the name of a section within the target resource. When + unspecified, this targetRef targets the entire resource. In the following + resources, SectionName is interpreted as the following: + + * Gateway: Listener name + * HTTPRoute: HTTPRouteRule name + * Service: Port name + + If a SectionName is specified, but does not exist on the targeted object, + the Policy must fail to attach, and the policy implementation should record + a `ResolvedRefs` or similar Condition in the Policy's status. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - group + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName must be specified when targetRefs includes + 2 or more references to the same target + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name ? ((!has(p1.sectionName) || p1.sectionName + == '''') == (!has(p2.sectionName) || p2.sectionName == '''')) + : true))' + - message: sectionName must be unique when targetRefs includes 2 or + more references to the same target + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.sectionName) || + p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + validation: + description: Validation contains backend TLS validation configuration. + properties: + caCertificateRefs: + description: |- + CACertificateRefs contains one or more references to Kubernetes objects that + contain a PEM-encoded TLS CA certificate bundle, which is used to + validate a TLS handshake between the Gateway and backend Pod. + + If CACertificateRefs is empty or unspecified, then WellKnownCACertificates must be + specified. Only one of CACertificateRefs or WellKnownCACertificates may be specified, + not both. If CACertificateRefs is empty or unspecified, the configuration for + WellKnownCACertificates MUST be honored instead if supported by the implementation. + + A CACertificateRef is invalid if: + + * It refers to a resource that cannot be resolved (e.g., the referenced resource + does not exist) or is misconfigured (e.g., a ConfigMap does not contain a key + named `ca.crt`). In this case, the Reason must be set to `InvalidCACertificateRef` + and the Message of the Condition must indicate which reference is invalid and why. + + * It refers to an unknown or unsupported kind of resource. In this case, the Reason + must be set to `InvalidKind` and the Message of the Condition must explain which + kind of resource is unknown or unsupported. + + * It refers to a resource in another namespace. This may change in future + spec updates. + + Implementations MAY choose to perform further validation of the certificate + content (e.g., checking expiry or enforcing specific formats). In such cases, + an implementation-specific Reason and Message must be set for the invalid reference. + + In all cases, the implementation MUST ensure the `ResolvedRefs` Condition on + the BackendTLSPolicy is set to `status: False`, with a Reason and Message + that indicate the cause of the error. Connections using an invalid + CACertificateRef MUST fail, and the client MUST receive an HTTP 5xx error + response. If ALL CACertificateRefs are invalid, the implementation MUST also + ensure the `Accepted` Condition on the BackendTLSPolicy is set to + `status: False`, with a Reason `NoValidCACertificate`. + + A single CACertificateRef to a Kubernetes ConfigMap kind has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a backend, but this behavior is implementation-specific. + + Support: Core - An optional single reference to a Kubernetes ConfigMap, + with the CA certificate in a key named `ca.crt`. + + Support: Implementation-specific - More than one reference, other kinds + of resources, or a single reference that includes multiple certificates. + items: + description: |- + LocalObjectReference identifies an API object within the namespace of the + referrer. + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example "HTTPRoute" + or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + hostname: + description: |- + Hostname is used for two purposes in the connection between Gateways and + backends: + + 1. Hostname MUST be used as the SNI to connect to the backend (RFC 6066). + 2. Hostname MUST be used for authentication and MUST match the certificate + served by the matching backend, unless SubjectAltNames is specified. + 3. If SubjectAltNames are specified, Hostname can be used for certificate selection + but MUST NOT be used for authentication. If you want to use the value + of the Hostname field for authentication, you MUST add it to the SubjectAltNames list. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + subjectAltNames: + description: |- + SubjectAltNames contains one or more Subject Alternative Names. + When specified the certificate served from the backend MUST + have at least one Subject Alternate Name matching one of the specified SubjectAltNames. + + Support: Extended + items: + description: SubjectAltName represents Subject Alternative Name. + properties: + hostname: + description: |- + Hostname contains Subject Alternative Name specified in DNS name format. + Required when Type is set to Hostname, ignored otherwise. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: + description: |- + Type determines the format of the Subject Alternative Name. Always required. + + Support: Core + enum: + - Hostname + - URI + type: string + uri: + description: |- + URI contains Subject Alternative Name specified in a full URI format. + It MUST include both a scheme (e.g., "http" or "ftp") and a scheme-specific-part. + Common values include SPIFFE IDs like "spiffe://mycluster.example.com/ns/myns/sa/svc1sa". + Required when Type is set to URI, ignored otherwise. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(([^:/?#]+):)(//([^/?#]*))([^?#]*)(\?([^#]*))?(#(.*))? + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: SubjectAltName element must contain Hostname, if + Type is set to Hostname + rule: '!(self.type == "Hostname" && (!has(self.hostname) || + self.hostname == ""))' + - message: SubjectAltName element must not contain Hostname, + if Type is not set to Hostname + rule: '!(self.type != "Hostname" && has(self.hostname) && + self.hostname != "")' + - message: SubjectAltName element must contain URI, if Type + is set to URI + rule: '!(self.type == "URI" && (!has(self.uri) || self.uri + == ""))' + - message: SubjectAltName element must not contain URI, if Type + is not set to URI + rule: '!(self.type != "URI" && has(self.uri) && self.uri != + "")' + maxItems: 5 + type: array + x-kubernetes-list-type: atomic + wellKnownCACertificates: + description: |- + WellKnownCACertificates specifies whether system CA certificates may be used in + the TLS handshake between the gateway and backend pod. + + If WellKnownCACertificates is unspecified or empty (""), then CACertificateRefs + must be specified with at least one entry for a valid configuration. Only one of + CACertificateRefs or WellKnownCACertificates may be specified, not both. + If an implementation does not support the WellKnownCACertificates field, or + the supplied value is not recognized, the implementation MUST ensure the + `Accepted` Condition on the BackendTLSPolicy is set to `status: False`, with + a Reason `Invalid`. + + Support: Implementation-specific + enum: + - System + type: string + required: + - hostname + type: object + x-kubernetes-validations: + - message: must not contain both CACertificateRefs and WellKnownCACertificates + rule: '!(has(self.caCertificateRefs) && size(self.caCertificateRefs) + > 0 && has(self.wellKnownCACertificates) && self.wellKnownCACertificates + != "")' + - message: must specify either CACertificateRefs or WellKnownCACertificates + rule: (has(self.caCertificateRefs) && size(self.caCertificateRefs) + > 0 || has(self.wellKnownCACertificates) && self.wellKnownCACertificates + != "") + required: + - targetRefs + - validation + type: object + status: + description: Status defines the current state of BackendTLSPolicy. + properties: + ancestors: + description: |- + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. + + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. + + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. + + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. + + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. + items: + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. + + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. + + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. + + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. + + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. + + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. + properties: + ancestorRef: + description: |- + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - conditions + - controllerName + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + required: + - ancestors + type: object + required: + - spec + type: object + served: false + storage: false +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_gatewayclasses.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: standard + name: gatewayclasses.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GatewayClass + listKind: GatewayClassList + plural: gatewayclasses + shortNames: + - gc + singular: gatewayclass + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1 + schema: + openAPIV3Schema: + description: |- + GatewayClass describes a class of Gateways available to the user for creating + Gateway resources. + + It is recommended that this resource be used as a template for Gateways. This + means that a Gateway is based on the state of the GatewayClass at the time it + was created and changes to the GatewayClass or associated parameters are not + propagated down to existing Gateways. This recommendation is intended to + limit the blast radius of changes to GatewayClass or associated parameters. + If implementations choose to propagate GatewayClass changes to existing + Gateways, that MUST be clearly documented by the implementation. + + Whenever one or more Gateways are using a GatewayClass, implementations SHOULD + add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the + associated GatewayClass. This ensures that a GatewayClass associated with a + Gateway is not deleted while in use. + + GatewayClass is a Cluster level resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: |- + ControllerName is the name of the controller that is managing Gateways of + this class. The value of this field MUST be a domain prefixed path. + + Example: "example.net/gateway-controller". + + This field is not mutable and cannot be empty. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the GatewayClass. This is optional if the + controller does not require any additional configuration. + + ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. The resource can be + cluster-scoped or namespace-scoped. + + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the GatewayClass SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. + + A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Status defines the current state of GatewayClass. + + Implementations MUST populate status on all GatewayClass resources which + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. + + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedFeatures: + description: |- + SupportedFeatures is the set of features the GatewayClass support. + It MUST be sorted in ascending alphabetical order by the Name key. + items: + properties: + name: + description: |- + FeatureName is used to describe distinct features that are covered by + conformance tests. + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.controllerName + name: Controller + type: string + - jsonPath: .status.conditions[?(@.type=="Accepted")].status + name: Accepted + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .spec.description + name: Description + priority: 1 + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + GatewayClass describes a class of Gateways available to the user for creating + Gateway resources. + + It is recommended that this resource be used as a template for Gateways. This + means that a Gateway is based on the state of the GatewayClass at the time it + was created and changes to the GatewayClass or associated parameters are not + propagated down to existing Gateways. This recommendation is intended to + limit the blast radius of changes to GatewayClass or associated parameters. + If implementations choose to propagate GatewayClass changes to existing + Gateways, that MUST be clearly documented by the implementation. + + Whenever one or more Gateways are using a GatewayClass, implementations SHOULD + add the `gateway-exists-finalizer.gateway.networking.k8s.io` finalizer on the + associated GatewayClass. This ensures that a GatewayClass associated with a + Gateway is not deleted while in use. + + GatewayClass is a Cluster level resource. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GatewayClass. + properties: + controllerName: + description: |- + ControllerName is the name of the controller that is managing Gateways of + this class. The value of this field MUST be a domain prefixed path. + + Example: "example.net/gateway-controller". + + This field is not mutable and cannot be empty. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + x-kubernetes-validations: + - message: Value is immutable + rule: self == oldSelf + description: + description: Description helps describe a GatewayClass with more details. + maxLength: 64 + type: string + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the GatewayClass. This is optional if the + controller does not require any additional configuration. + + ParametersRef can reference a standard Kubernetes resource, i.e. ConfigMap, + or an implementation-specific custom resource. The resource can be + cluster-scoped or namespace-scoped. + + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the GatewayClass SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. + + A Gateway for this GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + This field is required when referring to a Namespace-scoped resource and + MUST be unset when referring to a Cluster-scoped resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - name + type: object + required: + - controllerName + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Status defines the current state of GatewayClass. + + Implementations MUST populate status on all GatewayClass resources which + specify their controller name. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + description: |- + Conditions is the current status from the controller for + this GatewayClass. + + Controllers should prefer to publish conditions using values + of GatewayClassConditionType for the type of each Condition. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + supportedFeatures: + description: |- + SupportedFeatures is the set of features the GatewayClass support. + It MUST be sorted in ascending alphabetical order by the Name key. + items: + properties: + name: + description: |- + FeatureName is used to describe distinct features that are covered by + conformance tests. + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_gateways.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: standard + name: gateways.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: Gateway + listKind: GatewayList + plural: gateways + shortNames: + - gtw + singular: gateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + Gateway represents an instance of a service-traffic handling infrastructure + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: |- + Addresses requested for this Gateway. This is optional and behavior can + depend on the implementation. If a value is set in the spec and the + requested address is invalid or unavailable, the implementation MUST + indicate this in an associated entry in GatewayStatus.Conditions. + + The Addresses field represents a request for the address(es) on the + "outside of the Gateway", that traffic bound for this Gateway will use. + This could be the IP address or hostname of an external load balancer or + other networking infrastructure, or some other address that traffic will + be sent to. + + If no Addresses are specified, the implementation MAY schedule the + Gateway in an implementation-specific manner, assigning an appropriate + set of Addresses. + + The implementation MUST bind all Listeners to every GatewayAddress that + it assigns to the Gateway and add a corresponding entry in + GatewayStatus.Addresses. + + Support: Extended + items: + description: GatewaySpecAddress describes an address that can be + bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + When a value is unspecified, an implementation SHOULD automatically + assign an address matching the requested type if possible. + + If an implementation does not support an empty value, they MUST set the + "Programmed" condition in status to False with a reason of "AddressNotAssigned". + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + type: string + type: object + x-kubernetes-validations: + - message: Hostname value must be empty or contain only valid characters + (matching ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? (!has(self.value) || self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")): + true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: 'self.all(a1, a1.type == ''IPAddress'' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value + == a1.value) : true )' + - message: Hostname values must be unique + rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value + == a1.value) : true )' + gatewayClassName: + description: |- + GatewayClassName used for this Gateway. This is the name of a + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + infrastructure: + description: |- + Infrastructure defines infrastructure level attributes about this Gateway instance. + + Support: Extended + properties: + annotations: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Annotations that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. + For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. + + An implementation may chose to add additional implementation-specific annotations as they see fit. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name segment of + up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + labels: + additionalProperties: + description: |- + LabelValue is the value of a label in the Gateway API. This is used for validation + of maps such as Gateway infrastructure labels. This matches the Kubernetes + label validation rules: + * must be 63 characters or less (can be empty), + * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), + * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. + + Valid values include: + + * MyValue + * my.name + * 123-my-value + maxLength: 63 + minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + Labels that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. + For other implementations, this refers to any relevant (implementation specific) "labels" concepts. + + An implementation may chose to add additional implementation-specific labels as they see fit. + + If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels + change, it SHOULD clearly warn about this behavior in documentation. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Label keys must be in the form of an optional DNS subdomain + prefix followed by a required name segment of up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the Gateway. This is optional if the + controller does not require any additional configuration. + + This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis + + The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the Gateway SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + listeners: + description: |- + Listeners associated with this Gateway. Listeners define + logical endpoints that are bound on this Gateway's addresses. + At least one Listener MUST be specified. + + ## Distinct Listeners + + Each Listener in a set of Listeners (for example, in a single Gateway) + MUST be _distinct_, in that a traffic flow MUST be able to be assigned to + exactly one listener. (This section uses "set of Listeners" rather than + "Listeners in a single Gateway" because implementations MAY merge configuration + from multiple Gateways onto a single data plane, and these rules _also_ + apply in that case). + + Practically, this means that each listener in a set MUST have a unique + combination of Port, Protocol, and, if supported by the protocol, Hostname. + + Some combinations of port, protocol, and TLS settings are considered + Core support and MUST be supported by implementations based on the objects + they support: + + HTTPRoute + + 1. HTTPRoute, Port: 80, Protocol: HTTP + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided + + TLSRoute + + 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + "Distinct" Listeners have the following property: + + **The implementation can match inbound requests to a single distinct + Listener**. + + When multiple Listeners share values for fields (for + example, two Listeners with the same Port value), the implementation + can match requests to only one of the Listeners using other + Listener fields. + + When multiple listeners have the same value for the Protocol field, then + each of the Listeners with matching Protocol values MUST have different + values for other fields. + + The set of fields that MUST be different for a Listener differs per protocol. + The following rules define the rules for what fields MUST be considered for + Listeners to be distinct with each protocol currently defined in the + Gateway API spec. + + The set of listeners that all share a protocol value MUST have _different_ + values for _at least one_ of these fields to be distinct: + + * **HTTP, HTTPS, TLS**: Port, Hostname + * **TCP, UDP**: Port + + One **very** important rule to call out involves what happens when an + implementation: + + * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol + Listeners, and + * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP + Protocol. + + In this case all the Listeners that share a port with the + TCP Listener are not distinct and so MUST NOT be accepted. + + If an implementation does not support TCP Protocol Listeners, then the + previous rule does not apply, and the TCP Listeners SHOULD NOT be + accepted. + + Note that the `tls` field is not used for determining if a listener is distinct, because + Listeners that _only_ differ on TLS config will still conflict in all cases. + + ### Listeners that are distinct only by Hostname + + When the Listeners are distinct based only on Hostname, inbound request + hostnames MUST match from the most specific to least specific Hostname + values to choose the correct Listener and its associated set of Routes. + + Exact matches MUST be processed before wildcard matches, and wildcard + matches MUST be processed before fallback (empty Hostname value) + matches. For example, `"foo.example.com"` takes precedence over + `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. + + Additionally, if there are multiple wildcard entries, more specific + wildcard entries must be processed before less specific wildcard entries. + For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. + + The precise definition here is that the higher the number of dots in the + hostname to the right of the wildcard character, the higher the precedence. + + The wildcard character will match any number of characters _and dots_ to + the left, however, so `"*.example.com"` will match both + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + ## Handling indistinct Listeners + + If a set of Listeners contains Listeners that are not distinct, then those + Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + condition in the Listener Status to "True". + + The words "indistinct" and "conflicted" are considered equivalent for the + purpose of this documentation. + + Implementations MAY choose to accept a Gateway with some Conflicted + Listeners only if they only accept the partial Listener set that contains + no Conflicted Listeners. + + Specifically, an implementation MAY accept a partial Listener set subject to + the following rules: + + * The implementation MUST NOT pick one conflicting Listener as the winner. + ALL indistinct Listeners must not be accepted for processing. + * At least one distinct Listener MUST be present, or else the Gateway effectively + contains _no_ Listeners, and must be rejected from processing as a whole. + + The implementation MUST set a "ListenersNotValid" condition on the + Gateway Status when the Gateway contains Conflicted Listeners whether or + not they accept the Gateway. That Condition SHOULD clearly + indicate in the Message which Listeners are conflicted, and which are + Accepted. Additionally, the Listener status for those listeners SHOULD + indicate which Listeners are conflicted and not Accepted. + + ## General Listener behavior + + Note that, for all distinct Listeners, requests SHOULD match at most one Listener. + For example, if Listeners are defined for "foo.example.com" and "*.example.com", a + request to "foo.example.com" SHOULD only be routed using routes attached + to the "foo.example.com" Listener (and not the "*.example.com" Listener). + + This concept is known as "Listener Isolation", and it is an Extended feature + of Gateway API. Implementations that do not support Listener Isolation MUST + clearly document this, and MUST NOT claim support for the + `GatewayHTTPListenerIsolation` feature. + + Implementations that _do_ support Listener Isolation SHOULD claim support + for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated + conformance tests. + + ## Compatible Listeners + + A Gateway's Listeners are considered _compatible_ if: + + 1. They are distinct. + 2. The implementation can serve them in compliance with the Addresses + requirement that all Listeners are available on all assigned + addresses. + + Compatible combinations in Extended support are expected to vary across + implementations. A combination that is compatible for one implementation + may not be compatible for another. + + For example, an implementation that cannot serve both TCP and UDP listeners + on the same address, or cannot mix HTTPS and generic TLS listens on the same port + would not consider those cases compatible, even though they are distinct. + + Implementations MAY merge separate Gateways onto a single set of + Addresses if all Listeners across all Gateways are compatible. + + In a future release the MinItems=1 requirement MAY be dropped. + + Support: Core + items: + description: |- + Listener embodies the concept of a logical endpoint where a Gateway accepts + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: |- + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. + + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: + + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + + Support: Core + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: |- + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. + + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. + Note that this does not require the SNI and Host header to be the same. + The semantics of this are described in more detail below. + + To ensure security, Section 11.1 of RFC-6066 emphasizes that server + implementations that rely on SNI hostname matching MUST also verify + hostnames within the application protocol. + + Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the + reuse of a connection by responding with the HTTP 421 Misdirected Request + status code. This indicates that the origin server has rejected the + request because it appears to have been misdirected. + + To detect misdirected requests, Gateways SHOULD match the authority of + the requests with all the SNI hostname(s) configured across all the + Gateway Listeners on the same port and protocol: + + * If another Listener has an exact match or more specific wildcard entry, + the Gateway SHOULD return a 421. + * If the current Listener (selected by SNI matching during ClientHello) + does not match the Host: + * If another Listener does match the Host the Gateway SHOULD return a + 421. + * If no other Listener matches the Host, the Gateway MUST return a + 404. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: |- + Name is the name of the Listener. This name MUST be unique within a + Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: |- + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: |- + Protocol specifies the network protocol this listener expects to receive. + + Support: Core + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". + + The association of SNIs to Certificate defined in ListenerTLSConfig is + defined based on the Hostname field for this listener. + + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + + Support: Core + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. + + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. + + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: + + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol + == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname + == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. + properties: + addresses: + description: |- + Addresses lists the network addresses that have been bound to the + Gateway. + + This list may differ from the addresses provided in the spec under some + conditions: + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + items: + description: GatewayStatusAddress describes a network address that + is bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the Gateway. + + Implementations should prefer to express Gateway conditions + using the `GatewayConditionType` and `GatewayConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe Gateway state. + + Known condition types are: + + * "Accepted" + * "Programmed" + * "Ready" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. + + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener or Route status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners with condition Accepted: false and MUST count successfully + attached Routes that may themselves have Accepted: false conditions. + + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: |- + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds an implementation supports for + that Listener configuration. + + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.gatewayClassName + name: Class + type: string + - jsonPath: .status.addresses[*].value + name: Address + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + Gateway represents an instance of a service-traffic handling infrastructure + by binding Listeners to a set of IP addresses. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of Gateway. + properties: + addresses: + description: |- + Addresses requested for this Gateway. This is optional and behavior can + depend on the implementation. If a value is set in the spec and the + requested address is invalid or unavailable, the implementation MUST + indicate this in an associated entry in GatewayStatus.Conditions. + + The Addresses field represents a request for the address(es) on the + "outside of the Gateway", that traffic bound for this Gateway will use. + This could be the IP address or hostname of an external load balancer or + other networking infrastructure, or some other address that traffic will + be sent to. + + If no Addresses are specified, the implementation MAY schedule the + Gateway in an implementation-specific manner, assigning an appropriate + set of Addresses. + + The implementation MUST bind all Listeners to every GatewayAddress that + it assigns to the Gateway and add a corresponding entry in + GatewayStatus.Addresses. + + Support: Extended + items: + description: GatewaySpecAddress describes an address that can be + bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + When a value is unspecified, an implementation SHOULD automatically + assign an address matching the requested type if possible. + + If an implementation does not support an empty value, they MUST set the + "Programmed" condition in status to False with a reason of "AddressNotAssigned". + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + type: string + type: object + x-kubernetes-validations: + - message: Hostname value must be empty or contain only valid characters + (matching ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? (!has(self.value) || self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$""")): + true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: IPAddress values must be unique + rule: 'self.all(a1, a1.type == ''IPAddress'' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value + == a1.value) : true )' + - message: Hostname values must be unique + rule: 'self.all(a1, a1.type == ''Hostname'' && has(a1.value) ? + self.exists_one(a2, a2.type == a1.type && has(a2.value) && a2.value + == a1.value) : true )' + gatewayClassName: + description: |- + GatewayClassName used for this Gateway. This is the name of a + GatewayClass resource. + maxLength: 253 + minLength: 1 + type: string + infrastructure: + description: |- + Infrastructure defines infrastructure level attributes about this Gateway instance. + + Support: Extended + properties: + annotations: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Annotations that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.annotations` field on resources. + For other implementations, this refers to any relevant (implementation specific) "annotations" concepts. + + An implementation may chose to add additional implementation-specific annotations as they see fit. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Annotation keys must be in the form of an optional + DNS subdomain prefix followed by a required name segment of + up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the annotation key's prefix must be a + DNS subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + labels: + additionalProperties: + description: |- + LabelValue is the value of a label in the Gateway API. This is used for validation + of maps such as Gateway infrastructure labels. This matches the Kubernetes + label validation rules: + * must be 63 characters or less (can be empty), + * unless empty, must begin and end with an alphanumeric character ([a-z0-9A-Z]), + * could contain dashes (-), underscores (_), dots (.), and alphanumerics between. + + Valid values include: + + * MyValue + * my.name + * 123-my-value + maxLength: 63 + minLength: 0 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + Labels that SHOULD be applied to any resources created in response to this Gateway. + + For implementations creating other Kubernetes objects, this should be the `metadata.labels` field on resources. + For other implementations, this refers to any relevant (implementation specific) "labels" concepts. + + An implementation may chose to add additional implementation-specific labels as they see fit. + + If an implementation maps these labels to Pods, or any other resource that would need to be recreated when labels + change, it SHOULD clearly warn about this behavior in documentation. + + Support: Extended + maxProperties: 8 + type: object + x-kubernetes-validations: + - message: Label keys must be in the form of an optional DNS subdomain + prefix followed by a required name segment of up to 63 characters. + rule: self.all(key, key.matches(r"""^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?([A-Za-z0-9][-A-Za-z0-9_.]{0,61})?[A-Za-z0-9]$""")) + - message: If specified, the label key's prefix must be a DNS + subdomain not longer than 253 characters in total. + rule: self.all(key, key.split("/")[0].size() < 253) + parametersRef: + description: |- + ParametersRef is a reference to a resource that contains the configuration + parameters corresponding to the Gateway. This is optional if the + controller does not require any additional configuration. + + This follows the same semantics as GatewayClass's `parametersRef`, but on a per-Gateway basis + + The Gateway's GatewayClass may provide its own `parametersRef`. When both are specified, + the merging behavior is implementation specific. + It is generally recommended that GatewayClass provides defaults that can be overridden by a Gateway. + + If the referent cannot be found, refers to an unsupported kind, or when + the data within that resource is malformed, the Gateway SHOULD be + rejected with the "Accepted" status condition set to "False" and an + "InvalidParameters" reason. + + Support: Implementation-specific + properties: + group: + description: Group is the group of the referent. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + type: object + listeners: + description: |- + Listeners associated with this Gateway. Listeners define + logical endpoints that are bound on this Gateway's addresses. + At least one Listener MUST be specified. + + ## Distinct Listeners + + Each Listener in a set of Listeners (for example, in a single Gateway) + MUST be _distinct_, in that a traffic flow MUST be able to be assigned to + exactly one listener. (This section uses "set of Listeners" rather than + "Listeners in a single Gateway" because implementations MAY merge configuration + from multiple Gateways onto a single data plane, and these rules _also_ + apply in that case). + + Practically, this means that each listener in a set MUST have a unique + combination of Port, Protocol, and, if supported by the protocol, Hostname. + + Some combinations of port, protocol, and TLS settings are considered + Core support and MUST be supported by implementations based on the objects + they support: + + HTTPRoute + + 1. HTTPRoute, Port: 80, Protocol: HTTP + 2. HTTPRoute, Port: 443, Protocol: HTTPS, TLS Mode: Terminate, TLS keypair provided + + TLSRoute + + 1. TLSRoute, Port: 443, Protocol: TLS, TLS Mode: Passthrough + + "Distinct" Listeners have the following property: + + **The implementation can match inbound requests to a single distinct + Listener**. + + When multiple Listeners share values for fields (for + example, two Listeners with the same Port value), the implementation + can match requests to only one of the Listeners using other + Listener fields. + + When multiple listeners have the same value for the Protocol field, then + each of the Listeners with matching Protocol values MUST have different + values for other fields. + + The set of fields that MUST be different for a Listener differs per protocol. + The following rules define the rules for what fields MUST be considered for + Listeners to be distinct with each protocol currently defined in the + Gateway API spec. + + The set of listeners that all share a protocol value MUST have _different_ + values for _at least one_ of these fields to be distinct: + + * **HTTP, HTTPS, TLS**: Port, Hostname + * **TCP, UDP**: Port + + One **very** important rule to call out involves what happens when an + implementation: + + * Supports TCP protocol Listeners, as well as HTTP, HTTPS, or TLS protocol + Listeners, and + * sees HTTP, HTTPS, or TLS protocols with the same `port` as one with TCP + Protocol. + + In this case all the Listeners that share a port with the + TCP Listener are not distinct and so MUST NOT be accepted. + + If an implementation does not support TCP Protocol Listeners, then the + previous rule does not apply, and the TCP Listeners SHOULD NOT be + accepted. + + Note that the `tls` field is not used for determining if a listener is distinct, because + Listeners that _only_ differ on TLS config will still conflict in all cases. + + ### Listeners that are distinct only by Hostname + + When the Listeners are distinct based only on Hostname, inbound request + hostnames MUST match from the most specific to least specific Hostname + values to choose the correct Listener and its associated set of Routes. + + Exact matches MUST be processed before wildcard matches, and wildcard + matches MUST be processed before fallback (empty Hostname value) + matches. For example, `"foo.example.com"` takes precedence over + `"*.example.com"`, and `"*.example.com"` takes precedence over `""`. + + Additionally, if there are multiple wildcard entries, more specific + wildcard entries must be processed before less specific wildcard entries. + For example, `"*.foo.example.com"` takes precedence over `"*.example.com"`. + + The precise definition here is that the higher the number of dots in the + hostname to the right of the wildcard character, the higher the precedence. + + The wildcard character will match any number of characters _and dots_ to + the left, however, so `"*.example.com"` will match both + `"foo.bar.example.com"` _and_ `"bar.example.com"`. + + ## Handling indistinct Listeners + + If a set of Listeners contains Listeners that are not distinct, then those + Listeners are _Conflicted_, and the implementation MUST set the "Conflicted" + condition in the Listener Status to "True". + + The words "indistinct" and "conflicted" are considered equivalent for the + purpose of this documentation. + + Implementations MAY choose to accept a Gateway with some Conflicted + Listeners only if they only accept the partial Listener set that contains + no Conflicted Listeners. + + Specifically, an implementation MAY accept a partial Listener set subject to + the following rules: + + * The implementation MUST NOT pick one conflicting Listener as the winner. + ALL indistinct Listeners must not be accepted for processing. + * At least one distinct Listener MUST be present, or else the Gateway effectively + contains _no_ Listeners, and must be rejected from processing as a whole. + + The implementation MUST set a "ListenersNotValid" condition on the + Gateway Status when the Gateway contains Conflicted Listeners whether or + not they accept the Gateway. That Condition SHOULD clearly + indicate in the Message which Listeners are conflicted, and which are + Accepted. Additionally, the Listener status for those listeners SHOULD + indicate which Listeners are conflicted and not Accepted. + + ## General Listener behavior + + Note that, for all distinct Listeners, requests SHOULD match at most one Listener. + For example, if Listeners are defined for "foo.example.com" and "*.example.com", a + request to "foo.example.com" SHOULD only be routed using routes attached + to the "foo.example.com" Listener (and not the "*.example.com" Listener). + + This concept is known as "Listener Isolation", and it is an Extended feature + of Gateway API. Implementations that do not support Listener Isolation MUST + clearly document this, and MUST NOT claim support for the + `GatewayHTTPListenerIsolation` feature. + + Implementations that _do_ support Listener Isolation SHOULD claim support + for the Extended `GatewayHTTPListenerIsolation` feature and pass the associated + conformance tests. + + ## Compatible Listeners + + A Gateway's Listeners are considered _compatible_ if: + + 1. They are distinct. + 2. The implementation can serve them in compliance with the Addresses + requirement that all Listeners are available on all assigned + addresses. + + Compatible combinations in Extended support are expected to vary across + implementations. A combination that is compatible for one implementation + may not be compatible for another. + + For example, an implementation that cannot serve both TCP and UDP listeners + on the same address, or cannot mix HTTPS and generic TLS listens on the same port + would not consider those cases compatible, even though they are distinct. + + Implementations MAY merge separate Gateways onto a single set of + Addresses if all Listeners across all Gateways are compatible. + + In a future release the MinItems=1 requirement MAY be dropped. + + Support: Core + items: + description: |- + Listener embodies the concept of a logical endpoint where a Gateway accepts + network connections. + properties: + allowedRoutes: + default: + namespaces: + from: Same + description: |- + AllowedRoutes defines the types of routes that MAY be attached to a + Listener and the trusted namespaces where those Route resources MAY be + present. + + Although a client request may match multiple route rules, only one rule + may ultimately receive the request. Matching precedence MUST be + determined in order of the following criteria: + + * The most specific match as defined by the Route type. + * The oldest Route based on creation timestamp. For example, a Route with + a creation timestamp of "2020-09-08 01:02:03" is given precedence over + a Route with a creation timestamp of "2020-09-08 01:02:04". + * If everything else is equivalent, the Route appearing first in + alphabetical order (namespace/name) should be given precedence. For + example, foo/bar is given precedence over foo/baz. + + All valid rules within a Route attached to this Listener should be + implemented. Invalid Route rules can be ignored (sometimes that will mean + the full Route). If a Route rule transitions from valid to invalid, + support for that Route rule should be dropped to ensure consistency. For + example, even if a filter specified by a Route rule is invalid, the rest + of the rules within that Route should still be supported. + + Support: Core + properties: + kinds: + description: |- + Kinds specifies the groups and kinds of Routes that are allowed to bind + to this Gateway Listener. When unspecified or empty, the kinds of Routes + selected are determined using the Listener protocol. + + A RouteGroupKind MUST correspond to kinds of Routes that are compatible + with the application protocol specified in the Listener's Protocol field. + If an implementation does not support or recognize this resource type, it + MUST set the "ResolvedRefs" condition to False for this Listener with the + "InvalidRouteKinds" reason. + + Support: Core + items: + description: RouteGroupKind indicates the group and kind + of a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + namespaces: + default: + from: Same + description: |- + Namespaces indicates namespaces from which Routes may be attached to this + Listener. This is restricted to the namespace of this Gateway by default. + + Support: Core + properties: + from: + default: Same + description: |- + From indicates where Routes will be selected for this Gateway. Possible + values are: + + * All: Routes in all namespaces may be used by this Gateway. + * Selector: Routes in namespaces selected by the selector may be used by + this Gateway. + * Same: Only Routes in the same namespace may be used by this Gateway. + + Support: Core + enum: + - All + - Selector + - Same + type: string + selector: + description: |- + Selector must be specified when From is set to "Selector". In that case, + only Routes in Namespaces matching this Selector will be selected by this + Gateway. This field is ignored for other values of "From". + + Support: Core + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: object + hostname: + description: |- + Hostname specifies the virtual hostname to match for protocol types that + define this concept. When unspecified, all hostnames are matched. This + field is ignored for protocols that don't require hostname based + matching. + + Implementations MUST apply Hostname matching appropriately for each of + the following protocols: + + * TLS: The Listener Hostname MUST match the SNI. + * HTTP: The Listener Hostname MUST match the Host header of the request. + * HTTPS: The Listener Hostname SHOULD match both the SNI and Host header. + Note that this does not require the SNI and Host header to be the same. + The semantics of this are described in more detail below. + + To ensure security, Section 11.1 of RFC-6066 emphasizes that server + implementations that rely on SNI hostname matching MUST also verify + hostnames within the application protocol. + + Section 9.1.2 of RFC-7540 provides a mechanism for servers to reject the + reuse of a connection by responding with the HTTP 421 Misdirected Request + status code. This indicates that the origin server has rejected the + request because it appears to have been misdirected. + + To detect misdirected requests, Gateways SHOULD match the authority of + the requests with all the SNI hostname(s) configured across all the + Gateway Listeners on the same port and protocol: + + * If another Listener has an exact match or more specific wildcard entry, + the Gateway SHOULD return a 421. + * If the current Listener (selected by SNI matching during ClientHello) + does not match the Host: + * If another Listener does match the Host the Gateway SHOULD return a + 421. + * If no other Listener matches the Host, the Gateway MUST return a + 404. + + For HTTPRoute and TLSRoute resources, there is an interaction with the + `spec.hostnames` array. When both listener and route specify hostnames, + there MUST be an intersection between the values for a Route to be + accepted. For more information, refer to the Route specific Hostnames + documentation. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + name: + description: |- + Name is the name of the Listener. This name MUST be unique within a + Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + port: + description: |- + Port is the network port. Multiple listeners may use the + same port, subject to the Listener compatibility rules. + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: |- + Protocol specifies the network protocol this listener expects to receive. + + Support: Core + maxLength: 255 + minLength: 1 + pattern: ^[a-zA-Z0-9]([-a-zA-Z0-9]*[a-zA-Z0-9])?$|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9]+$ + type: string + tls: + description: |- + TLS is the TLS configuration for the Listener. This field is required if + the Protocol field is "HTTPS" or "TLS". It is invalid to set this field + if the Protocol field is "HTTP", "TCP", or "UDP". + + The association of SNIs to Certificate defined in ListenerTLSConfig is + defined based on the Hostname field for this listener. + + The GatewayClass MUST use the longest matching SNI out of all + available certificates for any TLS handshake. + + Support: Core + properties: + certificateRefs: + description: |- + CertificateRefs contains a series of references to Kubernetes objects that + contains TLS certificates and private keys. These certificates are used to + establish a TLS handshake for requests that match the hostname of the + associated listener. + + A single CertificateRef to a Kubernetes Secret has "Core" support. + Implementations MAY choose to support attaching multiple certificates to + a Listener, but this behavior is implementation-specific. + + References to a resource in different namespace are invalid UNLESS there + is a ReferenceGrant in the target namespace that allows the certificate + to be attached. If a ReferenceGrant does not allow this reference, the + "ResolvedRefs" condition MUST be set to False for this listener with the + "RefNotPermitted" reason. + + This field is required to have at least one element when the mode is set + to "Terminate" (default) and is optional otherwise. + + CertificateRefs can reference to standard Kubernetes resources, i.e. + Secret, or implementation-specific custom resources. + + Support: Core - A single reference to a Kubernetes Secret of type kubernetes.io/tls + + Support: Implementation-specific (More than one reference or other resource types) + items: + description: |- + SecretObjectReference identifies an API object including its namespace, + defaulting to Secret. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + + References to objects with invalid Group and Kind are not valid, and must + be rejected by the implementation, with appropriate Conditions set + on the containing object. + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Secret + description: Kind is kind of the referent. For example + "Secret". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referenced object. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + mode: + default: Terminate + description: |- + Mode defines the TLS behavior for the TLS session initiated by the client. + There are two possible modes: + + - Terminate: The TLS session between the downstream client and the + Gateway is terminated at the Gateway. This mode requires certificates + to be specified in some way, such as populating the certificateRefs + field. + - Passthrough: The TLS session is NOT terminated by the Gateway. This + implies that the Gateway can't decipher the TLS stream except for + the ClientHello message of the TLS protocol. The certificateRefs field + is ignored in this mode. + + Support: Core + enum: + - Terminate + - Passthrough + type: string + options: + additionalProperties: + description: |- + AnnotationValue is the value of an annotation in Gateway API. This is used + for validation of maps such as TLS options. This roughly matches Kubernetes + annotation validation, although the length validation in that case is based + on the entire size of the annotations struct. + maxLength: 4096 + minLength: 0 + type: string + description: |- + Options are a list of key/value pairs to enable extended TLS + configuration for each implementation. For example, configuring the + minimum TLS version or supported cipher suites. + + A set of common keys MAY be defined by the API in the future. To avoid + any ambiguity, implementation-specific definitions MUST use + domain-prefixed names, such as `example.com/my-custom-option`. + Un-prefixed names are reserved for key names defined by Gateway API. + + Support: Implementation-specific + maxProperties: 16 + type: object + type: object + x-kubernetes-validations: + - message: certificateRefs or options must be specified when + mode is Terminate + rule: 'self.mode == ''Terminate'' ? size(self.certificateRefs) + > 0 || size(self.options) > 0 : true' + required: + - name + - port + - protocol + type: object + maxItems: 64 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: tls must not be specified for protocols ['HTTP', 'TCP', + 'UDP'] + rule: 'self.all(l, l.protocol in [''HTTP'', ''TCP'', ''UDP''] ? + !has(l.tls) : true)' + - message: tls mode must be Terminate for protocol HTTPS + rule: 'self.all(l, (l.protocol == ''HTTPS'' && has(l.tls)) ? (l.tls.mode + == '''' || l.tls.mode == ''Terminate'') : true)' + - message: hostname must not be specified for protocols ['TCP', 'UDP'] + rule: 'self.all(l, l.protocol in [''TCP'', ''UDP''] ? (!has(l.hostname) + || l.hostname == '''') : true)' + - message: Listener name must be unique within the Gateway + rule: self.all(l1, self.exists_one(l2, l1.name == l2.name)) + - message: Combination of port, protocol and hostname must be unique + for each listener + rule: 'self.all(l1, self.exists_one(l2, l1.port == l2.port && l1.protocol + == l2.protocol && (has(l1.hostname) && has(l2.hostname) ? l1.hostname + == l2.hostname : !has(l1.hostname) && !has(l2.hostname))))' + required: + - gatewayClassName + - listeners + type: object + status: + default: + conditions: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Status defines the current state of Gateway. + properties: + addresses: + description: |- + Addresses lists the network addresses that have been bound to the + Gateway. + + This list may differ from the addresses provided in the spec under some + conditions: + + * no addresses are specified, all addresses are dynamically assigned + * a combination of specified and dynamic addresses are assigned + * a specified address was unusable (e.g. already in use) + items: + description: GatewayStatusAddress describes a network address that + is bound to a Gateway. + oneOf: + - properties: + type: + enum: + - IPAddress + value: + anyOf: + - format: ipv4 + - format: ipv6 + - properties: + type: + not: + enum: + - IPAddress + properties: + type: + default: IPAddress + description: Type of the address. + maxLength: 253 + minLength: 1 + pattern: ^Hostname|IPAddress|NamedAddress|[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + value: + description: |- + Value of the address. The validity of the values will depend + on the type and support by the controller. + + Examples: `1.2.3.4`, `128::1`, `my-ip-address`. + maxLength: 253 + minLength: 1 + type: string + required: + - value + type: object + x-kubernetes-validations: + - message: Hostname value must only contain valid characters (matching + ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$) + rule: 'self.type == ''Hostname'' ? self.value.matches(r"""^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"""): + true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Accepted + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the Gateway. + + Implementations should prefer to express Gateway conditions + using the `GatewayConditionType` and `GatewayConditionReason` + constants so that operators and tools can converge on a common + vocabulary to describe Gateway state. + + Known condition types are: + + * "Accepted" + * "Programmed" + * "Ready" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + listeners: + description: Listeners provide status for each unique listener port + defined in the Spec. + items: + description: ListenerStatus is the status associated with a Listener. + properties: + attachedRoutes: + description: |- + AttachedRoutes represents the total number of Routes that have been + successfully attached to this Listener. + + Successful attachment of a Route to a Listener is based solely on the + combination of the AllowedRoutes field on the corresponding Listener + and the Route's ParentRefs field. A Route is successfully attached to + a Listener when it is selected by the Listener's AllowedRoutes field + AND the Route has a valid ParentRef selecting the whole Gateway + resource or a specific Listener as a parent resource (more detail on + attachment semantics can be found in the documentation on the various + Route kinds ParentRefs fields). Listener or Route status does not impact + successful attachment, i.e. the AttachedRoutes field count MUST be set + for Listeners with condition Accepted: false and MUST count successfully + attached Routes that may themselves have Accepted: false conditions. + + Uses for this field include troubleshooting Route attachment and + measuring blast radius/impact of changes to a Listener. + format: int32 + type: integer + conditions: + description: Conditions describe the current condition of this + listener. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + name: + description: Name is the name of the Listener that this status + corresponds to. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + supportedKinds: + description: |- + SupportedKinds is the list indicating the Kinds supported by this + listener. This MUST represent the kinds an implementation supports for + that Listener configuration. + + If kinds are specified in Spec that are not supported, they MUST NOT + appear in this list and an implementation MUST set the "ResolvedRefs" + condition to "False" with the "InvalidRouteKinds" reason. If both valid + and invalid Route kinds are specified, the implementation MUST + reference the valid Route kinds that have been specified. + items: + description: RouteGroupKind indicates the group and kind of + a Route resource. + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the Route. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is the kind of the Route. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + required: + - kind + type: object + maxItems: 8 + type: array + x-kubernetes-list-type: atomic + required: + - attachedRoutes + - conditions + - name + - supportedKinds + type: object + maxItems: 64 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_grpcroutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: standard + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + GRPCRoute provides a way to route gRPC requests. This includes the capability + to match requests by hostname, gRPC service, gRPC method, or HTTP/2 header. + Filters can be used to specify additional processing steps. Backends specify + where matching requests will be routed. + + GRPCRoute falls under extended support within the Gateway API. Within the + following specification, the word "MUST" indicates that an implementation + supporting GRPCRoute must conform to the indicated requirement, but an + implementation not supporting this route type need not follow the requirement + unless explicitly indicated. + + Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` MUST + accept HTTP/2 connections without an initial upgrade from HTTP/1.1, i.e. via + ALPN. If the implementation does not support this, then it MUST set the + "Accepted" condition to "False" for the affected listener with a reason of + "UnsupportedProtocol". Implementations MAY also accept HTTP/2 connections + with an upgrade from HTTP/1. + + Implementations supporting `GRPCRoute` with the `HTTP` `ProtocolType` MUST + support HTTP/2 over cleartext TCP (h2c, + https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial + upgrade from HTTP/1.1, i.e. with prior knowledge + (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). If the implementation + does not support this, then it MUST set the "Accepted" condition to "False" + for the affected listener with a reason of "UnsupportedProtocol". + Implementations MAY also accept HTTP/2 connections with an upgrade from + HTTP/1, i.e. without prior knowledge. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames to match against the GRPC + Host header to select a GRPCRoute to process the request. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label MUST appear by itself as the first label. + + If a hostname is specified by both the Listener and GRPCRoute, there + MUST be at least one intersecting hostname for the GRPCRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the other + hand, `example.com` and `test.example.net` would not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + If both the Listener and GRPCRoute have specified hostnames, any + GRPCRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + GRPCRoute specified `test.example.com` and `test.example.net`, + `test.example.net` MUST NOT be considered for a match. + + If both the Listener and GRPCRoute have specified hostnames, and none + match with the criteria above, then the GRPCRoute MUST NOT be accepted by + the implementation. The implementation MUST raise an 'Accepted' Condition + with a status of `False` in the corresponding RouteParentStatus. + + If a Route (A) of type HTTPRoute or GRPCRoute is attached to a + Listener and that listener already has another Route (B) of the other + type attached and the intersection of the hostnames of A and B is + non-empty, then the implementation MUST accept exactly one of these two + routes, determined by the following criteria, in order: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + The rejected Route MUST raise an 'Accepted' condition with a status of + 'False' in the corresponding RouteParentStatus. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: |- + GRPCRouteRule defines the semantics for matching a gRPC request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive an `UNAVAILABLE` status. + + See the GRPCBackendRef definition for the rules about what makes a single + GRPCBackendRef invalid. + + When a GRPCBackendRef is invalid, `UNAVAILABLE` statuses MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive an `UNAVAILABLE` status. + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic MUST receive an `UNAVAILABLE` status. + Implementations may choose how that 50 percent is determined. + + Support: Core for Kubernetes Service + + Support: Implementation-specific for any other resource + + Support for weight: Core + items: + description: |- + GRPCBackendRef defines how a GRPCRoute forwards a gRPC request. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + properties: + filters: + description: |- + Filters defined at this level MUST be executed if and only if the + request is being forwarded to the backend defined here. + + Support: Implementation-specific (For broader support of filters, use the + Filters field in GRPCRouteRule.) + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + Support: Implementation-specific + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + The effects of ordering of multiple behaviors are currently unspecified. + This can change in the future based on feedback during the alpha stage. + + Conformance-levels at this level are defined based on the type of filter: + + - ALL core filters MUST be supported by all implementations that support + GRPCRoute. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + If an implementation cannot support a combination of filters, it must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + Support: Core + items: + description: |- + GRPCRouteFilter defines processing steps that must be completed during the + request or response lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + Support: Implementation-specific + + This filter can be used multiple times within the same rule. + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations supporting GRPCRoute MUST support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` MUST be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + matches: + description: |- + Matches define conditions used for matching the rule against incoming + gRPC requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + For example, take the following matches configuration: + + ``` + matches: + - method: + service: foo.bar + headers: + values: + version: 2 + - method: + service: foo.bar.v2 + ``` + + For a request to match against this rule, it MUST satisfy + EITHER of the two conditions: + + - service of foo.bar AND contains the header `version: 2` + - service of foo.bar.v2 + + See the documentation for GRPCRouteMatch on how to specify multiple + match conditions to be ANDed together. + + If no matches are specified, the implementation MUST match every gRPC request. + + Proxy or Load Balancer routing configuration generated from GRPCRoutes + MUST prioritize rules based on the following criteria, continuing on + ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + Precedence MUST be given to the rule with the largest number of: + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + * Characters in a matching service. + * Characters in a matching method. + * Header matches. + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching rule meeting + the above criteria. + items: + description: |- + GRPCRouteMatch defines the predicate used to match requests to a given + action. Multiple match types are ANDed together, i.e. the match will + evaluate to true only if all conditions are satisfied. + + For example, the match below will match a gRPC request only if its service + is `foo` AND it contains the `version: v1` header: + + ``` + matches: + - method: + type: Exact + service: "foo" + headers: + - name: "version" + value "v1" + + ``` + properties: + headers: + description: |- + Headers specifies gRPC request header matchers. Multiple match values are + ANDed together, meaning, a request MUST match all the specified headers + to select the route. + items: + description: |- + GRPCHeaderMatch describes how to select a gRPC route by matching gRPC request + headers. + properties: + name: + description: |- + Name is the name of the gRPC Header to be matched. + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies a gRPC request service/method matcher. If this field is + not specified, all services and methods will match. + properties: + method: + description: |- + Value of the method to match against. If left empty or omitted, will + match all services. + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + service: + description: |- + Value of the service to match against. If left empty or omitted, will + match any service. + + At least one of Service and Method MUST be a non-empty string. + maxLength: 1024 + type: string + type: + default: Exact + description: |- + Type specifies how to match against the service and/or method. + Support: Core (Exact with service and method specified) + + Support: Implementation-specific (Exact with method specified but no service specified) + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - RegularExpression + type: string + type: object + x-kubernetes-validations: + - message: One or both of 'service' or 'method' must be + specified + rule: 'has(self.type) ? has(self.service) || has(self.method) + : true' + - message: service must only contain valid characters + (matching ^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.service) ? self.service.matches(r"""^(?i)\.?[a-z_][a-z_0-9]*(\.[a-z_][a-z_0-9]*)*$"""): + true' + - message: method must only contain valid characters (matching + ^[A-Za-z_][A-Za-z_0-9]*$) + rule: '(!has(self.type) || self.type == ''Exact'') && + has(self.method) ? self.method.matches(r"""^[A-Za-z_][A-Za-z_0-9]*$"""): + true' + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + type: object + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? (has(self[0].matches) ? self[0].matches.size() + : 0) : 0) + (self.size() > 1 ? (has(self[1].matches) ? self[1].matches.size() + : 0) : 0) + (self.size() > 2 ? (has(self[2].matches) ? self[2].matches.size() + : 0) : 0) + (self.size() > 3 ? (has(self[3].matches) ? self[3].matches.size() + : 0) : 0) + (self.size() > 4 ? (has(self[4].matches) ? self[4].matches.size() + : 0) : 0) + (self.size() > 5 ? (has(self[5].matches) ? self[5].matches.size() + : 0) : 0) + (self.size() > 6 ? (has(self[6].matches) ? self[6].matches.size() + : 0) : 0) + (self.size() > 7 ? (has(self[7].matches) ? self[7].matches.size() + : 0) : 0) + (self.size() > 8 ? (has(self[8].matches) ? self[8].matches.size() + : 0) : 0) + (self.size() > 9 ? (has(self[9].matches) ? self[9].matches.size() + : 0) : 0) + (self.size() > 10 ? (has(self[10].matches) ? self[10].matches.size() + : 0) : 0) + (self.size() > 11 ? (has(self[11].matches) ? self[11].matches.size() + : 0) : 0) + (self.size() > 12 ? (has(self[12].matches) ? self[12].matches.size() + : 0) : 0) + (self.size() > 13 ? (has(self[13].matches) ? self[13].matches.size() + : 0) : 0) + (self.size() > 14 ? (has(self[14].matches) ? self[14].matches.size() + : 0) : 0) + (self.size() > 15 ? (has(self[15].matches) ? self[15].matches.size() + : 0) : 0) <= 128' + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_httproutes.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: standard + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + description: |- + HTTPRoute provides a way to route HTTP requests. This includes the capability + to match requests by hostname, path, header, or query param. Filters can be + used to specify additional processing steps. Backends specify where matching + requests should be routed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames that should match against the HTTP Host + header to select a HTTPRoute used to process the request. Implementations + MUST ignore any port value specified in the HTTP Host header while + performing a match and (absent of any applicable header modification + configuration) MUST forward this header unmodified to the backend. + + Valid values for Hostnames are determined by RFC 1123 definition of a + hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and HTTPRoute, there + must be at least one intersecting hostname for the HTTPRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + If both the Listener and HTTPRoute have specified hostnames, any + HTTPRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + HTTPRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and HTTPRoute have specified hostnames, and none + match with the criteria above, then the HTTPRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. + overlapping wildcard matching and exact matching hostnames), precedence must + be given to rules from the HTTPRoute with the largest number of: + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + + If ties exist across multiple Routes, the matching precedence rules for + HTTPRouteMatches takes over. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: |- + HTTPRouteRule defines semantics for matching an HTTP request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive a 500 status code. + + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. + + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive a 500 status code. + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. + + When a HTTPBackendRef refers to a Service that has no ready endpoints, + implementations SHOULD return a 503 for requests to that backend instead. + If an implementation chooses to do this, all of the above rules for 500 responses + MUST also apply for responses that return a 503. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Core + items: + description: |- + HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + properties: + filters: + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. + + Support: Implementation-specific (For broader support of filters, use the + Filters field in HTTPRouteRule.) + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != + ''RequestRedirect'')' + - message: filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: '!(!has(self.requestRedirect) && self.type == + ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + Wherever possible, implementations SHOULD implement filters in the order + they are specified. + + Implementations MAY choose to implement this ordering strictly, rejecting + any combination or order of filters that cannot be supported. If implementations + choose a strict interpretation of filter ordering, they MUST clearly document + that behavior. + + To reject an invalid combination or order of filters, implementations SHOULD + consider the Route Rules with this configuration invalid. If all Route Rules + in a Route are invalid, the entire Route would be considered invalid. If only + a portion of Route Rules are invalid, implementations MUST set the + "PartiallyInvalid" condition for the Route. + + Conformance-levels at this level are defined based on the type of filter: + + - ALL core filters MUST be supported by all implementations. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + All filters are expected to be compatible with each other except for the + URLRewrite and RequestRedirect filters, which may not be combined. If an + implementation cannot support other combinations of filters, they must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + Support: Core + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the filter.type + is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' + - message: filter.requestRedirect must be specified for RequestRedirect + filter.type + rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') && + self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() <= + 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: |- + Matches define conditions used for matching the rule against incoming + HTTP requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + For example, take the following matches configuration: + + ``` + matches: + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + For a request to match against this rule, a request must satisfy + EITHER of the two conditions: + + - path prefixed with `/foo` AND contains the header `version: v2` + - path prefix of `/v2/foo` + + See the documentation for HTTPRouteMatch on how to specify multiple + match conditions that should be ANDed together. + + If no matches are specified, the default is a prefix + path match on "/", which has the effect of matching every + HTTP request. + + Proxy or Load Balancer routing configuration generated from HTTPRoutes + MUST prioritize matches based on the following criteria, continuing on + ties. Across all rules specified on applicable Routes, precedence must be + given to the match having: + + * "Exact" path match. + * "Prefix" path match with largest number of characters. + * Method match. + * Largest number of header matches. + * Largest number of query param matches. + + Note: The precedence of RegularExpression path matches are implementation-specific. + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within an HTTPRoute, matching precedence MUST be granted + to the FIRST matching rule (in list order) with a match meeting the above + criteria. + + When no rules matching a request have been successfully attached to the + parent a request is coming from, a HTTP 404 status code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\nFor example, the + match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n```" + properties: + headers: + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. + items: + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the header. + + Support: Core (Exact) + + Support: Implementation-specific (RegularExpression) + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: |- + Type specifies how to match against the path Value. + + Support: Core (Exact, PathPrefix) + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + Support: Extended + items: + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the query parameter. + + Support: Extended (Exact) + + Support: Implementation-specific (RegularExpression) + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + timeouts: + description: |- + Timeouts defines the timeouts that can be configured for an HTTP request. + + Support: Extended + properties: + backendRequest: + description: |- + BackendRequest specifies a timeout for an individual request from the gateway + to a backend. This covers the time from when the request first starts being + sent from the gateway to when the full response has been received from the backend. + + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + An entire client HTTP transaction with a gateway, covered by the Request timeout, + may result in more than one call from the gateway to the destination backend, + for example, if automatic retries are supported. + + The value of BackendRequest must be a Gateway API Duration string as defined by + GEP-2257. When this field is unspecified, its behavior is implementation-specific; + when specified, the value of BackendRequest must be no more than the value of the + Request timeout (since the Request timeout encompasses the BackendRequest timeout). + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + request: + description: |- + Request specifies the maximum duration for a gateway to respond to an HTTP request. + If the gateway has not been able to respond before this deadline is met, the gateway + MUST return a timeout error. + + For example, setting the `rules.timeouts.request` field to the value `10s` in an + `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds + to complete. + + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + This timeout is intended to cover as close to the whole request-response transaction + as possible although an implementation MAY choose to start the timeout after the entire + request stream has been received instead of immediately after the transaction is + initiated by the client. + + The value of Request is a Gateway API Duration string as defined by GEP-2257. When this + field is unspecified, request timeout behavior is implementation-specific. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: backendRequest timeout cannot be longer than request + timeout + rule: '!(has(self.request) && has(self.backendRequest) && + duration(self.request) != duration(''0s'') && duration(self.backendRequest) + > duration(self.request))' + type: object + x-kubernetes-validations: + - message: RequestRedirect filter must not be used together with + backendRefs + rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? + (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): + true' + - message: When using RequestRedirect filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + ? ((size(self.matches) != 1 || !has(self.matches[0].path) || + self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: When using URLRewrite filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + - message: Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix match must + be specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) + || self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match must be + specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() + > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() + : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() + > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() + : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() + > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() + : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() + > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() + : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() + > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() + : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + HTTPRoute provides a way to route HTTP requests. This includes the capability + to match requests by hostname, path, header, or query param. Filters can be + used to specify additional processing steps. Backends specify where matching + requests should be routed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: |- + Hostnames defines a set of hostnames that should match against the HTTP Host + header to select a HTTPRoute used to process the request. Implementations + MUST ignore any port value specified in the HTTP Host header while + performing a match and (absent of any applicable header modification + configuration) MUST forward this header unmodified to the backend. + + Valid values for Hostnames are determined by RFC 1123 definition of a + hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + If a hostname is specified by both the Listener and HTTPRoute, there + must be at least one intersecting hostname for the HTTPRoute to be + attached to the Listener. For example: + + * A Listener with `test.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames, or have specified at + least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at least + one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` would + all match. On the other hand, `example.com` and `test.example.net` would + not match. + + Hostnames that are prefixed with a wildcard label (`*.`) are interpreted + as a suffix match. That means that a match for `*.example.com` would match + both `test.example.com`, and `foo.test.example.com`, but not `example.com`. + + If both the Listener and HTTPRoute have specified hostnames, any + HTTPRoute hostnames that do not match the Listener hostname MUST be + ignored. For example, if a Listener specified `*.example.com`, and the + HTTPRoute specified `test.example.com` and `test.example.net`, + `test.example.net` must not be considered for a match. + + If both the Listener and HTTPRoute have specified hostnames, and none + match with the criteria above, then the HTTPRoute is not accepted. The + implementation must raise an 'Accepted' Condition with a status of + `False` in the corresponding RouteParentStatus. + + In the event that multiple HTTPRoutes specify intersecting hostnames (e.g. + overlapping wildcard matching and exact matching hostnames), precedence must + be given to rules from the HTTPRoute with the largest number of: + + * Characters in a matching non-wildcard hostname. + * Characters in a matching hostname. + + If ties exist across multiple Routes, the matching precedence rules for + HTTPRouteMatches takes over. + + Support: Core + items: + description: |- + Hostname is the fully qualified domain name of a network host. This matches + the RFC 1123 definition of a hostname with 2 notable exceptions: + + 1. IPs are not allowed. + 2. A hostname may be prefixed with a wildcard label (`*.`). The wildcard + label must appear by itself as the first label. + + Hostname can be "precise" which is a domain name without the terminating + dot of a network host (e.g. "foo.example.com") or "wildcard", which is a + domain name prefixed with a single wildcard label (e.g. `*.example.com`). + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: |- + ParentRefs references the resources (usually Gateways) that a Route wants + to be attached to. Note that the referenced parent resource needs to + allow this for the attachment to be complete. For Gateways, that means + the Gateway needs to allow attachment from Routes of this kind and + namespace. For Services, that means the Service must either be in the same + namespace for a "producer" route, or the mesh implementation must support + and allow "consumer" routes for the referenced Service. ReferenceGrant is + not applicable for governing ParentRefs to Services - it is not possible to + create a "producer" route for a Service in a different namespace from the + Route. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + ParentRefs must be _distinct_. This means either that: + + * They select different objects. If this is the case, then parentRef + entries are distinct. In terms of fields, this means that the + multi-part key defined by `group`, `kind`, `namespace`, and `name` must + be unique across all parentRef entries in the Route. + * They do not select different objects, but for each optional field used, + each ParentRef that selects the same object must set the same set of + optional fields to different values. If one ParentRef sets a + combination of optional fields, all must set the same combination. + + Some examples: + + * If one ParentRef sets `sectionName`, all ParentRefs referencing the + same object must also set `sectionName`. + * If one ParentRef sets `port`, all ParentRefs referencing the same + object must also set `port`. + * If one ParentRef sets `sectionName` and `port`, all ParentRefs + referencing the same object must also set `sectionName` and `port`. + + It is possible to separately reference multiple distinct objects that may + be collapsed by an implementation. For example, some implementations may + choose to merge compatible Gateway Listeners together. If that is the + case, the list of routes attached to those resources should also be + merged. + + Note that for ParentRefs that cross namespace boundaries, there are specific + rules. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example, + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable other kinds of cross-namespace reference. + items: + description: |- + ParentReference identifies an API object (usually a Gateway) that can be considered + a parent of this resource (usually a route). There are two kinds of parent resources + with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + This API may be extended in the future to support additional kinds of parent + resources. + + The API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''')) : true))' + - message: sectionName must be unique when parentRefs includes 2 or + more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || (has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)))) + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: |- + HTTPRouteRule defines semantics for matching an HTTP request based on + conditions (matches), processing it (filters), and forwarding the request to + an API object (backendRefs). + properties: + backendRefs: + description: |- + BackendRefs defines the backend(s) where matching requests should be + sent. + + Failure behavior here depends on how many BackendRefs are specified and + how many are invalid. + + If *all* entries in BackendRefs are invalid, and there are also no filters + specified in this route rule, *all* traffic which matches this rule MUST + receive a 500 status code. + + See the HTTPBackendRef definition for the rules about what makes a single + HTTPBackendRef invalid. + + When a HTTPBackendRef is invalid, 500 status codes MUST be returned for + requests that would have otherwise been routed to an invalid backend. If + multiple backends are specified, and some are invalid, the proportion of + requests that would otherwise have been routed to an invalid backend + MUST receive a 500 status code. + + For example, if two backends are specified with equal weights, and one is + invalid, 50 percent of traffic must receive a 500. Implementations may + choose how that 50 percent is determined. + + When a HTTPBackendRef refers to a Service that has no ready endpoints, + implementations SHOULD return a 503 for requests to that backend instead. + If an implementation chooses to do this, all of the above rules for 500 responses + MUST also apply for responses that return a 503. + + Support: Core for Kubernetes Service + + Support: Extended for Kubernetes ServiceImport + + Support: Implementation-specific for any other resource + + Support for weight: Core + items: + description: |- + HTTPBackendRef defines how a HTTPRoute forwards a HTTP request. + + Note that when a namespace different than the local namespace is specified, a + ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + properties: + filters: + description: |- + Filters defined at this level should be executed if and only if the + request is being forwarded to the backend defined here. + + Support: Implementation-specific (For broader support of filters, use the + Filters field in HTTPRouteRule.) + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind + == ''Service'') ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal + to denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be + specified in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified + when type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? + has(self.replaceFullPath) : true' + - message: type must be 'ReplaceFullPath' when + replaceFullPath is set + rule: 'has(self.replaceFullPath) ? self.type + == ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified + when type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' + ? has(self.replacePrefixMatch) : true' + - message: type must be 'ReplacePrefixMatch' + when replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil + if the filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type + != ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type + == ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil + if the filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type + != ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for + RequestMirror filter.type + rule: '!(!has(self.requestMirror) && self.type == + ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the + filter.type is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != + ''RequestRedirect'')' + - message: filter.requestRedirect must be specified + for RequestRedirect filter.type + rule: '!(!has(self.requestRedirect) && self.type == + ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for + ExtensionRef filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') + && self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() + <= 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() + <= 1 + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: |- + Weight specifies the proportion of requests forwarded to the referenced + backend. This is computed as weight/(sum of all weights in this + BackendRefs list). For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision an + implementation supports. Weight is not a percentage and the sum of + weights does not need to equal 100. + + If only one backend is specified and it has a weight greater than 0, 100% + of the traffic is forwarded to that backend. If weight is set to 0, no + traffic should be forwarded for this entry. If unspecified, weight + defaults to 1. + + Support for this field varies based on the context where used. + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + filters: + description: |- + Filters define the filters that are applied to requests that match + this rule. + + Wherever possible, implementations SHOULD implement filters in the order + they are specified. + + Implementations MAY choose to implement this ordering strictly, rejecting + any combination or order of filters that cannot be supported. If implementations + choose a strict interpretation of filter ordering, they MUST clearly document + that behavior. + + To reject an invalid combination or order of filters, implementations SHOULD + consider the Route Rules with this configuration invalid. If all Route Rules + in a Route are invalid, the entire Route would be considered invalid. If only + a portion of Route Rules are invalid, implementations MUST set the + "PartiallyInvalid" condition for the Route. + + Conformance-levels at this level are defined based on the type of filter: + + - ALL core filters MUST be supported by all implementations. + - Implementers are encouraged to support extended filters. + - Implementation-specific custom filters have no API guarantees across + implementations. + + Specifying the same filter multiple times is not supported unless explicitly + indicated in the filter. + + All filters are expected to be compatible with each other except for the + URLRewrite and RequestRedirect filters, which may not be combined. If an + implementation cannot support other combinations of filters, they must clearly + document that limitation. In cases where incompatible or unsupported + filters are specified and cause the `Accepted` condition to be set to status + `False`, implementations may use the `IncompatibleFilters` reason to specify + this configuration error. + + Support: Core + items: + description: |- + HTTPRouteFilter defines processing steps that must be completed during the + request or response lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway implementations. Some + examples include request or response modification, implementing + authentication strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type of the filter. + properties: + extensionRef: + description: |- + ExtensionRef is an optional, implementation-specific extension to the + "filter" behavior. For example, resource "myroutefilter" in group + "networking.example.net"). ExtensionRef MUST NOT be used for core and + extended filters. + + This filter can be used multiple times within the same rule. + + Support: Implementation-specific + properties: + group: + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: |- + RequestHeaderModifier defines a schema for a filter that modifies request + headers. + + Support: Core + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: |- + RequestMirror defines a schema for a filter that mirrors requests. + Requests are sent to the specified destination, but responses from + that destination are ignored. + + This filter can be used multiple times within the same rule. Note that + not all implementations will be able to support mirroring to multiple + backends. + + Support: Extended + properties: + backendRef: + description: |- + BackendRef references a resource where mirrored requests are sent. + + Mirrored requests must be sent only to a single destination endpoint + within this BackendRef, irrespective of how many endpoints are present + within this BackendRef. + + If the referent cannot be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure the "ResolvedRefs" + condition on the Route status is set to `status: False` and not configure + this backend in the underlying implementation. + + If there is a cross-namespace reference to an *existing* object + that is not allowed by a ReferenceGrant, the controller must ensure the + "ResolvedRefs" condition on the Route is set to `status: False`, + with the "RefNotPermitted" reason and not configure this backend in the + underlying implementation. + + In either error case, the Message of the `ResolvedRefs` Condition + should be used to provide more detail about the problem. + + Support: Extended for Kubernetes Service + + Support: Implementation-specific for any other resource + properties: + group: + default: "" + description: |- + Group is the group of the referent. For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: |- + Kind is the Kubernetes resource kind of the referent. For example + "Service". + + Defaults to "Service" when not specified. + + ExternalName services can refer to CNAME DNS records that may live + outside of the cluster and as such are difficult to reason about in + terms of conformance. They also may not be safe to forward to (see + CVE-2021-25740 for more information). Implementations SHOULD NOT + support ExternalName Services. + + Support: Core (Services with a type other than ExternalName) + + Support: Implementation-specific (Services with type ExternalName) + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the backend. When unspecified, the local + namespace is inferred. + + Note that when a namespace different than the local namespace is specified, + a ReferenceGrant object is required in the referent namespace to allow that + namespace's owner to accept the reference. See the ReferenceGrant + documentation for details. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port specifies the destination port number to use for this resource. + Port is required when the referent is a Kubernetes Service. In this + case, the port number is the service port number, not the target port. + For other resources, destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + fraction: + description: |- + Fraction represents the fraction of requests that should be + mirrored to BackendRef. + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + properties: + denominator: + default: 100 + format: int32 + minimum: 1 + type: integer + numerator: + format: int32 + minimum: 0 + type: integer + required: + - numerator + type: object + x-kubernetes-validations: + - message: numerator must be less than or equal to + denominator + rule: self.numerator <= self.denominator + percent: + description: |- + Percent represents the percentage of requests that should be + mirrored to BackendRef. Its minimum value is 0 (indicating 0% of + requests) and its maximum value is 100 (indicating 100% of requests). + + Only one of Fraction or Percent may be specified. If neither field + is specified, 100% of requests will be mirrored. + format: int32 + maximum: 100 + minimum: 0 + type: integer + required: + - backendRef + type: object + x-kubernetes-validations: + - message: Only one of percent or fraction may be specified + in HTTPRequestMirrorFilter + rule: '!(has(self.percent) && has(self.fraction))' + requestRedirect: + description: |- + RequestRedirect defines a schema for a filter that responds to the + request with an HTTP redirection. + + Support: Core + properties: + hostname: + description: |- + Hostname is the hostname to be used in the value of the `Location` + header in the response. + When empty, the hostname in the `Host` header of the request is used. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the `Location` header. When + empty, the request path is used as-is. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + + If no port is specified, the redirect port MUST be derived using the + following rules: + + * If redirect scheme is not-empty, the redirect port MUST be the well-known + port associated with the redirect scheme. Specifically "http" to port 80 + and "https" to port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway SHOULD be used. + * If redirect scheme is empty, the redirect port MUST be the Gateway + Listener port. + + Implementations SHOULD NOT add the port number in the 'Location' + header in the following cases: + + * A Location header that will use HTTP (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 80. + * A Location header that will use HTTPS (whether that is determined via + the Listener protocol or the Scheme field) _and_ use port 443. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: |- + Scheme is the scheme to be used in the value of the `Location` header in + the response. When empty, the scheme of the request is used. + + Scheme redirects can affect the port of the redirect, for more information, + refer to the documentation for the port field of this filter. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Extended + enum: + - http + - https + type: string + statusCode: + default: 302 + description: |- + StatusCode is the HTTP status code to be used in response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + + Support: Core + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: |- + ResponseHeaderModifier defines a schema for a filter that modifies response + headers. + + Support: Extended + properties: + add: + description: |- + Add adds the given header(s) (name, value) to the request + before the action. It appends to any existing values associated + with the header name. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + add: + - name: "my-header" + value: "bar,baz" + + Output: + GET /foo HTTP/1.1 + my-header: foo,bar,baz + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: |- + Remove the given header(s) from the HTTP request before the action. The + value of Remove is a list of HTTP header names. Note that the header + names are case-insensitive (see + https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + + Input: + GET /foo HTTP/1.1 + my-header1: foo + my-header2: bar + my-header3: baz + + Config: + remove: ["my-header1", "my-header3"] + + Output: + GET /foo HTTP/1.1 + my-header2: bar + items: + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: set + set: + description: |- + Set overwrites the request with the given header (name, value) + before the action. + + Input: + GET /foo HTTP/1.1 + my-header: foo + + Config: + set: + - name: "my-header" + value: "bar" + + Output: + GET /foo HTTP/1.1 + my-header: bar + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, the first entry with + an equivalent name MUST be considered for a match. Subsequent entries + with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: |- + Type identifies the type of filter to apply. As with other API fields, + types are classified into three conformance levels: + + - Core: Filter types and their corresponding configuration defined by + "Support: Core" in this package, e.g. "RequestHeaderModifier". All + implementations must support core filters. + + - Extended: Filter types and their corresponding configuration defined by + "Support: Extended" in this package, e.g. "RequestMirror". Implementers + are encouraged to support extended filters. + + - Implementation-specific: Filters that are defined and supported by + specific vendors. + In the future, filters showing convergence in behavior across multiple + implementations will be considered for inclusion in extended or core + conformance levels. Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` should be set to + "ExtensionRef" for custom filters. + + Implementers are encouraged to define custom implementation types to + extend the core API with implementation-specific behavior. + + If a reference to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have been processed by + that filter MUST receive a HTTP error response. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: |- + URLRewrite defines a schema for a filter that modifies a request during forwarding. + + Support: Extended + properties: + hostname: + description: |- + Hostname is the value to be used to replace the Host header value during + forwarding. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines a path rewrite. + + Support: Extended + properties: + replaceFullPath: + description: |- + ReplaceFullPath specifies the value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: |- + ReplacePrefixMatch specifies the value with which to replace the prefix + match of a request during a rewrite or redirect. For example, a request + to "/foo/bar" with a prefix match of "/foo" and a ReplacePrefixMatch + of "/xyz" would be modified to "/xyz/bar". + + Note that this matches the behavior of the PathPrefix match type. This + matches full path elements. A path element refers to the list of labels + in the path split by the `/` separator. When specified, a trailing `/` is + ignored. For example, the paths `/abc`, `/abc/`, and `/abc/def` would all + match the prefix `/abc`, but the path `/abcd` would not. + + ReplacePrefixMatch is only compatible with a `PathPrefix` HTTPRouteMatch. + Using any other HTTPRouteMatch type on the same HTTPRouteRule will result in + the implementation setting the Accepted Condition for the Route to `status: False`. + + Request Path | Prefix Match | Replace Prefix | Modified Path + maxLength: 1024 + type: string + type: + description: |- + Type defines the type of path modifier. Additional types may be + added in a future release of the API. + + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause a crash. + + Unknown values here must result in the implementation setting the + Accepted Condition for the Route to `status: False`, with a + Reason of `UnsupportedValue`. + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + x-kubernetes-validations: + - message: replaceFullPath must be specified when + type is set to 'ReplaceFullPath' + rule: 'self.type == ''ReplaceFullPath'' ? has(self.replaceFullPath) + : true' + - message: type must be 'ReplaceFullPath' when replaceFullPath + is set + rule: 'has(self.replaceFullPath) ? self.type == + ''ReplaceFullPath'' : true' + - message: replacePrefixMatch must be specified when + type is set to 'ReplacePrefixMatch' + rule: 'self.type == ''ReplacePrefixMatch'' ? has(self.replacePrefixMatch) + : true' + - message: type must be 'ReplacePrefixMatch' when + replacePrefixMatch is set + rule: 'has(self.replacePrefixMatch) ? self.type + == ''ReplacePrefixMatch'' : true' + type: object + required: + - type + type: object + x-kubernetes-validations: + - message: filter.requestHeaderModifier must be nil if the + filter.type is not RequestHeaderModifier + rule: '!(has(self.requestHeaderModifier) && self.type != + ''RequestHeaderModifier'')' + - message: filter.requestHeaderModifier must be specified + for RequestHeaderModifier filter.type + rule: '!(!has(self.requestHeaderModifier) && self.type == + ''RequestHeaderModifier'')' + - message: filter.responseHeaderModifier must be nil if the + filter.type is not ResponseHeaderModifier + rule: '!(has(self.responseHeaderModifier) && self.type != + ''ResponseHeaderModifier'')' + - message: filter.responseHeaderModifier must be specified + for ResponseHeaderModifier filter.type + rule: '!(!has(self.responseHeaderModifier) && self.type + == ''ResponseHeaderModifier'')' + - message: filter.requestMirror must be nil if the filter.type + is not RequestMirror + rule: '!(has(self.requestMirror) && self.type != ''RequestMirror'')' + - message: filter.requestMirror must be specified for RequestMirror + filter.type + rule: '!(!has(self.requestMirror) && self.type == ''RequestMirror'')' + - message: filter.requestRedirect must be nil if the filter.type + is not RequestRedirect + rule: '!(has(self.requestRedirect) && self.type != ''RequestRedirect'')' + - message: filter.requestRedirect must be specified for RequestRedirect + filter.type + rule: '!(!has(self.requestRedirect) && self.type == ''RequestRedirect'')' + - message: filter.urlRewrite must be nil if the filter.type + is not URLRewrite + rule: '!(has(self.urlRewrite) && self.type != ''URLRewrite'')' + - message: filter.urlRewrite must be specified for URLRewrite + filter.type + rule: '!(!has(self.urlRewrite) && self.type == ''URLRewrite'')' + - message: filter.extensionRef must be nil if the filter.type + is not ExtensionRef + rule: '!(has(self.extensionRef) && self.type != ''ExtensionRef'')' + - message: filter.extensionRef must be specified for ExtensionRef + filter.type + rule: '!(!has(self.extensionRef) && self.type == ''ExtensionRef'')' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: May specify either httpRouteFilterRequestRedirect + or httpRouteFilterRequestRewrite, but not both + rule: '!(self.exists(f, f.type == ''RequestRedirect'') && + self.exists(f, f.type == ''URLRewrite''))' + - message: RequestHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'RequestHeaderModifier').size() + <= 1 + - message: ResponseHeaderModifier filter cannot be repeated + rule: self.filter(f, f.type == 'ResponseHeaderModifier').size() + <= 1 + - message: RequestRedirect filter cannot be repeated + rule: self.filter(f, f.type == 'RequestRedirect').size() <= + 1 + - message: URLRewrite filter cannot be repeated + rule: self.filter(f, f.type == 'URLRewrite').size() <= 1 + matches: + default: + - path: + type: PathPrefix + value: / + description: |- + Matches define conditions used for matching the rule against incoming + HTTP requests. Each match is independent, i.e. this rule will be matched + if **any** one of the matches is satisfied. + + For example, take the following matches configuration: + + ``` + matches: + - path: + value: "/foo" + headers: + - name: "version" + value: "v2" + - path: + value: "/v2/foo" + ``` + + For a request to match against this rule, a request must satisfy + EITHER of the two conditions: + + - path prefixed with `/foo` AND contains the header `version: v2` + - path prefix of `/v2/foo` + + See the documentation for HTTPRouteMatch on how to specify multiple + match conditions that should be ANDed together. + + If no matches are specified, the default is a prefix + path match on "/", which has the effect of matching every + HTTP request. + + Proxy or Load Balancer routing configuration generated from HTTPRoutes + MUST prioritize matches based on the following criteria, continuing on + ties. Across all rules specified on applicable Routes, precedence must be + given to the match having: + + * "Exact" path match. + * "Prefix" path match with largest number of characters. + * Method match. + * Largest number of header matches. + * Largest number of query param matches. + + Note: The precedence of RegularExpression path matches are implementation-specific. + + If ties still exist across multiple Routes, matching precedence MUST be + determined in order of the following criteria, continuing on ties: + + * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by + "{namespace}/{name}". + + If ties still exist within an HTTPRoute, matching precedence MUST be granted + to the FIRST matching rule (in list order) with a match meeting the above + criteria. + + When no rules matching a request have been successfully attached to the + parent a request is coming from, a HTTP 404 status code MUST be returned. + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given\naction. Multiple match types + are ANDed together, i.e. the match will\nevaluate to true + only if all conditions are satisfied.\n\nFor example, the + match below will match a HTTP request only if its path\nstarts + with `/foo` AND it contains the `version: v1` header:\n\n```\nmatch:\n\n\tpath:\n\t + \ value: \"/foo\"\n\theaders:\n\t- name: \"version\"\n\t + \ value \"v1\"\n\n```" + properties: + headers: + description: |- + Headers specifies HTTP request header matchers. Multiple match values are + ANDed together, meaning, a request must match all the specified headers + to select the route. + items: + description: |- + HTTPHeaderMatch describes how to select a HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name matching MUST be + case-insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + + If multiple entries specify equivalent header names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be ignored. Due to the + case-insensitivity of header names, "foo" and "Foo" are considered + equivalent. + + When a header is repeated in an HTTP request, it is + implementation-specific behavior as to how this is represented. + Generally, proxies should follow the guidance from the RFC: + https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 regarding + processing a repeated header, with special handling for "Set-Cookie". + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the header. + + Support: Core (Exact) + + Support: Implementation-specific (RegularExpression) + + Since RegularExpression HeaderMatchType has implementation-specific + conformance, implementations can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's documentation to + determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: |- + Method specifies HTTP method matcher. + When specified, this route will be matched only if the request has the + specified method. + + Support: Extended + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: |- + Path specifies a HTTP request path matcher. If this field is not + specified, a default prefix match on the "/" path is provided. + properties: + type: + default: PathPrefix + description: |- + Type specifies how to match against the path Value. + + Support: Core (Exact, PathPrefix) + + Support: Implementation-specific (RegularExpression) + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + x-kubernetes-validations: + - message: value must be an absolute path and start with + '/' when type one of ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.startsWith(''/'') + : true' + - message: must not contain '//' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''//'') + : true' + - message: must not contain '/./' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/./'') + : true' + - message: must not contain '/../' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''/../'') + : true' + - message: must not contain '%2f' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2f'') + : true' + - message: must not contain '%2F' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''%2F'') + : true' + - message: must not contain '#' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.contains(''#'') + : true' + - message: must not end with '/..' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/..'') + : true' + - message: must not end with '/.' when type one of ['Exact', + 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? !self.value.endsWith(''/.'') + : true' + - message: type must be one of ['Exact', 'PathPrefix', + 'RegularExpression'] + rule: self.type in ['Exact','PathPrefix'] || self.type + == 'RegularExpression' + - message: must only contain valid characters (matching + ^(?:[-A-Za-z0-9/._~!$&'()*+,;=:@]|[%][0-9a-fA-F]{2})+$) + for types ['Exact', 'PathPrefix'] + rule: '(self.type in [''Exact'',''PathPrefix'']) ? self.value.matches(r"""^(?:[-A-Za-z0-9/._~!$&''()*+,;=:@]|[%][0-9a-fA-F]{2})+$""") + : true' + queryParams: + description: |- + QueryParams specifies HTTP query parameter matchers. Multiple match + values are ANDed together, meaning, a request must match all the + specified query parameters to select the route. + + Support: Extended + items: + description: |- + HTTPQueryParamMatch describes how to select a HTTP route by matching HTTP + query parameters. + properties: + name: + description: |- + Name is the name of the HTTP query param to be matched. This must be an + exact string match. (See + https://tools.ietf.org/html/rfc7230#section-2.7.3). + + If multiple entries specify equivalent query param names, only the first + entry with an equivalent name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST be ignored. + + If a query param is repeated in an HTTP request, the behavior is + purposely left undefined, since different data planes have different + capabilities. However, it is *recommended* that implementations should + match against the first value of the param if the data plane supports it, + as this behavior is expected in other load balancing contexts outside of + the Gateway API. + + Users SHOULD NOT route traffic based on repeated query params to guard + themselves against potential differences in the implementations. + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: |- + Type specifies how to match against the value of the query parameter. + + Support: Extended (Exact) + + Support: Implementation-specific (RegularExpression) + + Since RegularExpression QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, PCRE or any other + dialects of regular expressions. Please read the implementation's + documentation to determine the supported dialect. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 64 + type: array + x-kubernetes-list-type: atomic + name: + description: |- + Name is the name of the route rule. This name MUST be unique within a Route if it is set. + + Support: Extended + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + timeouts: + description: |- + Timeouts defines the timeouts that can be configured for an HTTP request. + + Support: Extended + properties: + backendRequest: + description: |- + BackendRequest specifies a timeout for an individual request from the gateway + to a backend. This covers the time from when the request first starts being + sent from the gateway to when the full response has been received from the backend. + + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + An entire client HTTP transaction with a gateway, covered by the Request timeout, + may result in more than one call from the gateway to the destination backend, + for example, if automatic retries are supported. + + The value of BackendRequest must be a Gateway API Duration string as defined by + GEP-2257. When this field is unspecified, its behavior is implementation-specific; + when specified, the value of BackendRequest must be no more than the value of the + Request timeout (since the Request timeout encompasses the BackendRequest timeout). + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + request: + description: |- + Request specifies the maximum duration for a gateway to respond to an HTTP request. + If the gateway has not been able to respond before this deadline is met, the gateway + MUST return a timeout error. + + For example, setting the `rules.timeouts.request` field to the value `10s` in an + `HTTPRoute` will cause a timeout if a client request is taking longer than 10 seconds + to complete. + + Setting a timeout to the zero duration (e.g. "0s") SHOULD disable the timeout + completely. Implementations that cannot completely disable the timeout MUST + instead interpret the zero duration as the longest possible value to which + the timeout can be set. + + This timeout is intended to cover as close to the whole request-response transaction + as possible although an implementation MAY choose to start the timeout after the entire + request stream has been received instead of immediately after the transaction is + initiated by the client. + + The value of Request is a Gateway API Duration string as defined by GEP-2257. When this + field is unspecified, request timeout behavior is implementation-specific. + + Support: Extended + pattern: ^([0-9]{1,5}(h|m|s|ms)){1,4}$ + type: string + type: object + x-kubernetes-validations: + - message: backendRequest timeout cannot be longer than request + timeout + rule: '!(has(self.request) && has(self.backendRequest) && + duration(self.request) != duration(''0s'') && duration(self.backendRequest) + > duration(self.request))' + type: object + x-kubernetes-validations: + - message: RequestRedirect filter must not be used together with + backendRefs + rule: '(has(self.backendRefs) && size(self.backendRefs) > 0) ? + (!has(self.filters) || self.filters.all(f, !has(f.requestRedirect))): + true' + - message: When using RequestRedirect filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + ? ((size(self.matches) != 1 || !has(self.matches[0].path) || + self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: When using URLRewrite filter with path.replacePrefixMatch, + exactly one PathPrefix match must be specified + rule: '(has(self.filters) && self.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + - message: Within backendRefs, when using RequestRedirect filter + with path.replacePrefixMatch, exactly one PathPrefix match must + be specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.requestRedirect) + && has(f.requestRedirect.path) && f.requestRedirect.path.type + == ''ReplacePrefixMatch'' && has(f.requestRedirect.path.replacePrefixMatch))) + )) ? ((size(self.matches) != 1 || !has(self.matches[0].path) + || self.matches[0].path.type != ''PathPrefix'') ? false : true) + : true' + - message: Within backendRefs, When using URLRewrite filter with + path.replacePrefixMatch, exactly one PathPrefix match must be + specified + rule: '(has(self.backendRefs) && self.backendRefs.exists_one(b, + (has(b.filters) && b.filters.exists_one(f, has(f.urlRewrite) + && has(f.urlRewrite.path) && f.urlRewrite.path.type == ''ReplacePrefixMatch'' + && has(f.urlRewrite.path.replacePrefixMatch))) )) ? ((size(self.matches) + != 1 || !has(self.matches[0].path) || self.matches[0].path.type + != ''PathPrefix'') ? false : true) : true' + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: While 16 rules and 64 matches per rule are allowed, the + total number of matches across all rules in a route must be less + than 128 + rule: '(self.size() > 0 ? self[0].matches.size() : 0) + (self.size() + > 1 ? self[1].matches.size() : 0) + (self.size() > 2 ? self[2].matches.size() + : 0) + (self.size() > 3 ? self[3].matches.size() : 0) + (self.size() + > 4 ? self[4].matches.size() : 0) + (self.size() > 5 ? self[5].matches.size() + : 0) + (self.size() > 6 ? self[6].matches.size() : 0) + (self.size() + > 7 ? self[7].matches.size() : 0) + (self.size() > 8 ? self[8].matches.size() + : 0) + (self.size() > 9 ? self[9].matches.size() : 0) + (self.size() + > 10 ? self[10].matches.size() : 0) + (self.size() > 11 ? self[11].matches.size() + : 0) + (self.size() > 12 ? self[12].matches.size() : 0) + (self.size() + > 13 ? self[13].matches.size() : 0) + (self.size() > 14 ? self[14].matches.size() + : 0) + (self.size() > 15 ? self[15].matches.size() : 0) <= 128' + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: |- + Parents is a list of parent resources (usually Gateways) that are + associated with the route, and the status of the route with respect to + each parent. When this route attaches to a parent, the controller that + manages the parent must add an entry to this list when the controller + first sees the route and should update the entry as appropriate when the + route or gateway is modified. + + Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this API + can only populate Route status for the Gateways/parent resources they are + responsible for. + + A maximum of 32 Gateways will be represented in this list. An empty list + means the route has not been attached to any Gateway. + items: + description: |- + RouteParentStatus describes the status of a route with respect to an + associated Parent. + properties: + conditions: + description: |- + Conditions describes the status of the route with respect to the Gateway. + Note that the route's availability is also subject to the Gateway's own + status conditions and listener status. + + If the Route's ParentRef specifies an existing Gateway that supports + Routes of this kind AND that Gateway's controller has sufficient access, + then that Gateway's controller MUST set the "Accepted" condition on the + Route, to indicate whether the route has been accepted or rejected by the + Gateway, and why. + + A Route MUST be considered "Accepted" if at least one of the Route's + rules is implemented by the Gateway. + + There are a number of cases where the "Accepted" condition may not be set + due to lack of controller visibility, that includes when: + + * The Route refers to a nonexistent parent. + * The Route is of a type that the controller does not support. + * The Route is in a namespace the controller does not have access to. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: |- + ParentRef corresponds with a ParentRef in the spec that this + RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +--- +# +# config/crd/standard/gateway.networking.k8s.io_referencegrants.yaml +# +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: standard + name: referencegrants.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: ReferenceGrant + listKind: ReferenceGrantList + plural: referencegrants + shortNames: + - refgrant + singular: referencegrant + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: |- + ReferenceGrant identifies kinds of resources in other namespaces that are + trusted to reference the specified kinds of resources in the same namespace + as the policy. + + Each ReferenceGrant can be used to represent a unique trust relationship. + Additional Reference Grants can be used to add to the set of trusted + sources of inbound references for the namespace they are defined within. + + All cross-namespace references in Gateway API (with the exception of cross-namespace + Gateway-route attachment) require a ReferenceGrant. + + ReferenceGrant is a form of runtime verification allowing users to assert + which cross-namespace object references are permitted. Implementations that + support ReferenceGrant MUST NOT permit cross-namespace references which have + no grant, and MUST respond to the removal of a grant by revoking the access + that the grant allowed. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of ReferenceGrant. + properties: + from: + description: |- + From describes the trusted namespaces and kinds that can reference the + resources described in "To". Each entry in this list MUST be considered + to be an additional place that references can be valid from, or to put + this another way, entries MUST be combined using OR. + + Support: Core + items: + description: ReferenceGrantFrom describes trusted namespaces and + kinds. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field. + + When used to permit a SecretObjectReference: + + * Gateway + + When used to permit a BackendObjectReference: + + * GRPCRoute + * HTTPRoute + * TCPRoute + * TLSRoute + * UDPRoute + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - group + - kind + - namespace + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + to: + description: |- + To describes the resources that may be referenced by the resources + described in "From". Each entry in this list MUST be considered to be an + additional place that references can be valid to, or to put this another + way, entries MUST be combined using OR. + + Support: Core + items: + description: |- + ReferenceGrantTo describes what Kinds are allowed as targets of the + references. + properties: + group: + description: |- + Group is the group of the referent. + When empty, the Kubernetes core API group is inferred. + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. Although implementations may support + additional resources, the following types are part of the "Core" + support level for this field: + + * Secret when used to permit a SecretObjectReference + * Service when used to permit a BackendObjectReference + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. When unspecified, this policy + refers to all resources of the specified Group and Kind in the local + namespace. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + required: + - from + - to + type: object + type: object + served: true + storage: true + subresources: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: experimental + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: 'TCPRoute provides a way to route TCP requests. When combined + with a Gateway + + listener, it can be used to forward connections on the port specified by + the + + listener to a set of backends specified by the TCPRoute.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways)\ + \ that a Route wants\nto be attached to. Note that the referenced\ + \ parent resource needs to\nallow this for the attachment to be\ + \ complete. For Gateways, that means\nthe Gateway needs to allow\ + \ attachment from Routes of this kind and\nnamespace. For Services,\ + \ that means the Service must either be in the same\nnamespace for\ + \ a \"producer\" route, or the mesh implementation must support\n\ + and allow \"consumer\" routes for the referenced Service. ReferenceGrant\ + \ is\nnot applicable for governing ParentRefs to Services - it is\ + \ not possible to\ncreate a \"producer\" route for a Service in\ + \ a different namespace from the\nRoute.\n\nThere are two kinds\ + \ of parent resources with \"Core\" support:\n\n* Gateway (Gateway\ + \ conformance profile)\n* Service (Mesh conformance profile, ClusterIP\ + \ Services only)\n\nThis API may be extended in the future to support\ + \ additional kinds of parent\nresources.\n\nParentRefs must be _distinct_.\ + \ This means either that:\n\n* They select different objects. If\ + \ this is the case, then parentRef\n entries are distinct. In terms\ + \ of fields, this means that the\n multi-part key defined by `group`,\ + \ `kind`, `namespace`, and `name` must\n be unique across all parentRef\ + \ entries in the Route.\n* They do not select different objects,\ + \ but for each optional field used,\n each ParentRef that selects\ + \ the same object must set the same set of\n optional fields to\ + \ different values. If one ParentRef sets a\n combination of optional\ + \ fields, all must set the same combination.\n\nSome examples:\n\ + \n* If one ParentRef sets `sectionName`, all ParentRefs referencing\ + \ the\n same object must also set `sectionName`.\n* If one ParentRef\ + \ sets `port`, all ParentRefs referencing the same\n object must\ + \ also set `port`.\n* If one ParentRef sets `sectionName` and `port`,\ + \ all ParentRefs\n referencing the same object must also set `sectionName`\ + \ and `port`.\n\nIt is possible to separately reference multiple\ + \ distinct objects that may\nbe collapsed by an implementation.\ + \ For example, some implementations may\nchoose to merge compatible\ + \ Gateway Listeners together. If that is the\ncase, the list of\ + \ routes attached to those resources should also be\nmerged.\n\n\ + Note that for ParentRefs that cross namespace boundaries, there\ + \ are specific\nrules. Cross-namespace references are only valid\ + \ if they are explicitly\nallowed by something in the namespace\ + \ they are referring to. For example,\nGateway has the AllowedRoutes\ + \ field, and ReferenceGrant provides a\ngeneric way to enable other\ + \ kinds of cross-namespace reference.\n\n\nParentRefs from a Route\ + \ to a Service in the same namespace are \"producer\"\nroutes, which\ + \ apply default routing rules to inbound connections from\nany namespace\ + \ to the Service.\n\nParentRefs from a Route to a Service in a different\ + \ namespace are\n\"consumer\" routes, and these routing rules are\ + \ only applied to outbound\nconnections originating from the same\ + \ namespace as the Route, for which\nthe intended destination of\ + \ the connections are a Service targeted as a\nParentRef of the\ + \ Route." + items: + description: 'ParentReference identifies an API object (usually + a Gateway) that can be considered + + a parent of this resource (usually a route). There are two kinds + of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds + of parent + + resources. + + + The API object must be valid in the cluster; the Group and Kind + must + + be registered in the cluster for this reference to be valid.' + properties: + group: + default: gateway.networking.k8s.io + description: 'Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a "Service" kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: 'Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific.' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: 'Name is the name of the referent. + + + Support: Core' + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross + namespace + + boundaries. Cross-namespace references are only valid if they + are explicitly + + allowed by something in the namespace they are referring to. + For example: + + Gateway has the AllowedRoutes field, and ReferenceGrant provides + a + + generic way to enable any other kind of cross-namespace reference. + + + + ParentRefs from a Route to a Service in the same namespace + are "producer" + + routes, which apply default routing rules to inbound connections + from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace + are + + "consumer" routes, and these routing rules are only applied + to outbound + + connections originating from the same namespace as the Route, + for which + + the intended destination of the connections are a Service + targeted as a + + ParentRef of the Route. + + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + + listening on the specified port that also support this kind + of Route(and + + select this Route). It''s not recommended to set `Port` unless + the + + networking behaviors specified in a Route must apply to a + specific port + + as opposed to a listener(s) whose port(s) may be changed. + When both Port + + and SectionName are specified, the name and port of the selected + listener + + must match both specified values. + + + + When the parent resource is a Service, this targets a specific + port in the + + Service spec. When both Port (experimental) and SectionName + are specified, + + the name and port of the selected port must match both specified + values. + + + + Implementations MAY choose to support other parent resources. + + Implementations supporting other types of parent resources + MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful + as + + long as the parent resource accepts it partially. For example, + Gateway + + listeners can restrict which Routes can attach to them by + Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment + + from the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from this + Route, + + the Route MUST be considered detached from the Gateway. + + + Support: Extended' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: 'SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and + SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + * Service: Port name. When both Port (experimental) and SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + + Implementations MAY choose to support attaching Routes to + other resources. + + If that is the case, they MUST clearly document how SectionName + is + + interpreted. + + + When unspecified (empty string), this will reference the entire + resource. + + For the purpose of status, an attachment is considered successful + if at + + least one section in the parent resource accepts it. For example, + Gateway + + listeners can restrict which Routes can attach to them by + Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment from + + the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from this + Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: 'BackendRefs defines the backend(s) where matching + requests should be + + sent. If unspecified or invalid (refers to a nonexistent resource + or a + + Service with no endpoints), the underlying implementation + MUST actively + + reject connection attempts to this backend. Connection rejections + must + + respect weight; if an invalid backend is requested to have + 80% of + + connections, then 80% of connections must be rejected instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other resource + + + Support for weight: Extended' + items: + description: 'BackendRef defines how a Route should forward + a request to a Kubernetes + + resource. + + + Note that when a namespace different than the local namespace + is specified, a + + ReferenceGrant object is required in the referent namespace + to allow that + + namespace''s owner to accept the reference. See the ReferenceGrant + + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations + SHOULD + + honor the appProtocol field if it is set for the target + Service Port. + + + Implementations supporting appProtocol SHOULD recognize + the Kubernetes + + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn''t specified, an implementation + MAY infer the + + backend protocol through its own means. Implementations + MAY infer the + + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using + the specified + + protocol then the backend is considered invalid. Implementations + MUST set the + + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" + reason. + + + + Note that when the BackendTLSPolicy object is enabled by + the implementation, + + there are some extra rules about validity to consider here. + See the fields + + where this struct is used for more information about the + exact behavior.' + properties: + group: + default: '' + description: 'Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred.' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: 'Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records + that may live + + outside of the cluster and as such are difficult to + reason about in + + terms of conformance. They also may not be safe to forward + to (see + + CVE-2021-25740 for more information). Implementations + SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type + ExternalName)' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace''s owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port specifies the destination port number + to use for this resource. + + Port is required when the referent is a Kubernetes Service. + In this + + case, the port number is the service port number, not + the target port. + + For other resources, destination port might be derived + from the referent + + resource or this field.' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: 'Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all weights + in this + + BackendRefs list). For non-zero values, there may be + some epsilon from + + the exact proportion defined here depending on the precision + an + + implementation supports. Weight is not a percentage + and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a weight + greater than 0, 100% + + of the traffic is forwarded to that backend. If weight + is set to 0, no + + traffic should be forwarded for this entry. If unspecified, + weight + + defaults to 1. + + + Support for this field varies based on the context where + used.' + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: 'Name is the name of the route rule. This name + MUST be unique within a Route if it is set. + + + Support: Extended' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: 'UseDefaultGateways indicates the default Gateway scope + to use for this + + Route. If unset (the default) or set to None, the Route will not + be + + attached to any default Gateway; if set, it will be attached to + any + + default Gateway supporting the named scope, subject to the usual + rules + + about which Routes a Gateway is allowed to claim. + + + Think carefully before using this functionality! The set of default + + Gateways supporting the requested scope can change over time without + + any notice to the Route author, and in many situations it will not + be + + appropriate to request a default Gateway for a given Route -- for + + example, a Route with specific security requirements should almost + + certainly not use a default Gateway.' + enum: + - All + - None + type: string + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: 'Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with respect + to + + each parent. When this route attaches to a parent, the controller + that + + manages the parent must add an entry to this list when the controller + + first sees the route and should update the entry as appropriate + when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + + of this API will not be added to this list. Implementations of this + API + + can only populate Route status for the Gateways/parent resources + they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty + list + + means the route has not been attached to any Gateway.' + items: + description: 'RouteParentStatus describes the status of a route + with respect to an + + associated Parent.' + properties: + conditions: + description: 'Conditions describes the status of the route with + respect to the Gateway. + + Note that the route''s availability is also subject to the + Gateway''s own + + status conditions and listener status. + + + If the Route''s ParentRef specifies an existing Gateway that + supports + + Routes of this kind AND that Gateway''s controller has sufficient + access, + + then that Gateway''s controller MUST set the "Accepted" condition + on the + + Route, to indicate whether the route has been accepted or + rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the + Route''s + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition + may not be set + + due to lack of controller visibility, that includes when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not support. + + * The Route is in a namespace the controller does not have + access to.' + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: 'lastTransitionTime is the last time the + condition transitioned from one status to another. + + This should be when the underlying condition changed. If + that is not known, then using the time when the API + field changed is acceptable.' + format: date-time + type: string + message: + description: 'message is a human readable message indicating + details about the transition. + + This may be an empty string.' + maxLength: 32768 + type: string + observedGeneration: + description: 'observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is + 9, the condition is out of date + + with respect to the current state of the instance.' + format: int64 + minimum: 0 + type: integer + reason: + description: 'reason contains a programmatic identifier + indicating the reason for the condition''s last transition. + + Producers of specific condition types may define expected + values and meanings for this field, + + and whether the values are considered a guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty.' + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: 'ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN + and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. + Controllers should ensure that + + entries to status populated with their ControllerName are + cleaned up when they are no + + longer necessary.' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: 'ParentRef corresponds with a ParentRef in the + spec that this + + RouteParentStatus struct describes the status of.' + properties: + group: + default: gateway.networking.k8s.io + description: 'Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a "Service" kind + referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: 'Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + Support for other resources is Implementation-Specific.' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: 'Name is the name of the referent. + + + Support: Core' + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the referent. + When unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which + cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are referring + to. For example: + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable any other kind of cross-namespace + reference. + + + + ParentRefs from a Route to a Service in the same namespace + are "producer" + + routes, which apply default routing rules to inbound connections + from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace + are + + "consumer" routes, and these routing rules are only applied + to outbound + + connections originating from the same namespace as the + Route, for which + + the intended destination of the connections are a Service + targeted as a + + ParentRef of the Route. + + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port is the network port this Route targets. + It can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all + listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It''s not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply to + a specific port + + as opposed to a listener(s) whose port(s) may be changed. + When both Port + + and SectionName are specified, the name and port of the + selected listener + + must match both specified values. + + + + When the parent resource is a Service, this targets a + specific port in the + + Service spec. When both Port (experimental) and SectionName + are specified, + + the name and port of the selected port must match both + specified values. + + + + Implementations MAY choose to support other parent resources. + + Implementations supporting other types of parent resources + MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment + + from the referencing Route, the Route MUST be considered + successfully + + attached. If no Gateway listeners accept attachment from + this Route, + + the Route MUST be considered detached from the Gateway. + + + Support: Extended' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: 'SectionName is the name of a section within + the target resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + * Service: Port name. When both Port (experimental) and + SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how SectionName + is + + interpreted. + + + When unspecified (empty string), this will reference the + entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment from + + the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from + this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: experimental + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: 'The TLSRoute resource is similar to TCPRoute, but can be configured + + to match against TLS-specific metadata. This allows more flexibility + + in matching streams for a given TLS listener. + + + If you need to forward traffic to a single target for a TLS listener, you + + could choose to use a TCPRoute with a TLS listener.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match\ + \ against the\nSNI attribute of TLS ClientHello message in TLS handshake.\ + \ This matches\nthe RFC 1123 definition of a hostname with 2 notable\ + \ exceptions:\n\n1. IPs are not allowed in SNI names per RFC 6066.\n\ + 2. A hostname may be prefixed with a wildcard label (`*.`). The\ + \ wildcard\n label must appear by itself as the first label.\n\ + \nIf a hostname is specified by both the Listener and TLSRoute,\ + \ there\nmust be at least one intersecting hostname for the TLSRoute\ + \ to be\nattached to the Listener. For example:\n\n* A Listener\ + \ with `test.example.com` as the hostname matches TLSRoutes\n that\ + \ have either not specified any hostnames, or have specified at\n\ + \ least one of `test.example.com` or `*.example.com`.\n* A Listener\ + \ with `*.example.com` as the hostname matches TLSRoutes\n that\ + \ have either not specified any hostnames or have specified at least\n\ + \ one hostname that matches the Listener hostname. For example,\n\ + \ `test.example.com` and `*.example.com` would both match. On the\ + \ other\n hand, `example.com` and `test.example.net` would not\ + \ match.\n\nIf both the Listener and TLSRoute have specified hostnames,\ + \ any\nTLSRoute hostnames that do not match the Listener hostname\ + \ MUST be\nignored. For example, if a Listener specified `*.example.com`,\ + \ and the\nTLSRoute specified `test.example.com` and `test.example.net`,\n\ + `test.example.net` must not be considered for a match.\n\nIf both\ + \ the Listener and TLSRoute have specified hostnames, and none\n\ + match with the criteria above, then the TLSRoute is not accepted.\ + \ The\nimplementation must raise an 'Accepted' Condition with a\ + \ status of\n`False` in the corresponding RouteParentStatus.\n\n\ + Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network\ + \ host. This matches\nthe RFC 1123 definition of a hostname with\ + \ 2 notable exceptions:\n\n 1. IPs are not allowed.\n 2. A hostname\ + \ may be prefixed with a wildcard label (`*.`). The wildcard\n\ + \ label must appear by itself as the first label.\n\nHostname\ + \ can be \"precise\" which is a domain name without the terminating\n\ + dot of a network host (e.g. \"foo.example.com\") or \"wildcard\"\ + , which is a\ndomain name prefixed with a single wildcard label\ + \ (e.g. `*.example.com`).\n\nNote that as per RFC1035 and RFC1123,\ + \ a *label* must consist of lower case\nalphanumeric characters\ + \ or '-', and must start and end with an alphanumeric\ncharacter.\ + \ No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: "ParentRefs references the resources (usually Gateways)\ + \ that a Route wants\nto be attached to. Note that the referenced\ + \ parent resource needs to\nallow this for the attachment to be\ + \ complete. For Gateways, that means\nthe Gateway needs to allow\ + \ attachment from Routes of this kind and\nnamespace. For Services,\ + \ that means the Service must either be in the same\nnamespace for\ + \ a \"producer\" route, or the mesh implementation must support\n\ + and allow \"consumer\" routes for the referenced Service. ReferenceGrant\ + \ is\nnot applicable for governing ParentRefs to Services - it is\ + \ not possible to\ncreate a \"producer\" route for a Service in\ + \ a different namespace from the\nRoute.\n\nThere are two kinds\ + \ of parent resources with \"Core\" support:\n\n* Gateway (Gateway\ + \ conformance profile)\n* Service (Mesh conformance profile, ClusterIP\ + \ Services only)\n\nThis API may be extended in the future to support\ + \ additional kinds of parent\nresources.\n\nParentRefs must be _distinct_.\ + \ This means either that:\n\n* They select different objects. If\ + \ this is the case, then parentRef\n entries are distinct. In terms\ + \ of fields, this means that the\n multi-part key defined by `group`,\ + \ `kind`, `namespace`, and `name` must\n be unique across all parentRef\ + \ entries in the Route.\n* They do not select different objects,\ + \ but for each optional field used,\n each ParentRef that selects\ + \ the same object must set the same set of\n optional fields to\ + \ different values. If one ParentRef sets a\n combination of optional\ + \ fields, all must set the same combination.\n\nSome examples:\n\ + \n* If one ParentRef sets `sectionName`, all ParentRefs referencing\ + \ the\n same object must also set `sectionName`.\n* If one ParentRef\ + \ sets `port`, all ParentRefs referencing the same\n object must\ + \ also set `port`.\n* If one ParentRef sets `sectionName` and `port`,\ + \ all ParentRefs\n referencing the same object must also set `sectionName`\ + \ and `port`.\n\nIt is possible to separately reference multiple\ + \ distinct objects that may\nbe collapsed by an implementation.\ + \ For example, some implementations may\nchoose to merge compatible\ + \ Gateway Listeners together. If that is the\ncase, the list of\ + \ routes attached to those resources should also be\nmerged.\n\n\ + Note that for ParentRefs that cross namespace boundaries, there\ + \ are specific\nrules. Cross-namespace references are only valid\ + \ if they are explicitly\nallowed by something in the namespace\ + \ they are referring to. For example,\nGateway has the AllowedRoutes\ + \ field, and ReferenceGrant provides a\ngeneric way to enable other\ + \ kinds of cross-namespace reference.\n\n\nParentRefs from a Route\ + \ to a Service in the same namespace are \"producer\"\nroutes, which\ + \ apply default routing rules to inbound connections from\nany namespace\ + \ to the Service.\n\nParentRefs from a Route to a Service in a different\ + \ namespace are\n\"consumer\" routes, and these routing rules are\ + \ only applied to outbound\nconnections originating from the same\ + \ namespace as the Route, for which\nthe intended destination of\ + \ the connections are a Service targeted as a\nParentRef of the\ + \ Route." + items: + description: 'ParentReference identifies an API object (usually + a Gateway) that can be considered + + a parent of this resource (usually a route). There are two kinds + of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds + of parent + + resources. + + + The API object must be valid in the cluster; the Group and Kind + must + + be registered in the cluster for this reference to be valid.' + properties: + group: + default: gateway.networking.k8s.io + description: 'Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a "Service" kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: 'Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific.' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: 'Name is the name of the referent. + + + Support: Core' + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross + namespace + + boundaries. Cross-namespace references are only valid if they + are explicitly + + allowed by something in the namespace they are referring to. + For example: + + Gateway has the AllowedRoutes field, and ReferenceGrant provides + a + + generic way to enable any other kind of cross-namespace reference. + + + + ParentRefs from a Route to a Service in the same namespace + are "producer" + + routes, which apply default routing rules to inbound connections + from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace + are + + "consumer" routes, and these routing rules are only applied + to outbound + + connections originating from the same namespace as the Route, + for which + + the intended destination of the connections are a Service + targeted as a + + ParentRef of the Route. + + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + + listening on the specified port that also support this kind + of Route(and + + select this Route). It''s not recommended to set `Port` unless + the + + networking behaviors specified in a Route must apply to a + specific port + + as opposed to a listener(s) whose port(s) may be changed. + When both Port + + and SectionName are specified, the name and port of the selected + listener + + must match both specified values. + + + + When the parent resource is a Service, this targets a specific + port in the + + Service spec. When both Port (experimental) and SectionName + are specified, + + the name and port of the selected port must match both specified + values. + + + + Implementations MAY choose to support other parent resources. + + Implementations supporting other types of parent resources + MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful + as + + long as the parent resource accepts it partially. For example, + Gateway + + listeners can restrict which Routes can attach to them by + Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment + + from the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from this + Route, + + the Route MUST be considered detached from the Gateway. + + + Support: Extended' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: 'SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and + SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + * Service: Port name. When both Port (experimental) and SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + + Implementations MAY choose to support attaching Routes to + other resources. + + If that is the case, they MUST clearly document how SectionName + is + + interpreted. + + + When unspecified (empty string), this will reference the entire + resource. + + For the purpose of status, an attachment is considered successful + if at + + least one section in the parent resource accepts it. For example, + Gateway + + listeners can restrict which Routes can attach to them by + Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment from + + the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from this + Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: 'BackendRefs defines the backend(s) where matching + requests should be + + sent. If unspecified or invalid (refers to a nonexistent resource + or + + a Service with no endpoints), the rule performs no forwarding; + if no + + filters are specified that would result in a response being + sent, the + + underlying implementation must actively reject request attempts + to this + + backend, by rejecting the connection or returning a 500 status + code. + + Request rejections must respect weight; if an invalid backend + is + + requested to have 80% of requests, then 80% of requests must + be rejected + + instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other resource + + + Support for weight: Extended' + items: + description: 'BackendRef defines how a Route should forward + a request to a Kubernetes + + resource. + + + Note that when a namespace different than the local namespace + is specified, a + + ReferenceGrant object is required in the referent namespace + to allow that + + namespace''s owner to accept the reference. See the ReferenceGrant + + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations + SHOULD + + honor the appProtocol field if it is set for the target + Service Port. + + + Implementations supporting appProtocol SHOULD recognize + the Kubernetes + + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn''t specified, an implementation + MAY infer the + + backend protocol through its own means. Implementations + MAY infer the + + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using + the specified + + protocol then the backend is considered invalid. Implementations + MUST set the + + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" + reason. + + + + Note that when the BackendTLSPolicy object is enabled by + the implementation, + + there are some extra rules about validity to consider here. + See the fields + + where this struct is used for more information about the + exact behavior.' + properties: + group: + default: '' + description: 'Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred.' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: 'Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records + that may live + + outside of the cluster and as such are difficult to + reason about in + + terms of conformance. They also may not be safe to forward + to (see + + CVE-2021-25740 for more information). Implementations + SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type + ExternalName)' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace''s owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port specifies the destination port number + to use for this resource. + + Port is required when the referent is a Kubernetes Service. + In this + + case, the port number is the service port number, not + the target port. + + For other resources, destination port might be derived + from the referent + + resource or this field.' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: 'Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all weights + in this + + BackendRefs list). For non-zero values, there may be + some epsilon from + + the exact proportion defined here depending on the precision + an + + implementation supports. Weight is not a percentage + and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a weight + greater than 0, 100% + + of the traffic is forwarded to that backend. If weight + is set to 0, no + + traffic should be forwarded for this entry. If unspecified, + weight + + defaults to 1. + + + Support for this field varies based on the context where + used.' + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: 'Name is the name of the route rule. This name + MUST be unique within a Route if it is set. + + + Support: Extended' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: 'UseDefaultGateways indicates the default Gateway scope + to use for this + + Route. If unset (the default) or set to None, the Route will not + be + + attached to any default Gateway; if set, it will be attached to + any + + default Gateway supporting the named scope, subject to the usual + rules + + about which Routes a Gateway is allowed to claim. + + + Think carefully before using this functionality! The set of default + + Gateways supporting the requested scope can change over time without + + any notice to the Route author, and in many situations it will not + be + + appropriate to request a default Gateway for a given Route -- for + + example, a Route with specific security requirements should almost + + certainly not use a default Gateway.' + enum: + - All + - None + type: string + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: 'Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with respect + to + + each parent. When this route attaches to a parent, the controller + that + + manages the parent must add an entry to this list when the controller + + first sees the route and should update the entry as appropriate + when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + + of this API will not be added to this list. Implementations of this + API + + can only populate Route status for the Gateways/parent resources + they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty + list + + means the route has not been attached to any Gateway.' + items: + description: 'RouteParentStatus describes the status of a route + with respect to an + + associated Parent.' + properties: + conditions: + description: 'Conditions describes the status of the route with + respect to the Gateway. + + Note that the route''s availability is also subject to the + Gateway''s own + + status conditions and listener status. + + + If the Route''s ParentRef specifies an existing Gateway that + supports + + Routes of this kind AND that Gateway''s controller has sufficient + access, + + then that Gateway''s controller MUST set the "Accepted" condition + on the + + Route, to indicate whether the route has been accepted or + rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the + Route''s + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition + may not be set + + due to lack of controller visibility, that includes when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not support. + + * The Route is in a namespace the controller does not have + access to.' + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: 'lastTransitionTime is the last time the + condition transitioned from one status to another. + + This should be when the underlying condition changed. If + that is not known, then using the time when the API + field changed is acceptable.' + format: date-time + type: string + message: + description: 'message is a human readable message indicating + details about the transition. + + This may be an empty string.' + maxLength: 32768 + type: string + observedGeneration: + description: 'observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is + 9, the condition is out of date + + with respect to the current state of the instance.' + format: int64 + minimum: 0 + type: integer + reason: + description: 'reason contains a programmatic identifier + indicating the reason for the condition''s last transition. + + Producers of specific condition types may define expected + values and meanings for this field, + + and whether the values are considered a guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty.' + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: 'ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN + and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. + Controllers should ensure that + + entries to status populated with their ControllerName are + cleaned up when they are no + + longer necessary.' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: 'ParentRef corresponds with a ParentRef in the + spec that this + + RouteParentStatus struct describes the status of.' + properties: + group: + default: gateway.networking.k8s.io + description: 'Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a "Service" kind + referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: 'Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + Support for other resources is Implementation-Specific.' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: 'Name is the name of the referent. + + + Support: Core' + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the referent. + When unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which + cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are referring + to. For example: + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable any other kind of cross-namespace + reference. + + + + ParentRefs from a Route to a Service in the same namespace + are "producer" + + routes, which apply default routing rules to inbound connections + from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace + are + + "consumer" routes, and these routing rules are only applied + to outbound + + connections originating from the same namespace as the + Route, for which + + the intended destination of the connections are a Service + targeted as a + + ParentRef of the Route. + + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port is the network port this Route targets. + It can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all + listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It''s not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply to + a specific port + + as opposed to a listener(s) whose port(s) may be changed. + When both Port + + and SectionName are specified, the name and port of the + selected listener + + must match both specified values. + + + + When the parent resource is a Service, this targets a + specific port in the + + Service spec. When both Port (experimental) and SectionName + are specified, + + the name and port of the selected port must match both + specified values. + + + + Implementations MAY choose to support other parent resources. + + Implementations supporting other types of parent resources + MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment + + from the referencing Route, the Route MUST be considered + successfully + + attached. If no Gateway listeners accept attachment from + this Route, + + the Route MUST be considered detached from the Gateway. + + + Support: Extended' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: 'SectionName is the name of a section within + the target resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + * Service: Port name. When both Port (experimental) and + SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how SectionName + is + + interpreted. + + + When unspecified (empty string), this will reference the + entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment from + + the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from + this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + description: 'The TLSRoute resource is similar to TCPRoute, but can be configured + + to match against TLS-specific metadata. This allows more flexibility + + in matching streams for a given TLS listener. + + + If you need to forward traffic to a single target for a TLS listener, you + + could choose to use a TCPRoute with a TLS listener.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI hostnames that should\ + \ match against the\nSNI attribute of TLS ClientHello message in\ + \ TLS handshake. This matches\nthe RFC 1123 definition of a hostname\ + \ with 2 notable exceptions:\n\n1. IPs are not allowed in SNI hostnames\ + \ per RFC 6066.\n2. A hostname may be prefixed with a wildcard label\ + \ (`*.`). The wildcard\n label must appear by itself as the first\ + \ label.\n\nIf a hostname is specified by both the Listener and\ + \ TLSRoute, there\nmust be at least one intersecting hostname for\ + \ the TLSRoute to be\nattached to the Listener. For example:\n\n\ + * A Listener with `test.example.com` as the hostname matches TLSRoutes\n\ + \ that have specified at least one of `test.example.com` or\n \ + \ `*.example.com`.\n* A Listener with `*.example.com` as the hostname\ + \ matches TLSRoutes\n that have specified at least one hostname\ + \ that matches the Listener\n hostname. For example, `test.example.com`\ + \ and `*.example.com` would both\n match. On the other hand, `example.com`\ + \ and `test.example.net` would not\n match.\n\nIf both the Listener\ + \ and TLSRoute have specified hostnames, any\nTLSRoute hostnames\ + \ that do not match the Listener hostname MUST be\nignored. For\ + \ example, if a Listener specified `*.example.com`, and the\nTLSRoute\ + \ specified `test.example.com` and `test.example.net`,\n`test.example.net`\ + \ must not be considered for a match.\n\nIf both the Listener and\ + \ TLSRoute have specified hostnames, and none\nmatch with the criteria\ + \ above, then the TLSRoute is not accepted. The\nimplementation\ + \ must raise an 'Accepted' Condition with a status of\n`False` in\ + \ the corresponding RouteParentStatus.\n\nSupport: Core" + items: + description: "Hostname is the fully qualified domain name of a network\ + \ host. This matches\nthe RFC 1123 definition of a hostname with\ + \ 2 notable exceptions:\n\n 1. IPs are not allowed.\n 2. A hostname\ + \ may be prefixed with a wildcard label (`*.`). The wildcard\n\ + \ label must appear by itself as the first label.\n\nHostname\ + \ can be \"precise\" which is a domain name without the terminating\n\ + dot of a network host (e.g. \"foo.example.com\") or \"wildcard\"\ + , which is a\ndomain name prefixed with a single wildcard label\ + \ (e.g. `*.example.com`).\n\nNote that as per RFC1035 and RFC1123,\ + \ a *label* must consist of lower case\nalphanumeric characters\ + \ or '-', and must start and end with an alphanumeric\ncharacter.\ + \ No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: "ParentRefs references the resources (usually Gateways)\ + \ that a Route wants\nto be attached to. Note that the referenced\ + \ parent resource needs to\nallow this for the attachment to be\ + \ complete. For Gateways, that means\nthe Gateway needs to allow\ + \ attachment from Routes of this kind and\nnamespace. For Services,\ + \ that means the Service must either be in the same\nnamespace for\ + \ a \"producer\" route, or the mesh implementation must support\n\ + and allow \"consumer\" routes for the referenced Service. ReferenceGrant\ + \ is\nnot applicable for governing ParentRefs to Services - it is\ + \ not possible to\ncreate a \"producer\" route for a Service in\ + \ a different namespace from the\nRoute.\n\nThere are two kinds\ + \ of parent resources with \"Core\" support:\n\n* Gateway (Gateway\ + \ conformance profile)\n* Service (Mesh conformance profile, ClusterIP\ + \ Services only)\n\nThis API may be extended in the future to support\ + \ additional kinds of parent\nresources.\n\nParentRefs must be _distinct_.\ + \ This means either that:\n\n* They select different objects. If\ + \ this is the case, then parentRef\n entries are distinct. In terms\ + \ of fields, this means that the\n multi-part key defined by `group`,\ + \ `kind`, `namespace`, and `name` must\n be unique across all parentRef\ + \ entries in the Route.\n* They do not select different objects,\ + \ but for each optional field used,\n each ParentRef that selects\ + \ the same object must set the same set of\n optional fields to\ + \ different values. If one ParentRef sets a\n combination of optional\ + \ fields, all must set the same combination.\n\nSome examples:\n\ + \n* If one ParentRef sets `sectionName`, all ParentRefs referencing\ + \ the\n same object must also set `sectionName`.\n* If one ParentRef\ + \ sets `port`, all ParentRefs referencing the same\n object must\ + \ also set `port`.\n* If one ParentRef sets `sectionName` and `port`,\ + \ all ParentRefs\n referencing the same object must also set `sectionName`\ + \ and `port`.\n\nIt is possible to separately reference multiple\ + \ distinct objects that may\nbe collapsed by an implementation.\ + \ For example, some implementations may\nchoose to merge compatible\ + \ Gateway Listeners together. If that is the\ncase, the list of\ + \ routes attached to those resources should also be\nmerged.\n\n\ + Note that for ParentRefs that cross namespace boundaries, there\ + \ are specific\nrules. Cross-namespace references are only valid\ + \ if they are explicitly\nallowed by something in the namespace\ + \ they are referring to. For example,\nGateway has the AllowedRoutes\ + \ field, and ReferenceGrant provides a\ngeneric way to enable other\ + \ kinds of cross-namespace reference.\n\n\nParentRefs from a Route\ + \ to a Service in the same namespace are \"producer\"\nroutes, which\ + \ apply default routing rules to inbound connections from\nany namespace\ + \ to the Service.\n\nParentRefs from a Route to a Service in a different\ + \ namespace are\n\"consumer\" routes, and these routing rules are\ + \ only applied to outbound\nconnections originating from the same\ + \ namespace as the Route, for which\nthe intended destination of\ + \ the connections are a Service targeted as a\nParentRef of the\ + \ Route." + items: + description: 'ParentReference identifies an API object (usually + a Gateway) that can be considered + + a parent of this resource (usually a route). There are two kinds + of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds + of parent + + resources. + + + The API object must be valid in the cluster; the Group and Kind + must + + be registered in the cluster for this reference to be valid.' + properties: + group: + default: gateway.networking.k8s.io + description: 'Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a "Service" kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: 'Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific.' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: 'Name is the name of the referent. + + + Support: Core' + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross + namespace + + boundaries. Cross-namespace references are only valid if they + are explicitly + + allowed by something in the namespace they are referring to. + For example: + + Gateway has the AllowedRoutes field, and ReferenceGrant provides + a + + generic way to enable any other kind of cross-namespace reference. + + + + ParentRefs from a Route to a Service in the same namespace + are "producer" + + routes, which apply default routing rules to inbound connections + from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace + are + + "consumer" routes, and these routing rules are only applied + to outbound + + connections originating from the same namespace as the Route, + for which + + the intended destination of the connections are a Service + targeted as a + + ParentRef of the Route. + + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + + listening on the specified port that also support this kind + of Route(and + + select this Route). It''s not recommended to set `Port` unless + the + + networking behaviors specified in a Route must apply to a + specific port + + as opposed to a listener(s) whose port(s) may be changed. + When both Port + + and SectionName are specified, the name and port of the selected + listener + + must match both specified values. + + + + When the parent resource is a Service, this targets a specific + port in the + + Service spec. When both Port (experimental) and SectionName + are specified, + + the name and port of the selected port must match both specified + values. + + + + Implementations MAY choose to support other parent resources. + + Implementations supporting other types of parent resources + MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful + as + + long as the parent resource accepts it partially. For example, + Gateway + + listeners can restrict which Routes can attach to them by + Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment + + from the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from this + Route, + + the Route MUST be considered detached from the Gateway. + + + Support: Extended' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: 'SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and + SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + * Service: Port name. When both Port (experimental) and SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + + Implementations MAY choose to support attaching Routes to + other resources. + + If that is the case, they MUST clearly document how SectionName + is + + interpreted. + + + When unspecified (empty string), this will reference the entire + resource. + + For the purpose of status, an attachment is considered successful + if at + + least one section in the parent resource accepts it. For example, + Gateway + + listeners can restrict which Routes can attach to them by + Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment from + + the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from this + Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: 'BackendRefs defines the backend(s) where matching + requests should be + + sent. If unspecified or invalid (refers to a nonexistent resource + or + + a Service with no endpoints), the rule performs no forwarding; + if no + + filters are specified that would result in a response being + sent, the + + underlying implementation must actively reject request attempts + to this + + backend, by rejecting the connection or returning a 500 status + code. + + Request rejections must respect weight; if an invalid backend + is + + requested to have 80% of requests, then 80% of requests must + be rejected + + instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other resource + + + Support for weight: Extended' + items: + description: 'BackendRef defines how a Route should forward + a request to a Kubernetes + + resource. + + + Note that when a namespace different than the local namespace + is specified, a + + ReferenceGrant object is required in the referent namespace + to allow that + + namespace''s owner to accept the reference. See the ReferenceGrant + + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations + SHOULD + + honor the appProtocol field if it is set for the target + Service Port. + + + Implementations supporting appProtocol SHOULD recognize + the Kubernetes + + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn''t specified, an implementation + MAY infer the + + backend protocol through its own means. Implementations + MAY infer the + + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using + the specified + + protocol then the backend is considered invalid. Implementations + MUST set the + + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" + reason. + + + + Note that when the BackendTLSPolicy object is enabled by + the implementation, + + there are some extra rules about validity to consider here. + See the fields + + where this struct is used for more information about the + exact behavior.' + properties: + group: + default: '' + description: 'Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred.' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: 'Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records + that may live + + outside of the cluster and as such are difficult to + reason about in + + terms of conformance. They also may not be safe to forward + to (see + + CVE-2021-25740 for more information). Implementations + SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type + ExternalName)' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace''s owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port specifies the destination port number + to use for this resource. + + Port is required when the referent is a Kubernetes Service. + In this + + case, the port number is the service port number, not + the target port. + + For other resources, destination port might be derived + from the referent + + resource or this field.' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: 'Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all weights + in this + + BackendRefs list). For non-zero values, there may be + some epsilon from + + the exact proportion defined here depending on the precision + an + + implementation supports. Weight is not a percentage + and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a weight + greater than 0, 100% + + of the traffic is forwarded to that backend. If weight + is set to 0, no + + traffic should be forwarded for this entry. If unspecified, + weight + + defaults to 1. + + + Support for this field varies based on the context where + used.' + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: 'Name is the name of the route rule. This name + MUST be unique within a Route if it is set. + + + Support: Extended' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: 'UseDefaultGateways indicates the default Gateway scope + to use for this + + Route. If unset (the default) or set to None, the Route will not + be + + attached to any default Gateway; if set, it will be attached to + any + + default Gateway supporting the named scope, subject to the usual + rules + + about which Routes a Gateway is allowed to claim. + + + Think carefully before using this functionality! The set of default + + Gateways supporting the requested scope can change over time without + + any notice to the Route author, and in many situations it will not + be + + appropriate to request a default Gateway for a given Route -- for + + example, a Route with specific security requirements should almost + + certainly not use a default Gateway.' + enum: + - All + - None + type: string + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: 'Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with respect + to + + each parent. When this route attaches to a parent, the controller + that + + manages the parent must add an entry to this list when the controller + + first sees the route and should update the entry as appropriate + when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + + of this API will not be added to this list. Implementations of this + API + + can only populate Route status for the Gateways/parent resources + they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty + list + + means the route has not been attached to any Gateway.' + items: + description: 'RouteParentStatus describes the status of a route + with respect to an + + associated Parent.' + properties: + conditions: + description: 'Conditions describes the status of the route with + respect to the Gateway. + + Note that the route''s availability is also subject to the + Gateway''s own + + status conditions and listener status. + + + If the Route''s ParentRef specifies an existing Gateway that + supports + + Routes of this kind AND that Gateway''s controller has sufficient + access, + + then that Gateway''s controller MUST set the "Accepted" condition + on the + + Route, to indicate whether the route has been accepted or + rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the + Route''s + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition + may not be set + + due to lack of controller visibility, that includes when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not support. + + * The Route is in a namespace the controller does not have + access to.' + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: 'lastTransitionTime is the last time the + condition transitioned from one status to another. + + This should be when the underlying condition changed. If + that is not known, then using the time when the API + field changed is acceptable.' + format: date-time + type: string + message: + description: 'message is a human readable message indicating + details about the transition. + + This may be an empty string.' + maxLength: 32768 + type: string + observedGeneration: + description: 'observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is + 9, the condition is out of date + + with respect to the current state of the instance.' + format: int64 + minimum: 0 + type: integer + reason: + description: 'reason contains a programmatic identifier + indicating the reason for the condition''s last transition. + + Producers of specific condition types may define expected + values and meanings for this field, + + and whether the values are considered a guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty.' + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: 'ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN + and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. + Controllers should ensure that + + entries to status populated with their ControllerName are + cleaned up when they are no + + longer necessary.' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: 'ParentRef corresponds with a ParentRef in the + spec that this + + RouteParentStatus struct describes the status of.' + properties: + group: + default: gateway.networking.k8s.io + description: 'Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a "Service" kind + referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: 'Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + Support for other resources is Implementation-Specific.' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: 'Name is the name of the referent. + + + Support: Core' + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the referent. + When unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which + cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are referring + to. For example: + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable any other kind of cross-namespace + reference. + + + + ParentRefs from a Route to a Service in the same namespace + are "producer" + + routes, which apply default routing rules to inbound connections + from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace + are + + "consumer" routes, and these routing rules are only applied + to outbound + + connections originating from the same namespace as the + Route, for which + + the intended destination of the connections are a Service + targeted as a + + ParentRef of the Route. + + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port is the network port this Route targets. + It can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all + listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It''s not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply to + a specific port + + as opposed to a listener(s) whose port(s) may be changed. + When both Port + + and SectionName are specified, the name and port of the + selected listener + + must match both specified values. + + + + When the parent resource is a Service, this targets a + specific port in the + + Service spec. When both Port (experimental) and SectionName + are specified, + + the name and port of the selected port must match both + specified values. + + + + Implementations MAY choose to support other parent resources. + + Implementations supporting other types of parent resources + MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment + + from the referencing Route, the Route MUST be considered + successfully + + attached. If no Gateway listeners accept attachment from + this Route, + + the Route MUST be considered detached from the Gateway. + + + Support: Extended' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: 'SectionName is the name of a section within + the target resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + * Service: Port name. When both Port (experimental) and + SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how SectionName + is + + interpreted. + + + When unspecified (empty string), this will reference the + entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment from + + the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from + this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: experimental + name: tcproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TCPRoute + listKind: TCPRouteList + plural: tcproutes + singular: tcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: 'TCPRoute provides a way to route TCP requests. When combined + with a Gateway + + listener, it can be used to forward connections on the port specified by + the + + listener to a set of backends specified by the TCPRoute.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TCPRoute. + properties: + parentRefs: + description: "ParentRefs references the resources (usually Gateways)\ + \ that a Route wants\nto be attached to. Note that the referenced\ + \ parent resource needs to\nallow this for the attachment to be\ + \ complete. For Gateways, that means\nthe Gateway needs to allow\ + \ attachment from Routes of this kind and\nnamespace. For Services,\ + \ that means the Service must either be in the same\nnamespace for\ + \ a \"producer\" route, or the mesh implementation must support\n\ + and allow \"consumer\" routes for the referenced Service. ReferenceGrant\ + \ is\nnot applicable for governing ParentRefs to Services - it is\ + \ not possible to\ncreate a \"producer\" route for a Service in\ + \ a different namespace from the\nRoute.\n\nThere are two kinds\ + \ of parent resources with \"Core\" support:\n\n* Gateway (Gateway\ + \ conformance profile)\n* Service (Mesh conformance profile, ClusterIP\ + \ Services only)\n\nThis API may be extended in the future to support\ + \ additional kinds of parent\nresources.\n\nParentRefs must be _distinct_.\ + \ This means either that:\n\n* They select different objects. If\ + \ this is the case, then parentRef\n entries are distinct. In terms\ + \ of fields, this means that the\n multi-part key defined by `group`,\ + \ `kind`, `namespace`, and `name` must\n be unique across all parentRef\ + \ entries in the Route.\n* They do not select different objects,\ + \ but for each optional field used,\n each ParentRef that selects\ + \ the same object must set the same set of\n optional fields to\ + \ different values. If one ParentRef sets a\n combination of optional\ + \ fields, all must set the same combination.\n\nSome examples:\n\ + \n* If one ParentRef sets `sectionName`, all ParentRefs referencing\ + \ the\n same object must also set `sectionName`.\n* If one ParentRef\ + \ sets `port`, all ParentRefs referencing the same\n object must\ + \ also set `port`.\n* If one ParentRef sets `sectionName` and `port`,\ + \ all ParentRefs\n referencing the same object must also set `sectionName`\ + \ and `port`.\n\nIt is possible to separately reference multiple\ + \ distinct objects that may\nbe collapsed by an implementation.\ + \ For example, some implementations may\nchoose to merge compatible\ + \ Gateway Listeners together. If that is the\ncase, the list of\ + \ routes attached to those resources should also be\nmerged.\n\n\ + Note that for ParentRefs that cross namespace boundaries, there\ + \ are specific\nrules. Cross-namespace references are only valid\ + \ if they are explicitly\nallowed by something in the namespace\ + \ they are referring to. For example,\nGateway has the AllowedRoutes\ + \ field, and ReferenceGrant provides a\ngeneric way to enable other\ + \ kinds of cross-namespace reference.\n\n\nParentRefs from a Route\ + \ to a Service in the same namespace are \"producer\"\nroutes, which\ + \ apply default routing rules to inbound connections from\nany namespace\ + \ to the Service.\n\nParentRefs from a Route to a Service in a different\ + \ namespace are\n\"consumer\" routes, and these routing rules are\ + \ only applied to outbound\nconnections originating from the same\ + \ namespace as the Route, for which\nthe intended destination of\ + \ the connections are a Service targeted as a\nParentRef of the\ + \ Route." + items: + description: 'ParentReference identifies an API object (usually + a Gateway) that can be considered + + a parent of this resource (usually a route). There are two kinds + of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds + of parent + + resources. + + + The API object must be valid in the cluster; the Group and Kind + must + + be registered in the cluster for this reference to be valid.' + properties: + group: + default: gateway.networking.k8s.io + description: 'Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a "Service" kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: 'Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific.' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: 'Name is the name of the referent. + + + Support: Core' + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross + namespace + + boundaries. Cross-namespace references are only valid if they + are explicitly + + allowed by something in the namespace they are referring to. + For example: + + Gateway has the AllowedRoutes field, and ReferenceGrant provides + a + + generic way to enable any other kind of cross-namespace reference. + + + + ParentRefs from a Route to a Service in the same namespace + are "producer" + + routes, which apply default routing rules to inbound connections + from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace + are + + "consumer" routes, and these routing rules are only applied + to outbound + + connections originating from the same namespace as the Route, + for which + + the intended destination of the connections are a Service + targeted as a + + ParentRef of the Route. + + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + + listening on the specified port that also support this kind + of Route(and + + select this Route). It''s not recommended to set `Port` unless + the + + networking behaviors specified in a Route must apply to a + specific port + + as opposed to a listener(s) whose port(s) may be changed. + When both Port + + and SectionName are specified, the name and port of the selected + listener + + must match both specified values. + + + + When the parent resource is a Service, this targets a specific + port in the + + Service spec. When both Port (experimental) and SectionName + are specified, + + the name and port of the selected port must match both specified + values. + + + + Implementations MAY choose to support other parent resources. + + Implementations supporting other types of parent resources + MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful + as + + long as the parent resource accepts it partially. For example, + Gateway + + listeners can restrict which Routes can attach to them by + Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment + + from the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from this + Route, + + the Route MUST be considered detached from the Gateway. + + + Support: Extended' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: 'SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and + SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + * Service: Port name. When both Port (experimental) and SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + + Implementations MAY choose to support attaching Routes to + other resources. + + If that is the case, they MUST clearly document how SectionName + is + + interpreted. + + + When unspecified (empty string), this will reference the entire + resource. + + For the purpose of status, an attachment is considered successful + if at + + least one section in the parent resource accepts it. For example, + Gateway + + listeners can restrict which Routes can attach to them by + Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment from + + the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from this + Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of TCP matchers and actions. + items: + description: TCPRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: 'BackendRefs defines the backend(s) where matching + requests should be + + sent. If unspecified or invalid (refers to a nonexistent resource + or a + + Service with no endpoints), the underlying implementation + MUST actively + + reject connection attempts to this backend. Connection rejections + must + + respect weight; if an invalid backend is requested to have + 80% of + + connections, then 80% of connections must be rejected instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other resource + + + Support for weight: Extended' + items: + description: 'BackendRef defines how a Route should forward + a request to a Kubernetes + + resource. + + + Note that when a namespace different than the local namespace + is specified, a + + ReferenceGrant object is required in the referent namespace + to allow that + + namespace''s owner to accept the reference. See the ReferenceGrant + + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations + SHOULD + + honor the appProtocol field if it is set for the target + Service Port. + + + Implementations supporting appProtocol SHOULD recognize + the Kubernetes + + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn''t specified, an implementation + MAY infer the + + backend protocol through its own means. Implementations + MAY infer the + + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using + the specified + + protocol then the backend is considered invalid. Implementations + MUST set the + + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" + reason. + + + + Note that when the BackendTLSPolicy object is enabled by + the implementation, + + there are some extra rules about validity to consider here. + See the fields + + where this struct is used for more information about the + exact behavior.' + properties: + group: + default: '' + description: 'Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred.' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: 'Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records + that may live + + outside of the cluster and as such are difficult to + reason about in + + terms of conformance. They also may not be safe to forward + to (see + + CVE-2021-25740 for more information). Implementations + SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type + ExternalName)' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace''s owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port specifies the destination port number + to use for this resource. + + Port is required when the referent is a Kubernetes Service. + In this + + case, the port number is the service port number, not + the target port. + + For other resources, destination port might be derived + from the referent + + resource or this field.' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: 'Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all weights + in this + + BackendRefs list). For non-zero values, there may be + some epsilon from + + the exact proportion defined here depending on the precision + an + + implementation supports. Weight is not a percentage + and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a weight + greater than 0, 100% + + of the traffic is forwarded to that backend. If weight + is set to 0, no + + traffic should be forwarded for this entry. If unspecified, + weight + + defaults to 1. + + + Support for this field varies based on the context where + used.' + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: 'Name is the name of the route rule. This name + MUST be unique within a Route if it is set. + + + Support: Extended' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: 'UseDefaultGateways indicates the default Gateway scope + to use for this + + Route. If unset (the default) or set to None, the Route will not + be + + attached to any default Gateway; if set, it will be attached to + any + + default Gateway supporting the named scope, subject to the usual + rules + + about which Routes a Gateway is allowed to claim. + + + Think carefully before using this functionality! The set of default + + Gateways supporting the requested scope can change over time without + + any notice to the Route author, and in many situations it will not + be + + appropriate to request a default Gateway for a given Route -- for + + example, a Route with specific security requirements should almost + + certainly not use a default Gateway.' + enum: + - All + - None + type: string + required: + - rules + type: object + status: + description: Status defines the current state of TCPRoute. + properties: + parents: + description: 'Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with respect + to + + each parent. When this route attaches to a parent, the controller + that + + manages the parent must add an entry to this list when the controller + + first sees the route and should update the entry as appropriate + when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + + of this API will not be added to this list. Implementations of this + API + + can only populate Route status for the Gateways/parent resources + they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty + list + + means the route has not been attached to any Gateway.' + items: + description: 'RouteParentStatus describes the status of a route + with respect to an + + associated Parent.' + properties: + conditions: + description: 'Conditions describes the status of the route with + respect to the Gateway. + + Note that the route''s availability is also subject to the + Gateway''s own + + status conditions and listener status. + + + If the Route''s ParentRef specifies an existing Gateway that + supports + + Routes of this kind AND that Gateway''s controller has sufficient + access, + + then that Gateway''s controller MUST set the "Accepted" condition + on the + + Route, to indicate whether the route has been accepted or + rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the + Route''s + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition + may not be set + + due to lack of controller visibility, that includes when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not support. + + * The Route is in a namespace the controller does not have + access to.' + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: 'lastTransitionTime is the last time the + condition transitioned from one status to another. + + This should be when the underlying condition changed. If + that is not known, then using the time when the API + field changed is acceptable.' + format: date-time + type: string + message: + description: 'message is a human readable message indicating + details about the transition. + + This may be an empty string.' + maxLength: 32768 + type: string + observedGeneration: + description: 'observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is + 9, the condition is out of date + + with respect to the current state of the instance.' + format: int64 + minimum: 0 + type: integer + reason: + description: 'reason contains a programmatic identifier + indicating the reason for the condition''s last transition. + + Producers of specific condition types may define expected + values and meanings for this field, + + and whether the values are considered a guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty.' + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: 'ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN + and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. + Controllers should ensure that + + entries to status populated with their ControllerName are + cleaned up when they are no + + longer necessary.' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: 'ParentRef corresponds with a ParentRef in the + spec that this + + RouteParentStatus struct describes the status of.' + properties: + group: + default: gateway.networking.k8s.io + description: 'Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a "Service" kind + referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: 'Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + Support for other resources is Implementation-Specific.' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: 'Name is the name of the referent. + + + Support: Core' + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the referent. + When unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which + cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are referring + to. For example: + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable any other kind of cross-namespace + reference. + + + + ParentRefs from a Route to a Service in the same namespace + are "producer" + + routes, which apply default routing rules to inbound connections + from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace + are + + "consumer" routes, and these routing rules are only applied + to outbound + + connections originating from the same namespace as the + Route, for which + + the intended destination of the connections are a Service + targeted as a + + ParentRef of the Route. + + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port is the network port this Route targets. + It can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all + listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It''s not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply to + a specific port + + as opposed to a listener(s) whose port(s) may be changed. + When both Port + + and SectionName are specified, the name and port of the + selected listener + + must match both specified values. + + + + When the parent resource is a Service, this targets a + specific port in the + + Service spec. When both Port (experimental) and SectionName + are specified, + + the name and port of the selected port must match both + specified values. + + + + Implementations MAY choose to support other parent resources. + + Implementations supporting other types of parent resources + MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment + + from the referencing Route, the Route MUST be considered + successfully + + attached. If no Gateway listeners accept attachment from + this Route, + + the Route MUST be considered detached from the Gateway. + + + Support: Extended' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: 'SectionName is the name of a section within + the target resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + * Service: Port name. When both Port (experimental) and + SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how SectionName + is + + interpreted. + + + When unspecified (empty string), this will reference the + entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment from + + the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from + this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/3328 + gateway.networking.k8s.io/bundle-version: v1.4.0 + gateway.networking.k8s.io/channel: experimental + name: tlsroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: TLSRoute + listKind: TLSRouteList + plural: tlsroutes + singular: tlsroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: 'The TLSRoute resource is similar to TCPRoute, but can be configured + + to match against TLS-specific metadata. This allows more flexibility + + in matching streams for a given TLS listener. + + + If you need to forward traffic to a single target for a TLS listener, you + + could choose to use a TCPRoute with a TLS listener.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI names that should match\ + \ against the\nSNI attribute of TLS ClientHello message in TLS handshake.\ + \ This matches\nthe RFC 1123 definition of a hostname with 2 notable\ + \ exceptions:\n\n1. IPs are not allowed in SNI names per RFC 6066.\n\ + 2. A hostname may be prefixed with a wildcard label (`*.`). The\ + \ wildcard\n label must appear by itself as the first label.\n\ + \nIf a hostname is specified by both the Listener and TLSRoute,\ + \ there\nmust be at least one intersecting hostname for the TLSRoute\ + \ to be\nattached to the Listener. For example:\n\n* A Listener\ + \ with `test.example.com` as the hostname matches TLSRoutes\n that\ + \ have either not specified any hostnames, or have specified at\n\ + \ least one of `test.example.com` or `*.example.com`.\n* A Listener\ + \ with `*.example.com` as the hostname matches TLSRoutes\n that\ + \ have either not specified any hostnames or have specified at least\n\ + \ one hostname that matches the Listener hostname. For example,\n\ + \ `test.example.com` and `*.example.com` would both match. On the\ + \ other\n hand, `example.com` and `test.example.net` would not\ + \ match.\n\nIf both the Listener and TLSRoute have specified hostnames,\ + \ any\nTLSRoute hostnames that do not match the Listener hostname\ + \ MUST be\nignored. For example, if a Listener specified `*.example.com`,\ + \ and the\nTLSRoute specified `test.example.com` and `test.example.net`,\n\ + `test.example.net` must not be considered for a match.\n\nIf both\ + \ the Listener and TLSRoute have specified hostnames, and none\n\ + match with the criteria above, then the TLSRoute is not accepted.\ + \ The\nimplementation must raise an 'Accepted' Condition with a\ + \ status of\n`False` in the corresponding RouteParentStatus.\n\n\ + Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network\ + \ host. This matches\nthe RFC 1123 definition of a hostname with\ + \ 2 notable exceptions:\n\n 1. IPs are not allowed.\n 2. A hostname\ + \ may be prefixed with a wildcard label (`*.`). The wildcard\n\ + \ label must appear by itself as the first label.\n\nHostname\ + \ can be \"precise\" which is a domain name without the terminating\n\ + dot of a network host (e.g. \"foo.example.com\") or \"wildcard\"\ + , which is a\ndomain name prefixed with a single wildcard label\ + \ (e.g. `*.example.com`).\n\nNote that as per RFC1035 and RFC1123,\ + \ a *label* must consist of lower case\nalphanumeric characters\ + \ or '-', and must start and end with an alphanumeric\ncharacter.\ + \ No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: "ParentRefs references the resources (usually Gateways)\ + \ that a Route wants\nto be attached to. Note that the referenced\ + \ parent resource needs to\nallow this for the attachment to be\ + \ complete. For Gateways, that means\nthe Gateway needs to allow\ + \ attachment from Routes of this kind and\nnamespace. For Services,\ + \ that means the Service must either be in the same\nnamespace for\ + \ a \"producer\" route, or the mesh implementation must support\n\ + and allow \"consumer\" routes for the referenced Service. ReferenceGrant\ + \ is\nnot applicable for governing ParentRefs to Services - it is\ + \ not possible to\ncreate a \"producer\" route for a Service in\ + \ a different namespace from the\nRoute.\n\nThere are two kinds\ + \ of parent resources with \"Core\" support:\n\n* Gateway (Gateway\ + \ conformance profile)\n* Service (Mesh conformance profile, ClusterIP\ + \ Services only)\n\nThis API may be extended in the future to support\ + \ additional kinds of parent\nresources.\n\nParentRefs must be _distinct_.\ + \ This means either that:\n\n* They select different objects. If\ + \ this is the case, then parentRef\n entries are distinct. In terms\ + \ of fields, this means that the\n multi-part key defined by `group`,\ + \ `kind`, `namespace`, and `name` must\n be unique across all parentRef\ + \ entries in the Route.\n* They do not select different objects,\ + \ but for each optional field used,\n each ParentRef that selects\ + \ the same object must set the same set of\n optional fields to\ + \ different values. If one ParentRef sets a\n combination of optional\ + \ fields, all must set the same combination.\n\nSome examples:\n\ + \n* If one ParentRef sets `sectionName`, all ParentRefs referencing\ + \ the\n same object must also set `sectionName`.\n* If one ParentRef\ + \ sets `port`, all ParentRefs referencing the same\n object must\ + \ also set `port`.\n* If one ParentRef sets `sectionName` and `port`,\ + \ all ParentRefs\n referencing the same object must also set `sectionName`\ + \ and `port`.\n\nIt is possible to separately reference multiple\ + \ distinct objects that may\nbe collapsed by an implementation.\ + \ For example, some implementations may\nchoose to merge compatible\ + \ Gateway Listeners together. If that is the\ncase, the list of\ + \ routes attached to those resources should also be\nmerged.\n\n\ + Note that for ParentRefs that cross namespace boundaries, there\ + \ are specific\nrules. Cross-namespace references are only valid\ + \ if they are explicitly\nallowed by something in the namespace\ + \ they are referring to. For example,\nGateway has the AllowedRoutes\ + \ field, and ReferenceGrant provides a\ngeneric way to enable other\ + \ kinds of cross-namespace reference.\n\n\nParentRefs from a Route\ + \ to a Service in the same namespace are \"producer\"\nroutes, which\ + \ apply default routing rules to inbound connections from\nany namespace\ + \ to the Service.\n\nParentRefs from a Route to a Service in a different\ + \ namespace are\n\"consumer\" routes, and these routing rules are\ + \ only applied to outbound\nconnections originating from the same\ + \ namespace as the Route, for which\nthe intended destination of\ + \ the connections are a Service targeted as a\nParentRef of the\ + \ Route." + items: + description: 'ParentReference identifies an API object (usually + a Gateway) that can be considered + + a parent of this resource (usually a route). There are two kinds + of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds + of parent + + resources. + + + The API object must be valid in the cluster; the Group and Kind + must + + be registered in the cluster for this reference to be valid.' + properties: + group: + default: gateway.networking.k8s.io + description: 'Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a "Service" kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: 'Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific.' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: 'Name is the name of the referent. + + + Support: Core' + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross + namespace + + boundaries. Cross-namespace references are only valid if they + are explicitly + + allowed by something in the namespace they are referring to. + For example: + + Gateway has the AllowedRoutes field, and ReferenceGrant provides + a + + generic way to enable any other kind of cross-namespace reference. + + + + ParentRefs from a Route to a Service in the same namespace + are "producer" + + routes, which apply default routing rules to inbound connections + from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace + are + + "consumer" routes, and these routing rules are only applied + to outbound + + connections originating from the same namespace as the Route, + for which + + the intended destination of the connections are a Service + targeted as a + + ParentRef of the Route. + + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + + listening on the specified port that also support this kind + of Route(and + + select this Route). It''s not recommended to set `Port` unless + the + + networking behaviors specified in a Route must apply to a + specific port + + as opposed to a listener(s) whose port(s) may be changed. + When both Port + + and SectionName are specified, the name and port of the selected + listener + + must match both specified values. + + + + When the parent resource is a Service, this targets a specific + port in the + + Service spec. When both Port (experimental) and SectionName + are specified, + + the name and port of the selected port must match both specified + values. + + + + Implementations MAY choose to support other parent resources. + + Implementations supporting other types of parent resources + MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful + as + + long as the parent resource accepts it partially. For example, + Gateway + + listeners can restrict which Routes can attach to them by + Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment + + from the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from this + Route, + + the Route MUST be considered detached from the Gateway. + + + Support: Extended' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: 'SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and + SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + * Service: Port name. When both Port (experimental) and SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + + Implementations MAY choose to support attaching Routes to + other resources. + + If that is the case, they MUST clearly document how SectionName + is + + interpreted. + + + When unspecified (empty string), this will reference the entire + resource. + + For the purpose of status, an attachment is considered successful + if at + + least one section in the parent resource accepts it. For example, + Gateway + + listeners can restrict which Routes can attach to them by + Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment from + + the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from this + Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of TLS matchers and actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: 'BackendRefs defines the backend(s) where matching + requests should be + + sent. If unspecified or invalid (refers to a nonexistent resource + or + + a Service with no endpoints), the rule performs no forwarding; + if no + + filters are specified that would result in a response being + sent, the + + underlying implementation must actively reject request attempts + to this + + backend, by rejecting the connection or returning a 500 status + code. + + Request rejections must respect weight; if an invalid backend + is + + requested to have 80% of requests, then 80% of requests must + be rejected + + instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other resource + + + Support for weight: Extended' + items: + description: 'BackendRef defines how a Route should forward + a request to a Kubernetes + + resource. + + + Note that when a namespace different than the local namespace + is specified, a + + ReferenceGrant object is required in the referent namespace + to allow that + + namespace''s owner to accept the reference. See the ReferenceGrant + + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations + SHOULD + + honor the appProtocol field if it is set for the target + Service Port. + + + Implementations supporting appProtocol SHOULD recognize + the Kubernetes + + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn''t specified, an implementation + MAY infer the + + backend protocol through its own means. Implementations + MAY infer the + + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using + the specified + + protocol then the backend is considered invalid. Implementations + MUST set the + + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" + reason. + + + + Note that when the BackendTLSPolicy object is enabled by + the implementation, + + there are some extra rules about validity to consider here. + See the fields + + where this struct is used for more information about the + exact behavior.' + properties: + group: + default: '' + description: 'Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred.' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: 'Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records + that may live + + outside of the cluster and as such are difficult to + reason about in + + terms of conformance. They also may not be safe to forward + to (see + + CVE-2021-25740 for more information). Implementations + SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type + ExternalName)' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace''s owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port specifies the destination port number + to use for this resource. + + Port is required when the referent is a Kubernetes Service. + In this + + case, the port number is the service port number, not + the target port. + + For other resources, destination port might be derived + from the referent + + resource or this field.' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: 'Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all weights + in this + + BackendRefs list). For non-zero values, there may be + some epsilon from + + the exact proportion defined here depending on the precision + an + + implementation supports. Weight is not a percentage + and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a weight + greater than 0, 100% + + of the traffic is forwarded to that backend. If weight + is set to 0, no + + traffic should be forwarded for this entry. If unspecified, + weight + + defaults to 1. + + + Support for this field varies based on the context where + used.' + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: 'Name is the name of the route rule. This name + MUST be unique within a Route if it is set. + + + Support: Extended' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: 'UseDefaultGateways indicates the default Gateway scope + to use for this + + Route. If unset (the default) or set to None, the Route will not + be + + attached to any default Gateway; if set, it will be attached to + any + + default Gateway supporting the named scope, subject to the usual + rules + + about which Routes a Gateway is allowed to claim. + + + Think carefully before using this functionality! The set of default + + Gateways supporting the requested scope can change over time without + + any notice to the Route author, and in many situations it will not + be + + appropriate to request a default Gateway for a given Route -- for + + example, a Route with specific security requirements should almost + + certainly not use a default Gateway.' + enum: + - All + - None + type: string + required: + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: 'Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with respect + to + + each parent. When this route attaches to a parent, the controller + that + + manages the parent must add an entry to this list when the controller + + first sees the route and should update the entry as appropriate + when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + + of this API will not be added to this list. Implementations of this + API + + can only populate Route status for the Gateways/parent resources + they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty + list + + means the route has not been attached to any Gateway.' + items: + description: 'RouteParentStatus describes the status of a route + with respect to an + + associated Parent.' + properties: + conditions: + description: 'Conditions describes the status of the route with + respect to the Gateway. + + Note that the route''s availability is also subject to the + Gateway''s own + + status conditions and listener status. + + + If the Route''s ParentRef specifies an existing Gateway that + supports + + Routes of this kind AND that Gateway''s controller has sufficient + access, + + then that Gateway''s controller MUST set the "Accepted" condition + on the + + Route, to indicate whether the route has been accepted or + rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the + Route''s + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition + may not be set + + due to lack of controller visibility, that includes when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not support. + + * The Route is in a namespace the controller does not have + access to.' + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: 'lastTransitionTime is the last time the + condition transitioned from one status to another. + + This should be when the underlying condition changed. If + that is not known, then using the time when the API + field changed is acceptable.' + format: date-time + type: string + message: + description: 'message is a human readable message indicating + details about the transition. + + This may be an empty string.' + maxLength: 32768 + type: string + observedGeneration: + description: 'observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is + 9, the condition is out of date + + with respect to the current state of the instance.' + format: int64 + minimum: 0 + type: integer + reason: + description: 'reason contains a programmatic identifier + indicating the reason for the condition''s last transition. + + Producers of specific condition types may define expected + values and meanings for this field, + + and whether the values are considered a guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty.' + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: 'ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN + and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. + Controllers should ensure that + + entries to status populated with their ControllerName are + cleaned up when they are no + + longer necessary.' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: 'ParentRef corresponds with a ParentRef in the + spec that this + + RouteParentStatus struct describes the status of.' + properties: + group: + default: gateway.networking.k8s.io + description: 'Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a "Service" kind + referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: 'Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + Support for other resources is Implementation-Specific.' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: 'Name is the name of the referent. + + + Support: Core' + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the referent. + When unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which + cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are referring + to. For example: + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable any other kind of cross-namespace + reference. + + + + ParentRefs from a Route to a Service in the same namespace + are "producer" + + routes, which apply default routing rules to inbound connections + from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace + are + + "consumer" routes, and these routing rules are only applied + to outbound + + connections originating from the same namespace as the + Route, for which + + the intended destination of the connections are a Service + targeted as a + + ParentRef of the Route. + + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port is the network port this Route targets. + It can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all + listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It''s not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply to + a specific port + + as opposed to a listener(s) whose port(s) may be changed. + When both Port + + and SectionName are specified, the name and port of the + selected listener + + must match both specified values. + + + + When the parent resource is a Service, this targets a + specific port in the + + Service spec. When both Port (experimental) and SectionName + are specified, + + the name and port of the selected port must match both + specified values. + + + + Implementations MAY choose to support other parent resources. + + Implementations supporting other types of parent resources + MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment + + from the referencing Route, the Route MUST be considered + successfully + + attached. If no Gateway listeners accept attachment from + this Route, + + the Route MUST be considered detached from the Gateway. + + + Support: Extended' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: 'SectionName is the name of a section within + the target resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + * Service: Port name. When both Port (experimental) and + SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how SectionName + is + + interpreted. + + + When unspecified (empty string), this will reference the + entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment from + + the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from + this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha3 + schema: + openAPIV3Schema: + description: 'The TLSRoute resource is similar to TCPRoute, but can be configured + + to match against TLS-specific metadata. This allows more flexibility + + in matching streams for a given TLS listener. + + + If you need to forward traffic to a single target for a TLS listener, you + + could choose to use a TCPRoute with a TLS listener.' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. + + Servers should convert recognized schemas to the latest internal value, + and + + may reject unrecognized values. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. + + Servers may infer this from the endpoint the client submits requests + to. + + Cannot be updated. + + In CamelCase. + + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of TLSRoute. + properties: + hostnames: + description: "Hostnames defines a set of SNI hostnames that should\ + \ match against the\nSNI attribute of TLS ClientHello message in\ + \ TLS handshake. This matches\nthe RFC 1123 definition of a hostname\ + \ with 2 notable exceptions:\n\n1. IPs are not allowed in SNI hostnames\ + \ per RFC 6066.\n2. A hostname may be prefixed with a wildcard label\ + \ (`*.`). The wildcard\n label must appear by itself as the first\ + \ label.\n\nIf a hostname is specified by both the Listener and\ + \ TLSRoute, there\nmust be at least one intersecting hostname for\ + \ the TLSRoute to be\nattached to the Listener. For example:\n\n\ + * A Listener with `test.example.com` as the hostname matches TLSRoutes\n\ + \ that have specified at least one of `test.example.com` or\n \ + \ `*.example.com`.\n* A Listener with `*.example.com` as the hostname\ + \ matches TLSRoutes\n that have specified at least one hostname\ + \ that matches the Listener\n hostname. For example, `test.example.com`\ + \ and `*.example.com` would both\n match. On the other hand, `example.com`\ + \ and `test.example.net` would not\n match.\n\nIf both the Listener\ + \ and TLSRoute have specified hostnames, any\nTLSRoute hostnames\ + \ that do not match the Listener hostname MUST be\nignored. For\ + \ example, if a Listener specified `*.example.com`, and the\nTLSRoute\ + \ specified `test.example.com` and `test.example.net`,\n`test.example.net`\ + \ must not be considered for a match.\n\nIf both the Listener and\ + \ TLSRoute have specified hostnames, and none\nmatch with the criteria\ + \ above, then the TLSRoute is not accepted. The\nimplementation\ + \ must raise an 'Accepted' Condition with a status of\n`False` in\ + \ the corresponding RouteParentStatus.\n\nSupport: Core" + items: + description: "Hostname is the fully qualified domain name of a network\ + \ host. This matches\nthe RFC 1123 definition of a hostname with\ + \ 2 notable exceptions:\n\n 1. IPs are not allowed.\n 2. A hostname\ + \ may be prefixed with a wildcard label (`*.`). The wildcard\n\ + \ label must appear by itself as the first label.\n\nHostname\ + \ can be \"precise\" which is a domain name without the terminating\n\ + dot of a network host (e.g. \"foo.example.com\") or \"wildcard\"\ + , which is a\ndomain name prefixed with a single wildcard label\ + \ (e.g. `*.example.com`).\n\nNote that as per RFC1035 and RFC1123,\ + \ a *label* must consist of lower case\nalphanumeric characters\ + \ or '-', and must start and end with an alphanumeric\ncharacter.\ + \ No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + parentRefs: + description: "ParentRefs references the resources (usually Gateways)\ + \ that a Route wants\nto be attached to. Note that the referenced\ + \ parent resource needs to\nallow this for the attachment to be\ + \ complete. For Gateways, that means\nthe Gateway needs to allow\ + \ attachment from Routes of this kind and\nnamespace. For Services,\ + \ that means the Service must either be in the same\nnamespace for\ + \ a \"producer\" route, or the mesh implementation must support\n\ + and allow \"consumer\" routes for the referenced Service. ReferenceGrant\ + \ is\nnot applicable for governing ParentRefs to Services - it is\ + \ not possible to\ncreate a \"producer\" route for a Service in\ + \ a different namespace from the\nRoute.\n\nThere are two kinds\ + \ of parent resources with \"Core\" support:\n\n* Gateway (Gateway\ + \ conformance profile)\n* Service (Mesh conformance profile, ClusterIP\ + \ Services only)\n\nThis API may be extended in the future to support\ + \ additional kinds of parent\nresources.\n\nParentRefs must be _distinct_.\ + \ This means either that:\n\n* They select different objects. If\ + \ this is the case, then parentRef\n entries are distinct. In terms\ + \ of fields, this means that the\n multi-part key defined by `group`,\ + \ `kind`, `namespace`, and `name` must\n be unique across all parentRef\ + \ entries in the Route.\n* They do not select different objects,\ + \ but for each optional field used,\n each ParentRef that selects\ + \ the same object must set the same set of\n optional fields to\ + \ different values. If one ParentRef sets a\n combination of optional\ + \ fields, all must set the same combination.\n\nSome examples:\n\ + \n* If one ParentRef sets `sectionName`, all ParentRefs referencing\ + \ the\n same object must also set `sectionName`.\n* If one ParentRef\ + \ sets `port`, all ParentRefs referencing the same\n object must\ + \ also set `port`.\n* If one ParentRef sets `sectionName` and `port`,\ + \ all ParentRefs\n referencing the same object must also set `sectionName`\ + \ and `port`.\n\nIt is possible to separately reference multiple\ + \ distinct objects that may\nbe collapsed by an implementation.\ + \ For example, some implementations may\nchoose to merge compatible\ + \ Gateway Listeners together. If that is the\ncase, the list of\ + \ routes attached to those resources should also be\nmerged.\n\n\ + Note that for ParentRefs that cross namespace boundaries, there\ + \ are specific\nrules. Cross-namespace references are only valid\ + \ if they are explicitly\nallowed by something in the namespace\ + \ they are referring to. For example,\nGateway has the AllowedRoutes\ + \ field, and ReferenceGrant provides a\ngeneric way to enable other\ + \ kinds of cross-namespace reference.\n\n\nParentRefs from a Route\ + \ to a Service in the same namespace are \"producer\"\nroutes, which\ + \ apply default routing rules to inbound connections from\nany namespace\ + \ to the Service.\n\nParentRefs from a Route to a Service in a different\ + \ namespace are\n\"consumer\" routes, and these routing rules are\ + \ only applied to outbound\nconnections originating from the same\ + \ namespace as the Route, for which\nthe intended destination of\ + \ the connections are a Service targeted as a\nParentRef of the\ + \ Route." + items: + description: 'ParentReference identifies an API object (usually + a Gateway) that can be considered + + a parent of this resource (usually a route). There are two kinds + of parent resources + + with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services only) + + + This API may be extended in the future to support additional kinds + of parent + + resources. + + + The API object must be valid in the cluster; the Group and Kind + must + + be registered in the cluster for this reference to be valid.' + properties: + group: + default: gateway.networking.k8s.io + description: 'Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a "Service" kind referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: 'Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services only) + + + Support for other resources is Implementation-Specific.' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: 'Name is the name of the referent. + + + Support: Core' + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the referent. When + unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which cross + namespace + + boundaries. Cross-namespace references are only valid if they + are explicitly + + allowed by something in the namespace they are referring to. + For example: + + Gateway has the AllowedRoutes field, and ReferenceGrant provides + a + + generic way to enable any other kind of cross-namespace reference. + + + + ParentRefs from a Route to a Service in the same namespace + are "producer" + + routes, which apply default routing rules to inbound connections + from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace + are + + "consumer" routes, and these routing rules are only applied + to outbound + + connections originating from the same namespace as the Route, + for which + + the intended destination of the connections are a Service + targeted as a + + ParentRef of the Route. + + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port is the network port this Route targets. It + can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all listeners + + listening on the specified port that also support this kind + of Route(and + + select this Route). It''s not recommended to set `Port` unless + the + + networking behaviors specified in a Route must apply to a + specific port + + as opposed to a listener(s) whose port(s) may be changed. + When both Port + + and SectionName are specified, the name and port of the selected + listener + + must match both specified values. + + + + When the parent resource is a Service, this targets a specific + port in the + + Service spec. When both Port (experimental) and SectionName + are specified, + + the name and port of the selected port must match both specified + values. + + + + Implementations MAY choose to support other parent resources. + + Implementations supporting other types of parent resources + MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered successful + as + + long as the parent resource accepts it partially. For example, + Gateway + + listeners can restrict which Routes can attach to them by + Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment + + from the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from this + Route, + + the Route MUST be considered detached from the Gateway. + + + Support: Extended' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: 'SectionName is the name of a section within the + target resource. In the + + following resources, SectionName is interpreted as the following: + + + * Gateway: Listener name. When both Port (experimental) and + SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + * Service: Port name. When both Port (experimental) and SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + + Implementations MAY choose to support attaching Routes to + other resources. + + If that is the case, they MUST clearly document how SectionName + is + + interpreted. + + + When unspecified (empty string), this will reference the entire + resource. + + For the purpose of status, an attachment is considered successful + if at + + least one section in the parent resource accepts it. For example, + Gateway + + listeners can restrict which Routes can attach to them by + Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment from + + the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from this + Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: sectionName or port must be specified when parentRefs includes + 2 or more references to the same parent + rule: 'self.all(p1, self.all(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '''') && (!has(p2.__namespace__) || p2.__namespace__ + == '''')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__)) ? ((!has(p1.sectionName) + || p1.sectionName == '''') == (!has(p2.sectionName) || p2.sectionName + == '''') && (!has(p1.port) || p1.port == 0) == (!has(p2.port) + || p2.port == 0)): true))' + - message: sectionName or port must be unique when parentRefs includes + 2 or more references to the same parent + rule: self.all(p1, self.exists_one(p2, p1.group == p2.group && p1.kind + == p2.kind && p1.name == p2.name && (((!has(p1.__namespace__) + || p1.__namespace__ == '') && (!has(p2.__namespace__) || p2.__namespace__ + == '')) || (has(p1.__namespace__) && has(p2.__namespace__) && + p1.__namespace__ == p2.__namespace__ )) && (((!has(p1.sectionName) + || p1.sectionName == '') && (!has(p2.sectionName) || p2.sectionName + == '')) || ( has(p1.sectionName) && has(p2.sectionName) && p1.sectionName + == p2.sectionName)) && (((!has(p1.port) || p1.port == 0) && (!has(p2.port) + || p2.port == 0)) || (has(p1.port) && has(p2.port) && p1.port + == p2.port)))) + rules: + description: Rules are a list of actions. + items: + description: TLSRouteRule is the configuration for a given rule. + properties: + backendRefs: + description: 'BackendRefs defines the backend(s) where matching + requests should be + + sent. If unspecified or invalid (refers to a nonexistent resource + or + + a Service with no endpoints), the rule performs no forwarding; + if no + + filters are specified that would result in a response being + sent, the + + underlying implementation must actively reject request attempts + to this + + backend, by rejecting the connection or returning a 500 status + code. + + Request rejections must respect weight; if an invalid backend + is + + requested to have 80% of requests, then 80% of requests must + be rejected + + instead. + + + Support: Core for Kubernetes Service + + + Support: Extended for Kubernetes ServiceImport + + + Support: Implementation-specific for any other resource + + + Support for weight: Extended' + items: + description: 'BackendRef defines how a Route should forward + a request to a Kubernetes + + resource. + + + Note that when a namespace different than the local namespace + is specified, a + + ReferenceGrant object is required in the referent namespace + to allow that + + namespace''s owner to accept the reference. See the ReferenceGrant + + documentation for details. + + + + When the BackendRef points to a Kubernetes Service, implementations + SHOULD + + honor the appProtocol field if it is set for the target + Service Port. + + + Implementations supporting appProtocol SHOULD recognize + the Kubernetes + + Standard Application Protocols defined in KEP-3726. + + + If a Service appProtocol isn''t specified, an implementation + MAY infer the + + backend protocol through its own means. Implementations + MAY infer the + + protocol from the Route type referring to the backend Service. + + + If a Route is not able to send traffic to the backend using + the specified + + protocol then the backend is considered invalid. Implementations + MUST set the + + "ResolvedRefs" condition to "False" with the "UnsupportedProtocol" + reason. + + + + Note that when the BackendTLSPolicy object is enabled by + the implementation, + + there are some extra rules about validity to consider here. + See the fields + + where this struct is used for more information about the + exact behavior.' + properties: + group: + default: '' + description: 'Group is the group of the referent. For + example, "gateway.networking.k8s.io". + + When unspecified or empty string, core API group is + inferred.' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: 'Kind is the Kubernetes resource kind of + the referent. For example + + "Service". + + + Defaults to "Service" when not specified. + + + ExternalName services can refer to CNAME DNS records + that may live + + outside of the cluster and as such are difficult to + reason about in + + terms of conformance. They also may not be safe to forward + to (see + + CVE-2021-25740 for more information). Implementations + SHOULD NOT + + support ExternalName Services. + + + Support: Core (Services with a type other than ExternalName) + + + Support: Implementation-specific (Services with type + ExternalName)' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the backend. + When unspecified, the local + + namespace is inferred. + + + Note that when a namespace different than the local + namespace is specified, + + a ReferenceGrant object is required in the referent + namespace to allow that + + namespace''s owner to accept the reference. See the + ReferenceGrant + + documentation for details. + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port specifies the destination port number + to use for this resource. + + Port is required when the referent is a Kubernetes Service. + In this + + case, the port number is the service port number, not + the target port. + + For other resources, destination port might be derived + from the referent + + resource or this field.' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: 'Weight specifies the proportion of requests + forwarded to the referenced + + backend. This is computed as weight/(sum of all weights + in this + + BackendRefs list). For non-zero values, there may be + some epsilon from + + the exact proportion defined here depending on the precision + an + + implementation supports. Weight is not a percentage + and the sum of + + weights does not need to equal 100. + + + If only one backend is specified and it has a weight + greater than 0, 100% + + of the traffic is forwarded to that backend. If weight + is set to 0, no + + traffic should be forwarded for this entry. If unspecified, + weight + + defaults to 1. + + + Support for this field varies based on the context where + used.' + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + x-kubernetes-validations: + - message: Must have port for Service reference + rule: '(size(self.group) == 0 && self.kind == ''Service'') + ? has(self.port) : true' + maxItems: 16 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + name: + description: 'Name is the name of the route rule. This name + MUST be unique within a Route if it is set. + + + Support: Extended' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - backendRefs + type: object + maxItems: 1 + minItems: 1 + type: array + x-kubernetes-list-type: atomic + x-kubernetes-validations: + - message: Rule name must be unique within the route + rule: self.all(l1, !has(l1.name) || self.exists_one(l2, has(l2.name) + && l1.name == l2.name)) + useDefaultGateways: + description: 'UseDefaultGateways indicates the default Gateway scope + to use for this + + Route. If unset (the default) or set to None, the Route will not + be + + attached to any default Gateway; if set, it will be attached to + any + + default Gateway supporting the named scope, subject to the usual + rules + + about which Routes a Gateway is allowed to claim. + + + Think carefully before using this functionality! The set of default + + Gateways supporting the requested scope can change over time without + + any notice to the Route author, and in many situations it will not + be + + appropriate to request a default Gateway for a given Route -- for + + example, a Route with specific security requirements should almost + + certainly not use a default Gateway.' + enum: + - All + - None + type: string + required: + - hostnames + - rules + type: object + status: + description: Status defines the current state of TLSRoute. + properties: + parents: + description: 'Parents is a list of parent resources (usually Gateways) + that are + + associated with the route, and the status of the route with respect + to + + each parent. When this route attaches to a parent, the controller + that + + manages the parent must add an entry to this list when the controller + + first sees the route and should update the entry as appropriate + when the + + route or gateway is modified. + + + Note that parent references that cannot be resolved by an implementation + + of this API will not be added to this list. Implementations of this + API + + can only populate Route status for the Gateways/parent resources + they are + + responsible for. + + + A maximum of 32 Gateways will be represented in this list. An empty + list + + means the route has not been attached to any Gateway.' + items: + description: 'RouteParentStatus describes the status of a route + with respect to an + + associated Parent.' + properties: + conditions: + description: 'Conditions describes the status of the route with + respect to the Gateway. + + Note that the route''s availability is also subject to the + Gateway''s own + + status conditions and listener status. + + + If the Route''s ParentRef specifies an existing Gateway that + supports + + Routes of this kind AND that Gateway''s controller has sufficient + access, + + then that Gateway''s controller MUST set the "Accepted" condition + on the + + Route, to indicate whether the route has been accepted or + rejected by the + + Gateway, and why. + + + A Route MUST be considered "Accepted" if at least one of the + Route''s + + rules is implemented by the Gateway. + + + There are a number of cases where the "Accepted" condition + may not be set + + due to lack of controller visibility, that includes when: + + + * The Route refers to a nonexistent parent. + + * The Route is of a type that the controller does not support. + + * The Route is in a namespace the controller does not have + access to.' + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: 'lastTransitionTime is the last time the + condition transitioned from one status to another. + + This should be when the underlying condition changed. If + that is not known, then using the time when the API + field changed is acceptable.' + format: date-time + type: string + message: + description: 'message is a human readable message indicating + details about the transition. + + This may be an empty string.' + maxLength: 32768 + type: string + observedGeneration: + description: 'observedGeneration represents the .metadata.generation + that the condition was set based upon. + + For instance, if .metadata.generation is currently 12, + but the .status.conditions[x].observedGeneration is + 9, the condition is out of date + + with respect to the current state of the instance.' + format: int64 + minimum: 0 + type: integer + reason: + description: 'reason contains a programmatic identifier + indicating the reason for the condition''s last transition. + + Producers of specific condition types may define expected + values and meanings for this field, + + and whether the values are considered a guaranteed API. + + The value should be a CamelCase string. + + This field may not be empty.' + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - 'True' + - 'False' + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: 'ControllerName is a domain/path string that indicates + the name of the + + controller that wrote this status. This corresponds with the + + controllerName field on GatewayClass. + + + Example: "example.net/gateway-controller". + + + The format of this field is DOMAIN "/" PATH, where DOMAIN + and PATH are + + valid Kubernetes names + + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + + Controllers MUST populate this field when writing status. + Controllers should ensure that + + entries to status populated with their ControllerName are + cleaned up when they are no + + longer necessary.' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: 'ParentRef corresponds with a ParentRef in the + spec that this + + RouteParentStatus struct describes the status of.' + properties: + group: + default: gateway.networking.k8s.io + description: 'Group is the group of the referent. + + When unspecified, "gateway.networking.k8s.io" is inferred. + + To set the core API group (such as for a "Service" kind + referent), + + Group must be explicitly set to "" (empty string). + + + Support: Core' + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: 'Kind is kind of the referent. + + + There are two kinds of parent resources with "Core" support: + + + * Gateway (Gateway conformance profile) + + * Service (Mesh conformance profile, ClusterIP Services + only) + + + Support for other resources is Implementation-Specific.' + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: 'Name is the name of the referent. + + + Support: Core' + maxLength: 253 + minLength: 1 + type: string + namespace: + description: 'Namespace is the namespace of the referent. + When unspecified, this refers + + to the local namespace of the Route. + + + Note that there are specific rules for ParentRefs which + cross namespace + + boundaries. Cross-namespace references are only valid + if they are explicitly + + allowed by something in the namespace they are referring + to. For example: + + Gateway has the AllowedRoutes field, and ReferenceGrant + provides a + + generic way to enable any other kind of cross-namespace + reference. + + + + ParentRefs from a Route to a Service in the same namespace + are "producer" + + routes, which apply default routing rules to inbound connections + from + + any namespace to the Service. + + + ParentRefs from a Route to a Service in a different namespace + are + + "consumer" routes, and these routing rules are only applied + to outbound + + connections originating from the same namespace as the + Route, for which + + the intended destination of the connections are a Service + targeted as a + + ParentRef of the Route. + + + + Support: Core' + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: 'Port is the network port this Route targets. + It can be interpreted + + differently based on the type of parent resource. + + + When the parent resource is a Gateway, this targets all + listeners + + listening on the specified port that also support this + kind of Route(and + + select this Route). It''s not recommended to set `Port` + unless the + + networking behaviors specified in a Route must apply to + a specific port + + as opposed to a listener(s) whose port(s) may be changed. + When both Port + + and SectionName are specified, the name and port of the + selected listener + + must match both specified values. + + + + When the parent resource is a Service, this targets a + specific port in the + + Service spec. When both Port (experimental) and SectionName + are specified, + + the name and port of the selected port must match both + specified values. + + + + Implementations MAY choose to support other parent resources. + + Implementations supporting other types of parent resources + MUST clearly + + document how/if Port is interpreted. + + + For the purpose of status, an attachment is considered + successful as + + long as the parent resource accepts it partially. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment + + from the referencing Route, the Route MUST be considered + successfully + + attached. If no Gateway listeners accept attachment from + this Route, + + the Route MUST be considered detached from the Gateway. + + + Support: Extended' + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: 'SectionName is the name of a section within + the target resource. In the + + following resources, SectionName is interpreted as the + following: + + + * Gateway: Listener name. When both Port (experimental) + and SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + * Service: Port name. When both Port (experimental) and + SectionName + + are specified, the name and port of the selected listener + must match + + both specified values. + + + Implementations MAY choose to support attaching Routes + to other resources. + + If that is the case, they MUST clearly document how SectionName + is + + interpreted. + + + When unspecified (empty string), this will reference the + entire resource. + + For the purpose of status, an attachment is considered + successful if at + + least one section in the parent resource accepts it. For + example, Gateway + + listeners can restrict which Routes can attach to them + by Route kind, + + namespace, or hostname. If 1 of 2 Gateway listeners accept + attachment from + + the referencing Route, the Route MUST be considered successfully + + attached. If no Gateway listeners accept attachment from + this Route, the + + Route MUST be considered detached from the Gateway. + + + Support: Core' + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - conditions + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + x-kubernetes-list-type: atomic + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: '' + plural: '' + conditions: null + storedVersions: null diff --git a/config/test/crd/istio/istio.banzaicloud.io_istiomeshgateways.yaml b/config/test/crd/istio/istio.banzaicloud.io_istiomeshgateways.yaml deleted file mode 100644 index 44b719238..000000000 --- a/config/test/crd/istio/istio.banzaicloud.io_istiomeshgateways.yaml +++ /dev/null @@ -1,1716 +0,0 @@ -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - name: istiomeshgateways.servicemesh.cisco.com - labels: - resource.alpha.banzaicloud.io/revision: 1.15.0 -spec: - group: servicemesh.cisco.com - names: - kind: IstioMeshGateway - listKind: IstioMeshGatewayList - plural: istiomeshgateways - shortNames: - - imgw - - istiomgw - singular: istiomeshgateway - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: Type of the gateway - jsonPath: .spec.type - name: Type - type: string - - description: Type of the service - jsonPath: .spec.service.type - name: Service Type - type: string - - description: Status of the resource - jsonPath: .status.Status - name: Status - type: string - - description: Ingress gateway addresses of the resource - jsonPath: .status.GatewayAddress - name: Ingress IPs - type: string - - description: Error message - jsonPath: .status.ErrorMessage - name: Error - type: string - - jsonPath: .metadata.creationTimestamp - name: Age - type: date - - jsonPath: .spec.istioControlPlane - name: Control Plane - type: string - name: v1alpha1 - schema: - openAPIV3Schema: - properties: - spec: - properties: - deployment: - properties: - affinity: - properties: - nodeAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - preference: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - type: object - weight: - format: int32 - type: integer - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - properties: - nodeSelectorTerms: - items: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - matchFields: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - type: object - type: array - type: object - type: object - podAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - type: object - type: array - type: object - podAntiAffinity: - properties: - preferredDuringSchedulingIgnoredDuringExecution: - items: - properties: - podAffinityTerm: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - type: object - weight: - format: int32 - type: integer - type: object - type: array - requiredDuringSchedulingIgnoredDuringExecution: - items: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaceSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - namespaces: - items: - type: string - type: array - topologyKey: - type: string - type: object - type: array - type: object - type: object - deploymentStrategy: - properties: - rollingUpdate: - properties: - maxSurge: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: - type: string - type: object - env: - items: - properties: - name: - type: string - value: - type: string - valueFrom: - properties: - configMapKeyRef: - properties: - key: - type: string - localObjectReference: - properties: - name: - type: string - type: object - optional: - type: boolean - type: object - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - type: object - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - type: object - secretKeyRef: - properties: - key: - type: string - localObjectReference: - properties: - name: - type: string - type: object - optional: - type: boolean - type: object - type: object - type: object - type: array - image: - type: string - imagePullPolicy: - type: string - imagePullSecrets: - items: - properties: - name: - type: string - type: object - type: array - livenessProbe: - properties: - failureThreshold: - format: int32 - type: integer - handler: - properties: - exec: - properties: - command: - items: - type: string - type: array - type: object - grpc: - properties: - port: - format: int32 - type: integer - service: - default: "" - type: string - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - type: object - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - nodeSelector: - additionalProperties: - type: string - type: object - podDisruptionBudget: - properties: - maxUnavailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - minAvailable: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - podMetadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - podSecurityContext: - properties: - fsGroup: - format: int64 - type: integer - fsGroupChangePolicy: - type: string - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - type: object - seccompProfile: - properties: - localhostProfile: - type: string - type: - type: string - type: object - supplementalGroups: - items: - format: int64 - type: integer - type: array - sysctls: - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - windowsOptions: - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - type: object - type: object - priorityClassName: - type: string - readinessProbe: - properties: - failureThreshold: - format: int32 - type: integer - handler: - properties: - exec: - properties: - command: - items: - type: string - type: array - type: object - grpc: - properties: - port: - format: int32 - type: integer - service: - default: "" - type: string - type: object - httpGet: - properties: - host: - type: string - httpHeaders: - items: - properties: - name: - type: string - value: - type: string - type: object - type: array - path: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - scheme: - type: string - type: object - tcpSocket: - properties: - host: - type: string - port: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - initialDelaySeconds: - format: int32 - type: integer - periodSeconds: - format: int32 - type: integer - successThreshold: - format: int32 - type: integer - terminationGracePeriodSeconds: - format: int64 - type: integer - timeoutSeconds: - format: int32 - type: integer - type: object - replicas: - properties: - count: - minimum: 0 - nullable: true - type: integer - max: - minimum: 1 - nullable: true - type: integer - min: - minimum: 0 - nullable: true - type: integer - targetCPUUtilizationPercentage: - minimum: 0 - nullable: true - type: integer - type: object - resources: - properties: - limits: - additionalProperties: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - requests: - additionalProperties: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - type: object - type: object - securityContext: - properties: - allowPrivilegeEscalation: - type: boolean - capabilities: - properties: - add: - items: - type: string - type: array - drop: - items: - type: string - type: array - type: object - privileged: - type: boolean - procMount: - type: string - readOnlyRootFilesystem: - type: boolean - runAsGroup: - format: int64 - type: integer - runAsNonRoot: - type: boolean - runAsUser: - format: int64 - type: integer - seLinuxOptions: - properties: - level: - type: string - role: - type: string - type: - type: string - user: - type: string - type: object - seccompProfile: - properties: - localhostProfile: - type: string - type: - type: string - type: object - windowsOptions: - properties: - gmsaCredentialSpec: - type: string - gmsaCredentialSpecName: - type: string - hostProcess: - type: boolean - runAsUserName: - type: string - type: object - type: object - tolerations: - items: - properties: - effect: - type: string - key: - type: string - operator: - type: string - tolerationSeconds: - format: int64 - type: integer - value: - type: string - type: object - type: array - topologySpreadConstraints: - properties: - labelSelector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - maxSkew: - format: int32 - type: integer - topologyKey: - type: string - whenUnsatisfiable: - type: string - type: object - volumeMounts: - items: - properties: - mountPath: - type: string - mountPropagation: - type: string - name: - type: string - readOnly: - type: boolean - subPath: - type: string - subPathExpr: - type: string - type: object - type: array - volumes: - items: - properties: - name: - type: string - volumeSource: - properties: - awsElasticBlockStore: - properties: - fsType: - type: string - partition: - format: int32 - type: integer - readOnly: - type: boolean - volumeID: - type: string - type: object - azureDisk: - properties: - cachingMode: - type: string - diskName: - type: string - diskURI: - type: string - fsType: - type: string - kind: - type: string - readOnly: - type: boolean - type: object - azureFile: - properties: - readOnly: - type: boolean - secretName: - type: string - shareName: - type: string - type: object - cephfs: - properties: - monitors: - items: - type: string - type: array - path: - type: string - readOnly: - type: boolean - secretFile: - type: string - secretRef: - properties: - name: - type: string - type: object - user: - type: string - type: object - cinder: - properties: - fsType: - type: string - readOnly: - type: boolean - secretRef: - properties: - name: - type: string - type: object - volumeID: - type: string - type: object - configMap: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - type: object - type: array - localObjectReference: - properties: - name: - type: string - type: object - optional: - type: boolean - type: object - csi: - properties: - driver: - type: string - fsType: - type: string - nodePublishSecretRef: - properties: - name: - type: string - type: object - readOnly: - type: boolean - volumeAttributes: - additionalProperties: - type: string - type: object - type: object - downwardAPI: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - type: object - mode: - format: int32 - type: integer - path: - type: string - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - type: object - type: object - type: array - type: object - emptyDir: - properties: - medium: - type: string - sizeLimit: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - type: object - ephemeral: - properties: - volumeClaimTemplate: - properties: - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - clusterName: - type: string - creationTimestamp: - properties: - nanos: - format: int32 - type: integer - seconds: - format: int64 - type: integer - type: object - deletionGracePeriodSeconds: - format: int64 - type: integer - deletionTimestamp: - properties: - nanos: - format: int32 - type: integer - seconds: - format: int64 - type: integer - type: object - finalizers: - items: - type: string - type: array - generateName: - type: string - generation: - format: int64 - type: integer - labels: - additionalProperties: - type: string - type: object - managedFields: - items: - properties: - apiVersion: - type: string - fieldsType: - type: string - fieldsV1: - properties: - Raw: - format: binary - type: string - type: object - manager: - type: string - operation: - type: string - subresource: - type: string - time: - properties: - nanos: - format: int32 - type: integer - seconds: - format: int64 - type: integer - type: object - type: object - type: array - name: - type: string - namespace: - type: string - ownerReferences: - items: - properties: - apiVersion: - type: string - blockOwnerDeletion: - type: boolean - controller: - type: boolean - kind: - type: string - name: - type: string - uid: - type: string - type: object - type: array - resourceVersion: - type: string - selfLink: - type: string - uid: - type: string - type: object - spec: - properties: - accessModes: - items: - type: string - type: array - dataSource: - properties: - apiGroup: - type: string - kind: - type: string - name: - type: string - type: object - dataSourceRef: - properties: - apiGroup: - type: string - kind: - type: string - name: - type: string - type: object - resources: - properties: - limits: - additionalProperties: - properties: - string: - type: string - type: object - type: object - requests: - additionalProperties: - properties: - string: - type: string - type: object - type: object - type: object - selector: - properties: - matchExpressions: - items: - properties: - key: - type: string - operator: - type: string - values: - items: - type: string - type: array - type: object - type: array - matchLabels: - additionalProperties: - type: string - type: object - type: object - storageClassName: - type: string - volumeMode: - type: string - volumeName: - type: string - type: object - type: object - type: object - fc: - properties: - fsType: - type: string - lun: - format: int32 - type: integer - readOnly: - type: boolean - targetWWNs: - items: - type: string - type: array - wwids: - items: - type: string - type: array - type: object - flexVolume: - properties: - driver: - type: string - fsType: - type: string - options: - additionalProperties: - type: string - type: object - readOnly: - type: boolean - secretRef: - properties: - name: - type: string - type: object - type: object - flocker: - properties: - datasetName: - type: string - datasetUUID: - type: string - type: object - gcePersistentDisk: - properties: - fsType: - type: string - partition: - format: int32 - type: integer - pdName: - type: string - readOnly: - type: boolean - type: object - gitRepo: - properties: - directory: - type: string - repository: - type: string - revision: - type: string - type: object - glusterfs: - properties: - endpoints: - type: string - path: - type: string - readOnly: - type: boolean - type: object - hostPath: - properties: - path: - type: string - type: - type: string - type: object - iscsi: - properties: - chapAuthDiscovery: - type: boolean - chapAuthSession: - type: boolean - fsType: - type: string - initiatorName: - type: string - iqn: - type: string - iscsiInterface: - type: string - lun: - format: int32 - type: integer - portals: - items: - type: string - type: array - readOnly: - type: boolean - secretRef: - properties: - name: - type: string - type: object - targetPortal: - type: string - type: object - nfs: - properties: - path: - type: string - readOnly: - type: boolean - server: - type: string - type: object - persistentVolumeClaim: - properties: - claimName: - type: string - readOnly: - type: boolean - type: object - photonPersistentDisk: - properties: - fsType: - type: string - pdID: - type: string - type: object - portworxVolume: - properties: - fsType: - type: string - readOnly: - type: boolean - volumeID: - type: string - type: object - projected: - properties: - defaultMode: - format: int32 - type: integer - sources: - items: - properties: - configMap: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - type: object - type: array - localObjectReference: - properties: - name: - type: string - type: object - optional: - type: boolean - type: object - downwardAPI: - properties: - items: - items: - properties: - fieldRef: - properties: - apiVersion: - type: string - fieldPath: - type: string - type: object - mode: - format: int32 - type: integer - path: - type: string - resourceFieldRef: - properties: - containerName: - type: string - divisor: - anyOf: - - type: integer - - type: string - pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ - x-kubernetes-int-or-string: true - resource: - type: string - type: object - type: object - type: array - type: object - secret: - properties: - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - type: object - type: array - localObjectReference: - properties: - name: - type: string - type: object - optional: - type: boolean - type: object - serviceAccountToken: - properties: - audience: - type: string - expirationSeconds: - format: int64 - type: integer - path: - type: string - type: object - type: object - type: array - type: object - quobyte: - properties: - group: - type: string - readOnly: - type: boolean - registry: - type: string - tenant: - type: string - user: - type: string - volume: - type: string - type: object - rbd: - properties: - fsType: - type: string - image: - type: string - keyring: - type: string - monitors: - items: - type: string - type: array - pool: - type: string - readOnly: - type: boolean - secretRef: - properties: - name: - type: string - type: object - user: - type: string - type: object - scaleIO: - properties: - fsType: - type: string - gateway: - type: string - protectionDomain: - type: string - readOnly: - type: boolean - secretRef: - properties: - name: - type: string - type: object - sslEnabled: - type: boolean - storageMode: - type: string - storagePool: - type: string - system: - type: string - volumeName: - type: string - type: object - secret: - properties: - defaultMode: - format: int32 - type: integer - items: - items: - properties: - key: - type: string - mode: - format: int32 - type: integer - path: - type: string - type: object - type: array - optional: - type: boolean - secretName: - type: string - type: object - storageos: - properties: - fsType: - type: string - readOnly: - type: boolean - secretRef: - properties: - name: - type: string - type: object - volumeName: - type: string - volumeNamespace: - type: string - type: object - vsphereVolume: - properties: - fsType: - type: string - storagePolicyID: - type: string - storagePolicyName: - type: string - volumePath: - type: string - type: object - type: object - type: object - type: array - type: object - istioControlPlane: - properties: - name: - type: string - namespace: - type: string - type: object - k8sResourceOverlays: - items: - properties: - groupVersionKind: - properties: - group: - type: string - kind: - type: string - version: - type: string - type: object - objectKey: - properties: - name: - type: string - namespace: - type: string - type: object - patches: - items: - properties: - parseValue: - type: boolean - path: - type: string - type: - enum: - - unspecified - - replace - - remove - type: string - value: - type: string - type: object - type: array - type: object - type: array - runAsRoot: - nullable: true - type: boolean - service: - properties: - clusterIP: - type: string - externalIPs: - items: - type: string - type: array - externalName: - type: string - externalTrafficPolicy: - type: string - healthCheckNodePort: - format: int32 - type: integer - ipFamily: - type: string - loadBalancerIP: - type: string - loadBalancerSourceRanges: - items: - type: string - type: array - metadata: - properties: - annotations: - additionalProperties: - type: string - type: object - labels: - additionalProperties: - type: string - type: object - type: object - ports: - items: - properties: - name: - type: string - nodePort: - format: int32 - type: integer - port: - format: int32 - type: integer - protocol: - default: TCP - type: string - targetPort: - anyOf: - - type: integer - - type: string - x-kubernetes-int-or-string: true - required: - - port - type: object - minItems: 1 - type: array - x-kubernetes-list-map-keys: - - port - - protocol - x-kubernetes-list-type: map - publishNotReadyAddresses: - nullable: true - type: boolean - selector: - additionalProperties: - type: string - type: object - sessionAffinity: - type: string - sessionAffinityConfig: - properties: - clientIP: - properties: - timeoutSeconds: - format: int32 - type: integer - type: object - type: object - type: - enum: - - ClusterIP - - NodePort - - LoadBalancer - type: string - required: - - ports - - type - type: object - type: - enum: - - ingress - - egress - type: string - required: - - istioControlPlane - - service - - type - type: object - status: - properties: - ErrorMessage: - type: string - GatewayAddress: - items: - type: string - type: array - Status: - enum: - - Unspecified - - Created - - ReconcileFailed - - Reconciling - - Available - - Unmanaged - type: string - type: object - required: - - spec - type: object - served: true - storage: true - subresources: - status: {} diff --git a/config/test/crd/istio/networking.istio.io_gateway.yaml b/config/test/crd/istio/networking.istio.io_gateway.yaml deleted file mode 100644 index 6647563ac..000000000 --- a/config/test/crd/istio/networking.istio.io_gateway.yaml +++ /dev/null @@ -1,258 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: gateways.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: Gateway - listKind: GatewayList - plural: gateways - shortNames: - - gw - singular: gateway - scope: Namespaced - versions: - - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting edge load balancer. See more details - at: https://istio.io/docs/reference/config/networking/gateway.html' - properties: - selector: - additionalProperties: - type: string - type: object - servers: - description: A list of server specifications. - items: - properties: - bind: - type: string - defaultEndpoint: - type: string - hosts: - description: One or more hosts exposed by this gateway. - items: - type: string - type: array - name: - description: An optional name of the server, when set must be - unique across all servers. - type: string - port: - properties: - name: - description: Label assigned to the port. - type: string - number: - description: A valid non-negative integer port number. - type: integer - protocol: - description: The protocol exposed on the port. - type: string - targetPort: - type: integer - type: object - tls: - description: Set of TLS related options that govern the server's - behavior. - properties: - caCertificates: - description: REQUIRED if mode is `MUTUAL`. - type: string - cipherSuites: - description: 'Optional: If specified, only support the specified - cipher list.' - items: - type: string - type: array - credentialName: - type: string - httpsRedirect: - type: boolean - maxProtocolVersion: - description: 'Optional: Maximum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - minProtocolVersion: - description: 'Optional: Minimum TLS protocol version.' - enum: - - TLS_AUTO - - TLSV1_0 - - TLSV1_1 - - TLSV1_2 - - TLSV1_3 - type: string - mode: - enum: - - PASSTHROUGH - - SIMPLE - - MUTUAL - - AUTO_PASSTHROUGH - - ISTIO_MUTUAL - type: string - privateKey: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - serverCertificate: - description: REQUIRED if mode is `SIMPLE` or `MUTUAL`. - type: string - subjectAltNames: - items: - type: string - type: array - verifyCertificateHash: - items: - type: string - type: array - verifyCertificateSpki: - items: - type: string - type: array - type: object - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} diff --git a/config/test/crd/istio/networking.istio.io_virtualservice.yaml b/config/test/crd/istio/networking.istio.io_virtualservice.yaml deleted file mode 100644 index 82ecb5673..000000000 --- a/config/test/crd/istio/networking.istio.io_virtualservice.yaml +++ /dev/null @@ -1,1524 +0,0 @@ ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio - name: virtualservices.networking.istio.io -spec: - group: networking.istio.io - names: - categories: - - istio-io - - networking-istio-io - kind: VirtualService - listKind: VirtualServiceList - plural: virtualservices - shortNames: - - vs - singular: virtualservice - scope: Namespaced - versions: - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1alpha3 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - type: string - derivePort: - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - type: integer - redirectCode: - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - - additionalPrinterColumns: - - description: The names of gateways and sidecars that should apply these routes - jsonPath: .spec.gateways - name: Gateways - type: string - - description: The destination hosts to which traffic is being sent - jsonPath: .spec.hosts - name: Hosts - type: string - - description: 'CreationTimestamp is a timestamp representing the server time - when this object was created. It is not guaranteed to be set in happens-before - order across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - jsonPath: .metadata.creationTimestamp - name: Age - type: date - name: v1beta1 - schema: - openAPIV3Schema: - properties: - spec: - description: 'Configuration affecting label/content routing, sni routing, - etc. See more details at: https://istio.io/docs/reference/config/networking/virtual-service.html' - properties: - exportTo: - description: A list of namespaces to which this virtual service is - exported. - items: - type: string - type: array - gateways: - description: The names of gateways and sidecars that should apply - these routes. - items: - type: string - type: array - hosts: - description: The destination hosts to which traffic is being sent. - items: - type: string - type: array - http: - description: An ordered list of route rules for HTTP traffic. - items: - properties: - corsPolicy: - description: Cross-Origin Resource Sharing policy (CORS). - properties: - allowCredentials: - nullable: true - type: boolean - allowHeaders: - items: - type: string - type: array - allowMethods: - description: List of HTTP methods allowed to access the - resource. - items: - type: string - type: array - allowOrigin: - description: The list of origins that are allowed to perform - CORS requests. - items: - type: string - type: array - allowOrigins: - description: String patterns that match allowed origins. - items: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: array - exposeHeaders: - items: - type: string - type: array - maxAge: - type: string - type: object - delegate: - properties: - name: - description: Name specifies the name of the delegate VirtualService. - type: string - namespace: - description: Namespace specifies the namespace where the - delegate VirtualService resides. - type: string - type: object - fault: - description: Fault injection policy to apply on HTTP traffic - at the client side. - properties: - abort: - oneOf: - - not: - anyOf: - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - - required: - - httpStatus - - required: - - grpcStatus - - required: - - http2Error - properties: - grpcStatus: - type: string - http2Error: - type: string - httpStatus: - description: HTTP status code to use to abort the Http - request. - format: int32 - type: integer - percentage: - description: Percentage of requests to be aborted with - the error code provided. - properties: - value: - format: double - type: number - type: object - type: object - delay: - oneOf: - - not: - anyOf: - - required: - - fixedDelay - - required: - - exponentialDelay - - required: - - fixedDelay - - required: - - exponentialDelay - properties: - exponentialDelay: - type: string - fixedDelay: - description: Add a fixed delay before forwarding the - request. - type: string - percent: - description: Percentage of requests on which the delay - will be injected (0-100). - format: int32 - type: integer - percentage: - description: Percentage of requests on which the delay - will be injected. - properties: - value: - format: double - type: number - type: object - type: object - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - match: - items: - properties: - authority: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - headers: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - type: object - ignoreUriCase: - description: Flag to specify whether the URI matching - should be case-insensitive. - type: boolean - method: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - name: - description: The name assigned to a match. - type: string - port: - description: Specifies the ports on the host that is being - addressed. - type: integer - queryParams: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: Query parameters for matching. - type: object - scheme: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - uri: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - withoutHeaders: - additionalProperties: - oneOf: - - not: - anyOf: - - required: - - exact - - required: - - prefix - - required: - - regex - - required: - - exact - - required: - - prefix - - required: - - regex - properties: - exact: - type: string - prefix: - type: string - regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). - type: string - type: object - description: withoutHeader has the same syntax with the - header, but has opposite meaning. - type: object - type: object - type: array - mirror: - properties: - host: - description: The name of a service from the service registry. - type: string - port: - description: Specifies the port on the host that is being - addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - mirror_percent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercent: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - nullable: true - type: integer - mirrorPercentage: - description: Percentage of the traffic to be mirrored by the - `mirror` field. - properties: - value: - format: double - type: number - type: object - name: - description: The name assigned to the route for debugging purposes. - type: string - redirect: - description: A HTTP rule can either redirect or forward (default) - traffic. - oneOf: - - not: - anyOf: - - required: - - port - - required: - - derivePort - - required: - - port - - required: - - derivePort - properties: - authority: - type: string - derivePort: - enum: - - FROM_PROTOCOL_DEFAULT - - FROM_REQUEST_PORT - type: string - port: - description: On a redirect, overwrite the port portion of - the URL with this value. - type: integer - redirectCode: - type: integer - scheme: - description: On a redirect, overwrite the scheme portion - of the URL with this value. - type: string - uri: - type: string - type: object - retries: - description: Retry policy for HTTP requests. - properties: - attempts: - description: Number of retries to be allowed for a given - request. - format: int32 - type: integer - perTryTimeout: - description: Timeout per attempt for a given request, including - the initial call and any retries. - type: string - retryOn: - description: Specifies the conditions under which retry - takes place. - type: string - retryRemoteLocalities: - description: Flag to specify whether the retries should - retry to other localities. - nullable: true - type: boolean - type: object - rewrite: - description: Rewrite HTTP URIs and Authority headers. - properties: - authority: - description: rewrite the Authority/Host header with this - value. - type: string - uri: - type: string - type: object - route: - description: A HTTP rule can either redirect or forward (default) - traffic. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - headers: - properties: - request: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - response: - properties: - add: - additionalProperties: - type: string - type: object - remove: - items: - type: string - type: array - set: - additionalProperties: - type: string - type: object - type: object - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - timeout: - description: Timeout for HTTP requests, default is disabled. - type: string - type: object - type: array - tcp: - description: An ordered list of route rules for opaque TCP traffic. - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - sourceSubnet: - description: IPv4 or IPv6 ip address of source with optional - subnet. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - tls: - items: - properties: - match: - items: - properties: - destinationSubnets: - description: IPv4 or IPv6 ip addresses of destination - with optional subnet. - items: - type: string - type: array - gateways: - description: Names of gateways where the rule should be - applied. - items: - type: string - type: array - port: - description: Specifies the port on the host that is being - addressed. - type: integer - sniHosts: - description: SNI (server name indicator) to match on. - items: - type: string - type: array - sourceLabels: - additionalProperties: - type: string - type: object - sourceNamespace: - description: Source namespace constraining the applicability - of a rule to workloads in that namespace. - type: string - type: object - type: array - route: - description: The destination to which the connection should - be forwarded to. - items: - properties: - destination: - properties: - host: - description: The name of a service from the service - registry. - type: string - port: - description: Specifies the port on the host that is - being addressed. - properties: - number: - type: integer - type: object - subset: - description: The name of a subset within the service. - type: string - type: object - weight: - description: Weight specifies the relative proportion - of traffic to be forwarded to the destination. - format: int32 - type: integer - type: object - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: false - subresources: - status: {} diff --git a/controllers/kafkacluster_controller.go b/controllers/kafkacluster_controller.go index a955bb50e..b04642fa7 100644 --- a/controllers/kafkacluster_controller.go +++ b/controllers/kafkacluster_controller.go @@ -48,7 +48,7 @@ import ( "github.com/banzaicloud/koperator/pkg/resources/cruisecontrol" "github.com/banzaicloud/koperator/pkg/resources/cruisecontrolmonitoring" "github.com/banzaicloud/koperator/pkg/resources/envoy" - "github.com/banzaicloud/koperator/pkg/resources/istioingress" + "github.com/banzaicloud/koperator/pkg/resources/envoygateway" "github.com/banzaicloud/koperator/pkg/resources/kafka" "github.com/banzaicloud/koperator/pkg/resources/kafkamonitoring" "github.com/banzaicloud/koperator/pkg/resources/nodeportexternalaccess" @@ -87,10 +87,10 @@ type KafkaClusterReconciler struct { // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkaclusters,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkaclusters/status,verbs=get;update;patch // +kubebuilder:rbac:groups=kafka.banzaicloud.io,resources=kafkaclusters/finalizers,verbs=create;update;patch;delete -// +kubebuilder:rbac:groups=servicemesh.cisco.com,resources=istiomeshgateways,verbs=get;list;watch;create;update;patch;delete -// +kubebuilder:rbac:groups=networking.istio.io,resources=*,verbs=* -// +kubebuilder:rbac:groups=apps,resources=deployments,verbs=get;list;watch;create;update;patch;delete // +kubebuilder:rbac:groups=projectcontour.io,resources=httpproxies,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=gateways,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=tlsroutes,verbs=get;list;watch;create;update;patch;delete +// +kubebuilder:rbac:groups=gateway.networking.k8s.io,resources=tcproutes,verbs=get;list;watch;create;update;patch;delete func (r *KafkaClusterReconciler) Reconcile(ctx context.Context, request ctrl.Request) (ctrl.Result, error) { log := logr.FromContextOrDiscard(ctx) @@ -123,9 +123,9 @@ func (r *KafkaClusterReconciler) Reconcile(ctx context.Context, request ctrl.Req reconcilers := []resources.ComponentReconciler{ envoy.New(r.Client, instance), - istioingress.New(r.Client, instance), nodeportexternalaccess.New(r.Client, instance), contouringress.New(r.Client, instance), + envoygateway.New(r.Client, instance), kafkamonitoring.New(r.Client, instance), cruisecontrolmonitoring.New(r.Client, instance), kafka.New(r.Client, r.DirectClient, instance, r.KafkaClientProvider), diff --git a/controllers/tests/clusterregistry/suite_test.go b/controllers/tests/clusterregistry/suite_test.go index e5a6ec895..aa30f80ff 100644 --- a/controllers/tests/clusterregistry/suite_test.go +++ b/controllers/tests/clusterregistry/suite_test.go @@ -55,8 +55,6 @@ import ( cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" - istioclientv1beta1 "github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1" - banzaiistiov1alpha1 "github.com/banzaicloud/istio-operator/api/v2/v1alpha1" contour "github.com/projectcontour/contour/apis/projectcontour/v1" banzaicloudv1alpha1 "github.com/banzaicloud/koperator/api/v1alpha1" @@ -99,7 +97,6 @@ var _ = BeforeSuite(func() { filepath.Join("..", "..", "..", "config", "base", "crds"), filepath.Join("..", "..", "..", "config", "test", "crd", "cert-manager"), filepath.Join("..", "..", "..", "config", "test", "crd", "projectcontour"), - filepath.Join("..", "..", "..", "config", "test", "crd", "istio"), }, ControlPlaneStopTimeout: stopTimeout, AttachControlPlaneOutput: false, @@ -121,13 +118,11 @@ var _ = BeforeSuite(func() { scheme := runtime.NewScheme() - Expect(banzaiistiov1alpha1.AddToScheme(scheme)).To(Succeed()) Expect(k8sscheme.AddToScheme(scheme)).To(Succeed()) Expect(apiv1.AddToScheme(scheme)).To(Succeed()) Expect(cmv1.AddToScheme(scheme)).To(Succeed()) Expect(banzaicloudv1alpha1.AddToScheme(scheme)).To(Succeed()) Expect(banzaicloudv1beta1.AddToScheme(scheme)).To(Succeed()) - Expect(istioclientv1beta1.AddToScheme(scheme)).To(Succeed()) Expect(contour.AddToScheme(scheme)).To(Succeed()) // +kubebuilder:scaffold:scheme diff --git a/controllers/tests/kafkacluster_controller_envoygateway_test.go b/controllers/tests/kafkacluster_controller_envoygateway_test.go new file mode 100644 index 000000000..13966cd17 --- /dev/null +++ b/controllers/tests/kafkacluster_controller_envoygateway_test.go @@ -0,0 +1,173 @@ +// Copyright 2025 Adobe. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package tests + +import ( + "context" + "fmt" + "sync/atomic" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/types" + gatewayv1 "sigs.k8s.io/gateway-api/apis/v1" + gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + + "github.com/banzaicloud/koperator/api/v1beta1" +) + +var _ = Describe("KafkaClusterWithEnvoyGatewayIngressController", Label("envoygateway"), func() { + var ( + count uint64 = 0 + namespace string + namespaceObj *corev1.Namespace + kafkaCluster *v1beta1.KafkaCluster + ) + + BeforeEach(func() { + atomic.AddUint64(&count, 1) + namespace = fmt.Sprintf("kafkaenvoygatewaytest-%v", count) + namespaceObj = &corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: namespace, + }, + } + + kafkaCluster = createMinimalKafkaClusterCR(fmt.Sprintf("kafkacluster-%d", count), namespace) + kafkaCluster.Spec.IngressController = "envoygateway" + kafkaCluster.Spec.EnvoyGatewayConfig = v1beta1.EnvoyGatewayIngressConfig{ + GatewayClassName: "eg", + BrokerHostnameTemplate: "broker-%id.kafka.cluster.local", + } + + envoyGatewayListener := kafkaCluster.Spec.ListenersConfig.ExternalListeners[0] + envoyGatewayListener.AccessMethod = corev1.ServiceTypeLoadBalancer + envoyGatewayListener.ExternalStartingPort = 19090 + envoyGatewayListener.Type = "plaintext" + envoyGatewayListener.Name = "listener1" + + kafkaCluster.Spec.ListenersConfig.ExternalListeners[0] = envoyGatewayListener + }) + + JustBeforeEach(func(ctx SpecContext) { + By("creating namespace " + namespace) + err := k8sClient.Create(ctx, namespaceObj) + Expect(err).NotTo(HaveOccurred()) + + By("creating kafka cluster object " + kafkaCluster.Name + " in namespace " + namespace) + err = k8sClient.Create(ctx, kafkaCluster) + Expect(err).NotTo(HaveOccurred()) + + waitForClusterRunningState(ctx, kafkaCluster, namespace) + }) + + JustAfterEach(func(ctx SpecContext) { + By("deleting Kafka cluster object " + kafkaCluster.Name + " in namespace " + namespace) + err := k8sClient.Delete(ctx, kafkaCluster) + Expect(err).NotTo(HaveOccurred()) + + kafkaCluster = nil + }) + + When("configuring Envoy Gateway ingress with TCP routes", func() { + It("should reconcile Gateway and TCPRoute objects properly", func(ctx SpecContext) { + expectEnvoyGateway(ctx, kafkaCluster, "listener1") + expectEnvoyGatewayTCPRoutes(ctx, kafkaCluster, "listener1") + }) + }) +}) + +func expectEnvoyGatewayLabels(labels map[string]string, eListenerName, crName string) { + Expect(labels).To(HaveKeyWithValue(v1beta1.AppLabelKey, "envoygateway")) + Expect(labels).To(HaveKeyWithValue("eListenerName", eListenerName)) + Expect(labels).To(HaveKeyWithValue(v1beta1.KafkaCRLabelKey, crName)) +} + +func expectEnvoyGateway(ctx context.Context, kafkaCluster *v1beta1.KafkaCluster, eListenerName string) { + var gateway gatewayv1.Gateway + gatewayName := fmt.Sprintf("kafka-gateway-%s", eListenerName) + Eventually(ctx, func() error { + err := k8sClient.Get(ctx, types.NamespacedName{Namespace: kafkaCluster.Namespace, Name: gatewayName}, &gateway) + return err + }).Should(Succeed()) + + expectEnvoyGatewayLabels(gateway.Labels, eListenerName, kafkaCluster.Name) + Expect(string(gateway.Spec.GatewayClassName)).To(Equal("eg")) + + // Check listeners + if kafkaCluster.Spec.KRaftMode { + // 2 brokers + 1 anycast = 3 listeners + Expect(gateway.Spec.Listeners).To(HaveLen(3)) + } else { + // 3 brokers + 1 anycast = 4 listeners + Expect(gateway.Spec.Listeners).To(HaveLen(4)) + } + + // Verify broker listeners + brokerCount := len(kafkaCluster.Spec.Brokers) + for i := 0; i < brokerCount; i++ { + listener := gateway.Spec.Listeners[i] + Expect(string(listener.Name)).To(Equal(fmt.Sprintf("broker-%d", kafkaCluster.Spec.Brokers[i].Id))) + Expect(listener.Port).To(BeEquivalentTo(19090 + kafkaCluster.Spec.Brokers[i].Id)) + Expect(listener.Protocol).To(Equal(gatewayv1.TCPProtocolType)) + } + + // Verify anycast listener + anycastListener := gateway.Spec.Listeners[brokerCount] + Expect(string(anycastListener.Name)).To(Equal("anycast")) + // Anycast listener should use the default anycast port (29092), not ExternalStartingPort + Expect(anycastListener.Port).To(BeEquivalentTo(29092)) + Expect(anycastListener.Protocol).To(Equal(gatewayv1.TCPProtocolType)) +} + +func expectEnvoyGatewayTCPRoutes(ctx context.Context, kafkaCluster *v1beta1.KafkaCluster, eListenerName string) { + brokerCount := len(kafkaCluster.Spec.Brokers) + + // Check TCPRoute for each broker + for i := 0; i < brokerCount; i++ { + var tcpRoute gatewayv1alpha2.TCPRoute + tcpRouteName := fmt.Sprintf("kafka-tcproute-%s-%d", eListenerName, kafkaCluster.Spec.Brokers[i].Id) + Eventually(ctx, func() error { + err := k8sClient.Get(ctx, types.NamespacedName{Namespace: kafkaCluster.Namespace, Name: tcpRouteName}, &tcpRoute) + return err + }).Should(Succeed()) + + expectEnvoyGatewayLabels(tcpRoute.Labels, eListenerName, kafkaCluster.Name) + + // Verify parent reference + Expect(tcpRoute.Spec.ParentRefs).To(HaveLen(1)) + Expect(string(tcpRoute.Spec.ParentRefs[0].Name)).To(Equal(fmt.Sprintf("kafka-gateway-%s", eListenerName))) + Expect(string(*tcpRoute.Spec.ParentRefs[0].SectionName)).To(Equal(fmt.Sprintf("broker-%d", kafkaCluster.Spec.Brokers[i].Id))) + + // Verify backend reference + Expect(tcpRoute.Spec.Rules).To(HaveLen(1)) + Expect(tcpRoute.Spec.Rules[0].BackendRefs).To(HaveLen(1)) + Expect(string(tcpRoute.Spec.Rules[0].BackendRefs[0].Name)).To(Equal(fmt.Sprintf("%s-all-broker", kafkaCluster.Name))) + } + + // Check anycast TCPRoute + var anycastTCPRoute gatewayv1alpha2.TCPRoute + anycastTCPRouteName := fmt.Sprintf("kafka-tcproute-%s-anycast", eListenerName) + Eventually(ctx, func() error { + err := k8sClient.Get(ctx, types.NamespacedName{Namespace: kafkaCluster.Namespace, Name: anycastTCPRouteName}, &anycastTCPRoute) + return err + }).Should(Succeed()) + + expectEnvoyGatewayLabels(anycastTCPRoute.Labels, eListenerName, kafkaCluster.Name) + Expect(anycastTCPRoute.Spec.ParentRefs).To(HaveLen(1)) + Expect(string(*anycastTCPRoute.Spec.ParentRefs[0].SectionName)).To(Equal("anycast")) +} diff --git a/controllers/tests/kafkacluster_controller_istioingress_test.go b/controllers/tests/kafkacluster_controller_istioingress_test.go deleted file mode 100644 index a3aa96e3c..000000000 --- a/controllers/tests/kafkacluster_controller_istioingress_test.go +++ /dev/null @@ -1,774 +0,0 @@ -// Copyright © 2020 Cisco Systems, Inc. and/or its affiliates -// Copyright 2025 Adobe. All rights reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package tests - -import ( - "context" - "encoding/json" - "fmt" - "sync/atomic" - - "google.golang.org/protobuf/types/known/wrapperspb" - - istioclientv1beta1 "github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1" - - istioOperatorApi "github.com/banzaicloud/istio-operator/api/v2/v1alpha1" - - "github.com/google/go-cmp/cmp" - "github.com/google/go-cmp/cmp/cmpopts" - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/api/resource" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" - "k8s.io/apimachinery/pkg/util/intstr" - - "github.com/banzaicloud/koperator/api/v1beta1" - "github.com/banzaicloud/koperator/pkg/util" - "github.com/banzaicloud/koperator/pkg/util/istioingress" -) - -var _ = Describe("KafkaClusterIstioIngressController", func() { - var ( - count uint64 = 0 - namespace string - namespaceObj *corev1.Namespace - kafkaClusterCRName string - kafkaCluster *v1beta1.KafkaCluster - ) - - ExpectIstioIngressLabels := func(labels map[string]string, eListenerName, crName string) { - Expect(labels).To(HaveKeyWithValue(v1beta1.AppLabelKey, "istioingress")) - Expect(labels).To(HaveKeyWithValue("eListenerName", eListenerName)) - Expect(labels).To(HaveKeyWithValue(v1beta1.KafkaCRLabelKey, crName)) - } - - BeforeEach(func() { - atomic.AddUint64(&count, 1) - - namespace = fmt.Sprintf("kafka-istioingress-%v", count) - namespaceObj = &corev1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: namespace, - }, - } - - kafkaClusterCRName = fmt.Sprintf("kafkacluster-%v", count) - kafkaCluster = createMinimalKafkaClusterCR(kafkaClusterCRName, namespace) - - kafkaCluster.Spec.IngressController = istioingress.IngressControllerName - kafkaCluster.Spec.IstioControlPlane = &v1beta1.IstioControlPlaneReference{Name: "icp-v115x-sample", Namespace: "istio-system"} - kafkaCluster.Spec.ListenersConfig.ExternalListeners = []v1beta1.ExternalListenerConfig{ - { - CommonListenerSpec: v1beta1.CommonListenerSpec{ - Type: "plaintext", - Name: "external", - ContainerPort: 9094, - }, - ExternalStartingPort: 19090, - }, - } - }) - - JustBeforeEach(func(ctx SpecContext) { - By("creating namespace " + namespace) - err := k8sClient.Create(ctx, namespaceObj) - Expect(err).NotTo(HaveOccurred()) - - By("creating Kafka cluster object " + kafkaCluster.Name + " in namespace " + namespace) - err = k8sClient.Create(ctx, kafkaCluster) - Expect(err).NotTo(HaveOccurred()) - - svcName := fmt.Sprintf("meshgateway-external-%s", kafkaCluster.Name) - svcFromMeshGateway := corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: svcName, - Namespace: namespace, - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeLoadBalancer, - Ports: []corev1.ServicePort{ - // other ports omitted - { - Name: "tcp-all-broker", - Port: 29092, // from MeshGateway (guarded by the tests) - Protocol: corev1.ProtocolTCP, - }, - }, - }, - } - err = k8sClient.Create(ctx, &svcFromMeshGateway) - Expect(err).NotTo(HaveOccurred()) - svcFromMeshGateway.Status.LoadBalancer.Ingress = []corev1.LoadBalancerIngress{{Hostname: "ingress.test.host.com"}} - err = k8sClient.Status().Update(ctx, &svcFromMeshGateway) - Expect(err).NotTo(HaveOccurred()) - - waitForClusterRunningState(ctx, kafkaCluster, namespace) - }) - - JustAfterEach(func(ctx SpecContext) { - By("deleting Kafka cluster object " + kafkaCluster.Name + " in namespace " + namespace) - err := k8sClient.Delete(ctx, kafkaCluster) - Expect(err).NotTo(HaveOccurred()) - kafkaCluster = nil - }) - - When("Istio ingress controller is configured", func() { - BeforeEach(func() { - kafkaCluster.Spec.IngressController = istioingress.IngressControllerName - }) - - It("creates Istio ingress related objects", func(ctx SpecContext) { - var meshGateway istioOperatorApi.IstioMeshGateway - meshGatewayName := fmt.Sprintf("meshgateway-external-%s", kafkaCluster.Name) - Eventually(ctx, func() error { - err := k8sClient.Get(context.Background(), types.NamespacedName{Namespace: namespace, Name: meshGatewayName}, &meshGateway) - return err - }).Should(Succeed()) - - meshGatewaySpec := meshGateway.Spec - ExpectIstioIngressLabels(meshGatewaySpec.Deployment.Metadata.Labels, "external", kafkaClusterCRName) - Expect(meshGatewaySpec.Service.Type).To(Equal(string(corev1.ServiceTypeLoadBalancer))) - deploymentConf := meshGatewaySpec.Deployment - - Expect(cmp.Equal(deploymentConf.Replicas.Count, wrapperspb.Int32(1), cmpopts.IgnoreUnexported(wrapperspb.Int32Value{}))).To(BeTrue()) - Expect(cmp.Equal(deploymentConf.Replicas.Min, wrapperspb.Int32(1), cmpopts.IgnoreUnexported(wrapperspb.Int32Value{}))).To(BeTrue()) - Expect(cmp.Equal(deploymentConf.Replicas.Max, wrapperspb.Int32(1), cmpopts.IgnoreUnexported(wrapperspb.Int32Value{}))).To(BeTrue()) - - actualResourceJSON, err := json.Marshal(deploymentConf.Resources) - Expect(err).NotTo(HaveOccurred()) - expectedResource := &istioOperatorApi.ResourceRequirements{ - Limits: map[string]*istioOperatorApi.Quantity{ - "cpu": {Quantity: resource.MustParse("2000m")}, - "memory": {Quantity: resource.MustParse("1024Mi")}, - }, - Requests: map[string]*istioOperatorApi.Quantity{ - "cpu": {Quantity: resource.MustParse("100m")}, - "memory": {Quantity: resource.MustParse("128Mi")}, - }, - } - expectedResourceJSON, err := json.Marshal(expectedResource) - Expect(err).NotTo(HaveOccurred()) - Expect(actualResourceJSON).To(Equal(expectedResourceJSON)) - - Expect(len(meshGatewaySpec.Service.Ports)).To(Equal(4)) - - expectedPort := &istioOperatorApi.ServicePort{ - Name: "tcp-broker-0", - Protocol: string(corev1.ProtocolTCP), - Port: 19090, - TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(19090)}, - } - Expect(cmp.Equal(meshGatewaySpec.Service.Ports[0], expectedPort, cmpopts.IgnoreUnexported(istioOperatorApi.ServicePort{}))).To(BeTrue()) - - expectedPort = &istioOperatorApi.ServicePort{ - Name: "tcp-broker-1", - Protocol: string(corev1.ProtocolTCP), - Port: 19091, - TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(19091)}, - } - Expect(cmp.Equal(meshGatewaySpec.Service.Ports[1], expectedPort, cmpopts.IgnoreUnexported(istioOperatorApi.ServicePort{}))).To(BeTrue()) - expectedPort = &istioOperatorApi.ServicePort{ - Name: "tcp-broker-2", - Protocol: string(corev1.ProtocolTCP), - Port: 19092, - TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(19092)}, - } - Expect(cmp.Equal(meshGatewaySpec.Service.Ports[2], expectedPort, cmpopts.IgnoreUnexported(istioOperatorApi.ServicePort{}))).To(BeTrue()) - expectedPort = &istioOperatorApi.ServicePort{ - Name: "tcp-all-broker", - Protocol: string(corev1.ProtocolTCP), - Port: 29092, - TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(29092)}, - } - Expect(cmp.Equal(meshGatewaySpec.Service.Ports[3], expectedPort, cmpopts.IgnoreUnexported(istioOperatorApi.ServicePort{}))).To(BeTrue()) - - Expect(meshGatewaySpec.Type).To(Equal(istioOperatorApi.GatewayType_ingress)) - - var gateway istioclientv1beta1.Gateway - gatewayName := fmt.Sprintf("%s-external-gateway", kafkaCluster.Name) - Eventually(ctx, func() error { - err := k8sClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: gatewayName}, &gateway) - return err - }).Should(Succeed()) - - ExpectIstioIngressLabels(gateway.Labels, "external", kafkaClusterCRName) - ExpectIstioIngressLabels(gateway.Spec.Selector, "external", kafkaClusterCRName) - Expect(gateway.Spec.Servers).To(ConsistOf( - istioclientv1beta1.Server{ - Port: &istioclientv1beta1.Port{ - Number: 19090, - Protocol: "TCP", - Name: "tcp-broker-0"}, - Hosts: []string{"*"}, - }, - istioclientv1beta1.Server{ - Port: &istioclientv1beta1.Port{ - Number: 19091, - Protocol: "TCP", - Name: "tcp-broker-1"}, - Hosts: []string{"*"}, - }, - istioclientv1beta1.Server{ - Port: &istioclientv1beta1.Port{ - Number: 19092, - Protocol: "TCP", - Name: "tcp-broker-2"}, - Hosts: []string{"*"}, - }, - istioclientv1beta1.Server{ - Port: &istioclientv1beta1.Port{ - Number: 29092, - Protocol: "TCP", - Name: "tcp-all-broker", - }, - Hosts: []string{"*"}, - })) - - var virtualService istioclientv1beta1.VirtualService - virtualServiceName := fmt.Sprintf("%s-external-virtualservice", kafkaCluster.Name) - Eventually(ctx, func() error { - err := k8sClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: virtualServiceName}, &virtualService) - return err - }).Should(Succeed()) - - ExpectIstioIngressLabels(virtualService.Labels, "external", kafkaClusterCRName) - Expect(virtualService.Spec).To(Equal(istioclientv1beta1.VirtualServiceSpec{ - Hosts: []string{"*"}, - Gateways: []string{fmt.Sprintf("%s-external-gateway", kafkaClusterCRName)}, - TCP: []istioclientv1beta1.TCPRoute{ - { - Match: []istioclientv1beta1.L4MatchAttributes{{Port: util.IntPointer(19090)}}, - Route: []*istioclientv1beta1.RouteDestination{{ - Destination: &istioclientv1beta1.Destination{ - Host: "kafkacluster-1-0", - Port: &istioclientv1beta1.PortSelector{Number: 9094}, - }, - }}, - }, - { - Match: []istioclientv1beta1.L4MatchAttributes{{Port: util.IntPointer(19091)}}, - Route: []*istioclientv1beta1.RouteDestination{{ - Destination: &istioclientv1beta1.Destination{ - Host: "kafkacluster-1-1", - Port: &istioclientv1beta1.PortSelector{Number: 9094}, - }, - }}, - }, - { - Match: []istioclientv1beta1.L4MatchAttributes{{Port: util.IntPointer(19092)}}, - Route: []*istioclientv1beta1.RouteDestination{{ - Destination: &istioclientv1beta1.Destination{ - Host: "kafkacluster-1-2", - Port: &istioclientv1beta1.PortSelector{Number: 9094}, - }, - }}, - }, - { - Match: []istioclientv1beta1.L4MatchAttributes{{Port: util.IntPointer(29092)}}, - Route: []*istioclientv1beta1.RouteDestination{{ - Destination: &istioclientv1beta1.Destination{ - Host: "kafkacluster-1-all-broker", - Port: &istioclientv1beta1.PortSelector{Number: 9094}, - }, - }}, - }, - }, - })) - - // expect kafkaCluster listener status - err = k8sClient.Get(ctx, types.NamespacedName{ - Name: kafkaCluster.Name, - Namespace: kafkaCluster.Namespace, - }, kafkaCluster) - Expect(err).NotTo(HaveOccurred()) - - Expect(kafkaCluster.Status.ListenerStatuses).To(Equal(v1beta1.ListenerStatuses{ - InternalListeners: map[string]v1beta1.ListenerStatusList{ - "internal": { - { - Name: "any-broker", - Address: fmt.Sprintf("%s-all-broker.kafka-istioingress-%d.svc.cluster.local:29092", kafkaCluster.Name, count), - }, - { - Name: "broker-0", - Address: fmt.Sprintf("%s-0.kafka-istioingress-%d.svc.cluster.local:29092", kafkaCluster.Name, count), - }, - { - Name: "broker-1", - Address: fmt.Sprintf("%s-1.kafka-istioingress-%d.svc.cluster.local:29092", kafkaCluster.Name, count), - }, - { - Name: "broker-2", - Address: fmt.Sprintf("%s-2.kafka-istioingress-%d.svc.cluster.local:29092", kafkaCluster.Name, count), - }, - }, - }, - ExternalListeners: map[string]v1beta1.ListenerStatusList{ - "external": { - { - Name: "any-broker", - Address: "ingress.test.host.com:29092", - }, - { - Name: "broker-0", - Address: "ingress.test.host.com:19090", - }, - { - Name: "broker-1", - Address: "ingress.test.host.com:19091", - }, - { - Name: "broker-2", - Address: "ingress.test.host.com:19092", - }, - }, - }, - })) - }) - }) - - When("Headless mode is turned on", func() { - BeforeEach(func() { - kafkaCluster.Spec.HeadlessServiceEnabled = true - }) - - It("does not add the all-broker service to the listener status", func(ctx SpecContext) { - err := k8sClient.Get(ctx, types.NamespacedName{ - Name: kafkaCluster.Name, - Namespace: kafkaCluster.Namespace, - }, kafkaCluster) - Expect(err).NotTo(HaveOccurred()) - - Expect(kafkaCluster.Status.ListenerStatuses).To(Equal(v1beta1.ListenerStatuses{ - InternalListeners: map[string]v1beta1.ListenerStatusList{ - "internal": { - { - Name: "headless", - Address: fmt.Sprintf("%s-headless.kafka-istioingress-%d.svc.cluster.local:29092", kafkaCluster.Name, count), - }, - { - Name: "broker-0", - Address: fmt.Sprintf("%s-0.%s-headless.kafka-istioingress-%d.svc.cluster.local:29092", kafkaCluster.Name, kafkaCluster.Name, count), - }, - { - Name: "broker-1", - Address: fmt.Sprintf("%s-1.%s-headless.kafka-istioingress-%d.svc.cluster.local:29092", kafkaCluster.Name, kafkaCluster.Name, count), - }, - { - Name: "broker-2", - Address: fmt.Sprintf("%s-2.%s-headless.kafka-istioingress-%d.svc.cluster.local:29092", kafkaCluster.Name, kafkaCluster.Name, count), - }, - }, - }, - ExternalListeners: map[string]v1beta1.ListenerStatusList{ - "external": { - { - Name: "any-broker", - Address: "ingress.test.host.com:29092", - }, - { - Name: "broker-0", - Address: "ingress.test.host.com:19090", - }, - { - Name: "broker-1", - Address: "ingress.test.host.com:19091", - }, - { - Name: "broker-2", - Address: "ingress.test.host.com:19092", - }, - }, - }, - })) - }) - }) -}) - -var _ = Describe("KafkaClusterIstioIngressControllerWithBrokerIdBindings", func() { - var ( - count uint64 = 0 - namespace string - namespaceObj *corev1.Namespace - kafkaClusterCRName string - kafkaCluster *v1beta1.KafkaCluster - ) - - ExpectIstioIngressLabels := func(labels map[string]string, eListenerName, crName string) { - Expect(labels).To(HaveKeyWithValue(v1beta1.AppLabelKey, "istioingress")) - Expect(labels).To(HaveKeyWithValue("eListenerName", eListenerName)) - Expect(labels).To(HaveKeyWithValue(v1beta1.KafkaCRLabelKey, crName)) - } - - BeforeEach(func() { - atomic.AddUint64(&count, 1) - - namespace = fmt.Sprintf("kafka-istioingress-with-bindings-%v", count) - namespaceObj = &corev1.Namespace{ - ObjectMeta: metav1.ObjectMeta{ - Name: namespace, - }, - } - - kafkaClusterCRName = fmt.Sprintf("kafkacluster-%v", count) - kafkaCluster = createMinimalKafkaClusterCR(kafkaClusterCRName, namespace) - - kafkaCluster.Spec.IngressController = istioingress.IngressControllerName - kafkaCluster.Spec.IstioControlPlane = &v1beta1.IstioControlPlaneReference{Name: "icp-v115x-sample", Namespace: "istio-system"} - kafkaCluster.Spec.ListenersConfig.ExternalListeners = []v1beta1.ExternalListenerConfig{ - { - CommonListenerSpec: v1beta1.CommonListenerSpec{ - Type: "plaintext", - Name: "external", - ContainerPort: 9094, - }, - ExternalStartingPort: 19090, - Config: &v1beta1.Config{ - DefaultIngressConfig: "az1", - IngressConfig: map[string]v1beta1.IngressConfig{ - "az1": {IstioIngressConfig: &v1beta1.IstioIngressConfig{ - Annotations: map[string]string{"zone": "az1"}, - }, - }, - "az2": {IstioIngressConfig: &v1beta1.IstioIngressConfig{ - Annotations: map[string]string{"zone": "az2"}, - TLSOptions: &istioclientv1beta1.TLSOptions{ - Mode: istioclientv1beta1.TLSModeSimple, - CredentialName: util.StringPointer("foobar"), - }, - }, - }, - }, - }, - }, - } - kafkaCluster.Spec.Brokers[0].BrokerConfig = &v1beta1.BrokerConfig{BrokerIngressMapping: []string{"az1"}} - kafkaCluster.Spec.Brokers[1].BrokerConfig = &v1beta1.BrokerConfig{BrokerIngressMapping: []string{"az2"}} - }) - - JustBeforeEach(func(ctx SpecContext) { - By("creating namespace " + namespace) - err := k8sClient.Create(ctx, namespaceObj) - Expect(err).NotTo(HaveOccurred()) - - By("creating Kafka cluster object " + kafkaCluster.Name + " in namespace " + namespace) - err = k8sClient.Create(ctx, kafkaCluster) - Expect(err).NotTo(HaveOccurred()) - - createMeshGatewayService(ctx, "external.az1.host.com", - fmt.Sprintf("meshgateway-external-az1-%s", kafkaCluster.Name), namespace) - createMeshGatewayService(ctx, "external.az2.host.com", - fmt.Sprintf("meshgateway-external-az2-%s", kafkaCluster.Name), namespace) - - waitForClusterRunningState(ctx, kafkaCluster, namespace) - }) - - JustAfterEach(func(ctx SpecContext) { - By("deleting Kafka cluster object " + kafkaCluster.Name + " in namespace " + namespace) - err := k8sClient.Delete(ctx, kafkaCluster) - Expect(err).NotTo(HaveOccurred()) - kafkaCluster = nil - }) - - When("Istio ingress controller is configured", func() { - - It("creates Istio ingress related objects", func(ctx SpecContext) { - // Istio ingress Az1 related objects - var meshGateway istioOperatorApi.IstioMeshGateway - meshGatewayAz1Name := fmt.Sprintf("meshgateway-external-az1-%s", kafkaCluster.Name) - Eventually(ctx, func() error { - err := k8sClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: meshGatewayAz1Name}, &meshGateway) - return err - }).Should(Succeed()) - - meshGatewaySpec := meshGateway.Spec - ExpectIstioIngressLabels(meshGatewaySpec.Deployment.Metadata.Labels, "external-az1", kafkaClusterCRName) - - Expect(len(meshGatewaySpec.Service.Ports)).To(Equal(3)) - - expectedPort := &istioOperatorApi.ServicePort{ - Name: "tcp-broker-0", - Protocol: string(corev1.ProtocolTCP), - Port: 19090, - TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(19090)}, - } - Expect(cmp.Equal(meshGatewaySpec.Service.Ports[0], expectedPort, cmpopts.IgnoreUnexported(istioOperatorApi.ServicePort{}))).To(BeTrue()) - - expectedPort = &istioOperatorApi.ServicePort{ - Name: "tcp-broker-2", - Protocol: string(corev1.ProtocolTCP), - Port: 19092, - TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(19092)}, - } - Expect(cmp.Equal(meshGatewaySpec.Service.Ports[1], expectedPort, cmpopts.IgnoreUnexported(istioOperatorApi.ServicePort{}))).To(BeTrue()) - expectedPort = &istioOperatorApi.ServicePort{ - Name: "tcp-all-broker", - Protocol: string(corev1.ProtocolTCP), - Port: 29092, - TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(29092)}, - } - Expect(cmp.Equal(meshGatewaySpec.Service.Ports[2], expectedPort, cmpopts.IgnoreUnexported(istioOperatorApi.ServicePort{}))).To(BeTrue()) - - var gateway istioclientv1beta1.Gateway - gatewayName := fmt.Sprintf("%s-external-az1-gateway", kafkaCluster.Name) - Eventually(ctx, func() error { - err := k8sClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: gatewayName}, &gateway) - return err - }).Should(Succeed()) - - ExpectIstioIngressLabels(gateway.Labels, "external-az1", kafkaClusterCRName) - ExpectIstioIngressLabels(gateway.Spec.Selector, "external-az1", kafkaClusterCRName) - Expect(gateway.Spec.Servers).To(ConsistOf( - istioclientv1beta1.Server{ - Port: &istioclientv1beta1.Port{ - Number: 19090, - Protocol: "TCP", - Name: "tcp-broker-0"}, - Hosts: []string{"*"}, - }, - istioclientv1beta1.Server{ - Port: &istioclientv1beta1.Port{ - Number: 19092, - Protocol: "TCP", - Name: "tcp-broker-2"}, - Hosts: []string{"*"}, - }, - istioclientv1beta1.Server{ - Port: &istioclientv1beta1.Port{ - Number: 29092, - Protocol: "TCP", - Name: "tcp-all-broker", - }, - Hosts: []string{"*"}, - })) - - var virtualService istioclientv1beta1.VirtualService - virtualServiceName := fmt.Sprintf("%s-external-az1-virtualservice", kafkaCluster.Name) - Eventually(ctx, func() error { - err := k8sClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: virtualServiceName}, &virtualService) - return err - }).Should(Succeed()) - - ExpectIstioIngressLabels(virtualService.Labels, "external-az1", kafkaClusterCRName) - Expect(virtualService.Spec).To(Equal(istioclientv1beta1.VirtualServiceSpec{ - Hosts: []string{"*"}, - Gateways: []string{gatewayName}, - TCP: []istioclientv1beta1.TCPRoute{ - { - Match: []istioclientv1beta1.L4MatchAttributes{{Port: util.IntPointer(19090)}}, - Route: []*istioclientv1beta1.RouteDestination{{ - Destination: &istioclientv1beta1.Destination{ - Host: "kafkacluster-1-0", - Port: &istioclientv1beta1.PortSelector{Number: 9094}, - }, - }}, - }, - { - Match: []istioclientv1beta1.L4MatchAttributes{{Port: util.IntPointer(19092)}}, - Route: []*istioclientv1beta1.RouteDestination{{ - Destination: &istioclientv1beta1.Destination{ - Host: "kafkacluster-1-2", - Port: &istioclientv1beta1.PortSelector{Number: 9094}, - }, - }}, - }, - { - Match: []istioclientv1beta1.L4MatchAttributes{{Port: util.IntPointer(29092)}}, - Route: []*istioclientv1beta1.RouteDestination{{ - Destination: &istioclientv1beta1.Destination{ - Host: "kafkacluster-1-all-broker", - Port: &istioclientv1beta1.PortSelector{Number: 9094}, - }, - }}, - }, - }, - })) - // Istio Ingress Az2 related objects - meshGatewayAz2Name := fmt.Sprintf("meshgateway-external-az2-%s", kafkaCluster.Name) - Eventually(ctx, func() error { - err := k8sClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: meshGatewayAz2Name}, &meshGateway) - return err - }).Should(Succeed()) - - meshGatewaySpec = meshGateway.Spec - ExpectIstioIngressLabels(meshGatewaySpec.Deployment.Metadata.Labels, "external-az2", kafkaClusterCRName) - - Expect(len(meshGatewaySpec.Service.Ports)).To(Equal(2)) - - expectedPort = &istioOperatorApi.ServicePort{ - Name: "tcp-broker-1", - Protocol: string(corev1.ProtocolTCP), - Port: 19091, - TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(19091)}, - } - Expect(cmp.Equal(meshGatewaySpec.Service.Ports[0], expectedPort, cmpopts.IgnoreUnexported(istioOperatorApi.ServicePort{}))).To(BeTrue()) - - expectedPort = &istioOperatorApi.ServicePort{ - Name: "tcp-all-broker", - Protocol: string(corev1.ProtocolTCP), - Port: 29092, - TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(29092)}, - } - Expect(cmp.Equal(meshGatewaySpec.Service.Ports[1], expectedPort, cmpopts.IgnoreUnexported(istioOperatorApi.ServicePort{}))).To(BeTrue()) - - gatewayName = fmt.Sprintf("%s-external-az2-gateway", kafkaCluster.Name) - Eventually(ctx, func() error { - err := k8sClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: gatewayName}, &gateway) - return err - }).Should(Succeed()) - - ExpectIstioIngressLabels(gateway.Labels, "external-az2", kafkaClusterCRName) - ExpectIstioIngressLabels(gateway.Spec.Selector, "external-az2", kafkaClusterCRName) - Expect(gateway.Spec.Servers).To(ConsistOf( - istioclientv1beta1.Server{ - TLS: &istioclientv1beta1.TLSOptions{ - Mode: istioclientv1beta1.TLSModeSimple, - CredentialName: util.StringPointer("foobar"), - }, - Port: &istioclientv1beta1.Port{ - Number: 19091, - Protocol: "TLS", - Name: "tcp-broker-1"}, - Hosts: []string{"*"}, - }, - istioclientv1beta1.Server{ - TLS: &istioclientv1beta1.TLSOptions{ - Mode: istioclientv1beta1.TLSModeSimple, - CredentialName: util.StringPointer("foobar"), - }, - Port: &istioclientv1beta1.Port{ - Number: 29092, - Protocol: "TLS", - Name: "tcp-all-broker", - }, - Hosts: []string{"*"}, - })) - - virtualServiceName = fmt.Sprintf("%s-external-az2-virtualservice", kafkaCluster.Name) - Eventually(ctx, func() error { - err := k8sClient.Get(ctx, types.NamespacedName{Namespace: namespace, Name: virtualServiceName}, &virtualService) - return err - }).Should(Succeed()) - - ExpectIstioIngressLabels(virtualService.Labels, "external-az2", kafkaClusterCRName) - Expect(virtualService.Spec).To(Equal(istioclientv1beta1.VirtualServiceSpec{ - Hosts: []string{"*"}, - Gateways: []string{gatewayName}, - TCP: []istioclientv1beta1.TCPRoute{ - { - Match: []istioclientv1beta1.L4MatchAttributes{{Port: util.IntPointer(19091)}}, - Route: []*istioclientv1beta1.RouteDestination{{ - Destination: &istioclientv1beta1.Destination{ - Host: "kafkacluster-1-1", - Port: &istioclientv1beta1.PortSelector{Number: 9094}, - }, - }}, - }, - { - Match: []istioclientv1beta1.L4MatchAttributes{{Port: util.IntPointer(29092)}}, - Route: []*istioclientv1beta1.RouteDestination{{ - Destination: &istioclientv1beta1.Destination{ - Host: "kafkacluster-1-all-broker", - Port: &istioclientv1beta1.PortSelector{Number: 9094}, - }, - }}, - }, - }, - })) - - // expect kafkaCluster listener status - err := k8sClient.Get(ctx, types.NamespacedName{ - Name: kafkaCluster.Name, - Namespace: kafkaCluster.Namespace, - }, kafkaCluster) - Expect(err).NotTo(HaveOccurred()) - - Expect(kafkaCluster.Status.ListenerStatuses).To(Equal(v1beta1.ListenerStatuses{ - InternalListeners: map[string]v1beta1.ListenerStatusList{ - "internal": { - { - Name: "any-broker", - Address: fmt.Sprintf("%s-all-broker.kafka-istioingress-with-bindings-%d.svc.cluster.local:29092", kafkaCluster.Name, count), - }, - { - Name: "broker-0", - Address: fmt.Sprintf("%s-0.kafka-istioingress-with-bindings-%d.svc.cluster.local:29092", kafkaCluster.Name, count), - }, - { - Name: "broker-1", - Address: fmt.Sprintf("%s-1.kafka-istioingress-with-bindings-%d.svc.cluster.local:29092", kafkaCluster.Name, count), - }, - { - Name: "broker-2", - Address: fmt.Sprintf("%s-2.kafka-istioingress-with-bindings-%d.svc.cluster.local:29092", kafkaCluster.Name, count), - }, - }, - }, - ExternalListeners: map[string]v1beta1.ListenerStatusList{ - "external": { - { - Name: "any-broker-az1", - Address: "external.az1.host.com:29092", - }, - { - Name: "any-broker-az2", - Address: "external.az2.host.com:29092", - }, - { - Name: "broker-0", - Address: "external.az1.host.com:19090", - }, - { - Name: "broker-1", - Address: "external.az2.host.com:19091", - }, - { - Name: "broker-2", - Address: "external.az1.host.com:19092", - }, - }, - }, - })) - }) - }) -}) - -func createMeshGatewayService(ctx context.Context, extListenerName, extListenerServiceName, namespace string) { - svcFromMeshGateway := corev1.Service{ - ObjectMeta: metav1.ObjectMeta{ - Name: extListenerServiceName, - Namespace: namespace, - }, - Spec: corev1.ServiceSpec{ - Type: corev1.ServiceTypeLoadBalancer, - Ports: []corev1.ServicePort{ - // other ports omitted - { - Name: "tcp-all-broker", - Port: 29092, // from MeshGateway (guarded by the tests) - Protocol: corev1.ProtocolTCP, - }, - }, - }, - } - err := k8sClient.Create(ctx, &svcFromMeshGateway) - Expect(err).NotTo(HaveOccurred()) - svcFromMeshGateway.Status.LoadBalancer.Ingress = []corev1.LoadBalancerIngress{{Hostname: extListenerName}} - err = k8sClient.Status().Update(ctx, &svcFromMeshGateway) - Expect(err).NotTo(HaveOccurred()) -} diff --git a/controllers/tests/suite_test.go b/controllers/tests/suite_test.go index e3a5234f8..af2caa1d2 100644 --- a/controllers/tests/suite_test.go +++ b/controllers/tests/suite_test.go @@ -54,9 +54,9 @@ import ( cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" - istioclientv1beta1 "github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1" - banzaiistiov1alpha1 "github.com/banzaicloud/istio-operator/api/v2/v1alpha1" contour "github.com/projectcontour/contour/apis/projectcontour/v1" + gatewayv1 "sigs.k8s.io/gateway-api/apis/v1" + gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" banzaicloudv1alpha1 "github.com/banzaicloud/koperator/api/v1alpha1" banzaicloudv1beta1 "github.com/banzaicloud/koperator/api/v1beta1" @@ -94,7 +94,7 @@ var _ = BeforeSuite(func(ctx SpecContext) { filepath.Join("..", "..", "config", "base", "crds"), filepath.Join("..", "..", "config", "test", "crd", "cert-manager"), filepath.Join("..", "..", "config", "test", "crd", "projectcontour"), - filepath.Join("..", "..", "config", "test", "crd", "istio"), + filepath.Join("..", "..", "config", "test", "crd", "gateway-api"), }, ControlPlaneStartTimeout: timeout, ControlPlaneStopTimeout: timeout, @@ -119,14 +119,14 @@ var _ = BeforeSuite(func(ctx SpecContext) { scheme := runtime.NewScheme() - Expect(banzaiistiov1alpha1.AddToScheme(scheme)).To(Succeed()) Expect(k8sscheme.AddToScheme(scheme)).To(Succeed()) Expect(apiv1.AddToScheme(scheme)).To(Succeed()) Expect(cmv1.AddToScheme(scheme)).To(Succeed()) Expect(banzaicloudv1alpha1.AddToScheme(scheme)).To(Succeed()) Expect(banzaicloudv1beta1.AddToScheme(scheme)).To(Succeed()) - Expect(istioclientv1beta1.AddToScheme(scheme)).To(Succeed()) Expect(contour.AddToScheme(scheme)).To(Succeed()) + Expect(gatewayv1.Install(scheme)).To(Succeed()) + Expect(gatewayv1alpha2.Install(scheme)).To(Succeed()) // +kubebuilder:scaffold:scheme diff --git a/docs/developer.md b/docs/developer.md index eecd3e132..53c2d2a04 100644 --- a/docs/developer.md +++ b/docs/developer.md @@ -37,4 +37,4 @@ Minikube does not have a load balancer implementation, thus our envoy service wi A possible solution to overcome this problem is to use https://github.com/elsonrodriguez/minikube-lb-patch. The operator will be able to proceed if you run the following command: ```go kubectl run minikube-lb-patch --replicas=1 --image=elsonrodriguez/minikube-lb-patch:0.1 --namespace=kube-system -``` +``` diff --git a/go.mod b/go.mod index e17b83695..93947aef8 100644 --- a/go.mod +++ b/go.mod @@ -8,8 +8,6 @@ require ( github.com/IBM/sarama v1.46.3 github.com/Masterminds/sprig/v3 v3.3.0 github.com/banzaicloud/go-cruise-control v0.6.0 - github.com/banzaicloud/istio-client-go v0.0.17 - github.com/banzaicloud/istio-operator/api/v2 v2.17.4 github.com/banzaicloud/k8s-objectmatcher v1.8.0 github.com/banzaicloud/koperator/api v0.28.8 github.com/banzaicloud/koperator/properties v0.4.1 @@ -74,7 +72,7 @@ require ( require ( github.com/Masterminds/goutils v1.1.1 // indirect github.com/Masterminds/semver/v3 v3.4.0 // indirect - github.com/banzaicloud/operator-tools v0.28.10 + github.com/banzaicloud/operator-tools v0.28.10 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/briandowns/spinner v1.23.2 // indirect github.com/cespare/xxhash/v2 v2.3.0 // indirect @@ -93,7 +91,6 @@ require ( github.com/go-openapi/jsonreference v0.21.2 // indirect github.com/go-openapi/swag v0.25.1 // indirect github.com/gogo/protobuf v1.3.2 // indirect - github.com/golang/protobuf v1.5.4 // indirect github.com/golang/snappy v1.0.0 // indirect github.com/google/go-cmp v0.7.0 github.com/google/uuid v1.6.0 @@ -138,19 +135,16 @@ require ( golang.org/x/time v0.14.0 // indirect gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - istio.io/api v1.27.3 // indirect k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 // indirect k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect - sigs.k8s.io/gateway-api v1.4.0 // indirect + sigs.k8s.io/gateway-api v1.4.0 sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect sigs.k8s.io/yaml v1.6.0 ) replace ( github.com/banzaicloud/go-cruise-control => ./third_party/github.com/banzaicloud/go-cruise-control - github.com/banzaicloud/istio-client-go => ./third_party/github.com/banzaicloud/istio-client-go - github.com/banzaicloud/istio-operator/api/v2 => ./third_party/github.com/banzaicloud/istio-operator/api github.com/banzaicloud/k8s-objectmatcher => ./third_party/github.com/banzaicloud/k8s-objectmatcher github.com/banzaicloud/koperator/api => ./api github.com/banzaicloud/koperator/properties => ./properties diff --git a/go.sum b/go.sum index dfff19228..93577e208 100644 --- a/go.sum +++ b/go.sum @@ -104,8 +104,6 @@ github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw= github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= -github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs= github.com/golang/snappy v1.0.0/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg= @@ -342,8 +340,6 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo= gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw= -istio.io/api v1.27.3 h1:Ek00/+kB0wepYuevSfE0Edh2o5ndEtekmo/Nkx5LIYA= -istio.io/api v1.27.3/go.mod h1:DTVGH6CLXj5W8FF9JUD3Tis78iRgT1WeuAnxfTz21Wg= k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI= diff --git a/main.go b/main.go index 05d8f4548..843c4c130 100644 --- a/main.go +++ b/main.go @@ -42,15 +42,13 @@ import ( "sigs.k8s.io/controller-runtime/pkg/metrics/server" "sigs.k8s.io/controller-runtime/pkg/webhook" - istioclientv1beta1 "github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1" - - banzaiistiov1alpha1 "github.com/banzaicloud/istio-operator/api/v2/v1alpha1" - certv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1" "k8s.io/apimachinery/pkg/runtime" clientgoscheme "k8s.io/client-go/kubernetes/scheme" _ "k8s.io/client-go/plugin/pkg/client/auth/gcp" ctrl "sigs.k8s.io/controller-runtime" + gatewayv1 "sigs.k8s.io/gateway-api/apis/v1" + gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" contour "github.com/projectcontour/contour/apis/projectcontour/v1" @@ -77,11 +75,10 @@ func init() { _ = banzaicloudv1beta1.AddToScheme(scheme) - _ = banzaiistiov1alpha1.AddToScheme(scheme) - - _ = istioclientv1beta1.AddToScheme(scheme) - _ = contour.AddToScheme(scheme) + + _ = gatewayv1.Install(scheme) + _ = gatewayv1alpha2.Install(scheme) // +kubebuilder:scaffold:scheme } diff --git a/pkg/k8sutil/resource_test.go b/pkg/k8sutil/resource_test.go new file mode 100644 index 000000000..6b5745b36 --- /dev/null +++ b/pkg/k8sutil/resource_test.go @@ -0,0 +1,278 @@ +// Copyright © 2019 Cisco Systems, Inc. and/or its affiliates +// Copyright 2025 Adobe. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package k8sutil + +import ( + "context" + "testing" + + "github.com/go-logr/logr" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" + + "github.com/banzaicloud/koperator/api/v1beta1" +) + +// MockClient is a mock implementation of client.Client +type MockClient struct { + mock.Mock +} + +func (m *MockClient) Get(ctx context.Context, key types.NamespacedName, obj client.Object, opts ...client.GetOption) error { + args := m.Called(ctx, key, obj, opts) + return args.Error(0) +} + +func (m *MockClient) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error { + args := m.Called(ctx, list, opts) + return args.Error(0) +} + +func (m *MockClient) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) Delete(ctx context.Context, obj client.Object, opts ...client.DeleteOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) Update(ctx context.Context, obj client.Object, opts ...client.UpdateOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error { + args := m.Called(ctx, obj, patch, opts) + return args.Error(0) +} + +func (m *MockClient) DeleteAllOf(ctx context.Context, obj client.Object, opts ...client.DeleteAllOfOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) Status() client.StatusWriter { + args := m.Called() + return args.Get(0).(client.StatusWriter) +} + +func (m *MockClient) Scheme() *runtime.Scheme { + args := m.Called() + return args.Get(0).(*runtime.Scheme) +} + +func (m *MockClient) RESTMapper() meta.RESTMapper { + args := m.Called() + return args.Get(0).(meta.RESTMapper) +} + +func (m *MockClient) GroupVersionKindFor(obj runtime.Object) (schema.GroupVersionKind, error) { + args := m.Called(obj) + return args.Get(0).(schema.GroupVersionKind), args.Error(1) +} + +func (m *MockClient) IsObjectNamespaced(obj runtime.Object) (bool, error) { + args := m.Called(obj) + return args.Bool(0), args.Error(1) +} + +func (m *MockClient) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...client.ApplyOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) SubResource(subResource string) client.SubResourceClient { + args := m.Called(subResource) + return args.Get(0).(client.SubResourceClient) +} + +func TestReconcile_CreateResource(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + } + + // Create a test ConfigMap + desired := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-configmap", + Namespace: "test-namespace", + }, + Data: map[string]string{ + "key": "value", + }, + } + + // Mock Get to return NotFound error (resource doesn't exist) + mockClient.On("Get", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(errors.NewNotFound(schema.GroupResource{}, "test-configmap")) + // Mock Create to succeed + mockClient.On("Create", mock.Anything, mock.Anything, mock.Anything).Return(nil) + + err := Reconcile(logr.Discard(), mockClient, desired, cluster) + assert.NoError(t, err) + + // Verify that Create was called + mockClient.AssertCalled(t, "Create", mock.Anything, mock.Anything, mock.Anything) +} + +func TestReconcile_UpdateResource(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + } + + // Create a test ConfigMap + desired := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-configmap", + Namespace: "test-namespace", + }, + Data: map[string]string{ + "key": "value", + }, + } + + // Mock Get to return existing resource + existing := desired.DeepCopy() + existing.Data["existing-key"] = "existing-value" + mockClient.On("Get", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil).Run(func(args mock.Arguments) { + obj := args.Get(2).(client.Object) + // Set the existing data + if cm, ok := obj.(*corev1.ConfigMap); ok { + cm.Data = map[string]string{ + "existing-key": "existing-value", + } + } + }) + // Mock Update to succeed + mockClient.On("Update", mock.Anything, mock.Anything, mock.Anything).Return(nil) + + err := Reconcile(logr.Discard(), mockClient, desired, cluster) + assert.NoError(t, err) +} + +func TestReconcile_ErrorHandling(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + } + + // Create a test ConfigMap + desired := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-configmap", + Namespace: "test-namespace", + }, + Data: map[string]string{ + "key": "value", + }, + } + + // Mock Get to return an error + mockClient.On("Get", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(assert.AnError) + + err := Reconcile(logr.Discard(), mockClient, desired, cluster) + assert.Error(t, err) +} + +func TestReconcile_CreateErrorHandling(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + } + + // Create a test ConfigMap + desired := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-configmap", + Namespace: "test-namespace", + }, + Data: map[string]string{ + "key": "value", + }, + } + + // Mock Get to return NotFound error (resource doesn't exist) + mockClient.On("Get", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(assert.AnError) + // Mock Create to return an error + mockClient.On("Create", mock.Anything, mock.Anything, mock.Anything).Return(assert.AnError) + + err := Reconcile(logr.Discard(), mockClient, desired, cluster) + assert.Error(t, err) +} + +func TestReconcile_UpdateErrorHandling(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + } + + // Create a test ConfigMap + desired := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-configmap", + Namespace: "test-namespace", + }, + Data: map[string]string{ + "key": "value", + }, + } + + // Mock Get to return a different existing resource (so update is needed) + existing := &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-configmap", + Namespace: "test-namespace", + }, + Data: map[string]string{ + "key": "different-value", + }, + } + mockClient.On("Get", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil).Run(func(args mock.Arguments) { + obj := args.Get(2).(*corev1.ConfigMap) + *obj = *existing + }) + // Mock Update to return an error + mockClient.On("Update", mock.Anything, mock.Anything, mock.Anything).Return(assert.AnError) + + err := Reconcile(logr.Discard(), mockClient, desired, cluster) + assert.Error(t, err) +} diff --git a/pkg/pki/k8scsrpki/k8scsr_user_test.go b/pkg/pki/k8scsrpki/k8scsr_user_test.go index 3f78d7ea7..0e55c5ec2 100644 --- a/pkg/pki/k8scsrpki/k8scsr_user_test.go +++ b/pkg/pki/k8scsrpki/k8scsr_user_test.go @@ -30,9 +30,6 @@ import ( "k8s.io/client-go/kubernetes/scheme" "sigs.k8s.io/controller-runtime/pkg/client/fake" - istioclientv1beta1 "github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1" - banzaiistiov1alpha1 "github.com/banzaicloud/istio-operator/api/v2/v1alpha1" - "github.com/banzaicloud/koperator/api/v1alpha1" "github.com/banzaicloud/koperator/api/v1beta1" "github.com/banzaicloud/koperator/pkg/util" @@ -79,14 +76,6 @@ func setupSchemeForTests() (*runtime.Scheme, error) { if err != nil { return nil, err } - err = banzaiistiov1alpha1.AddToScheme(sch) - if err != nil { - return nil, err - } - err = istioclientv1beta1.AddToScheme(sch) - if err != nil { - return nil, err - } return sch, nil } diff --git a/pkg/resources/envoy/envoy_test.go b/pkg/resources/envoy/envoy_test.go new file mode 100644 index 000000000..e1e39d40c --- /dev/null +++ b/pkg/resources/envoy/envoy_test.go @@ -0,0 +1,303 @@ +// Copyright © 2019 Cisco Systems, Inc. and/or its affiliates +// Copyright 2025 Adobe. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package envoy + +import ( + "context" + "testing" + + "github.com/go-logr/logr" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" + + "github.com/banzaicloud/koperator/api/v1beta1" + "github.com/banzaicloud/koperator/pkg/util" +) + +// MockClient is a mock implementation of client.Client +type MockClient struct { + mock.Mock +} + +func (m *MockClient) Get(ctx context.Context, key types.NamespacedName, obj client.Object, opts ...client.GetOption) error { + args := m.Called(ctx, key, obj, opts) + return args.Error(0) +} + +func (m *MockClient) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error { + args := m.Called(ctx, list, opts) + return args.Error(0) +} + +func (m *MockClient) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) Delete(ctx context.Context, obj client.Object, opts ...client.DeleteOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) Update(ctx context.Context, obj client.Object, opts ...client.UpdateOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error { + args := m.Called(ctx, obj, patch, opts) + return args.Error(0) +} + +func (m *MockClient) DeleteAllOf(ctx context.Context, obj client.Object, opts ...client.DeleteAllOfOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) Status() client.StatusWriter { + args := m.Called() + return args.Get(0).(client.StatusWriter) +} + +func (m *MockClient) Scheme() *runtime.Scheme { + args := m.Called() + return args.Get(0).(*runtime.Scheme) +} + +func (m *MockClient) RESTMapper() meta.RESTMapper { + args := m.Called() + return args.Get(0).(meta.RESTMapper) +} + +func (m *MockClient) GroupVersionKindFor(obj runtime.Object) (schema.GroupVersionKind, error) { + args := m.Called(obj) + return args.Get(0).(schema.GroupVersionKind), args.Error(1) +} + +func (m *MockClient) IsObjectNamespaced(obj runtime.Object) (bool, error) { + args := m.Called(obj) + return args.Bool(0), args.Error(1) +} + +func (m *MockClient) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...client.ApplyOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) SubResource(subResource string) client.SubResourceClient { + args := m.Called(subResource) + return args.Get(0).(client.SubResourceClient) +} + +func TestNew(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + } + + reconciler := New(mockClient, cluster) + + assert.NotNil(t, reconciler) + assert.Equal(t, mockClient, reconciler.Client) + assert.Equal(t, cluster, reconciler.KafkaCluster) +} + +func TestLabelsForEnvoyIngress(t *testing.T) { + tests := []struct { + name string + crName string + eLName string + expectedLabels map[string]string + }{ + { + name: "basic labels", + crName: "test-cluster", + eLName: "external", + expectedLabels: map[string]string{ + v1beta1.AppLabelKey: "envoyingress", + v1beta1.KafkaCRLabelKey: "test-cluster", + util.ExternalListenerLabelNameKey: "external", + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + labels := labelsForEnvoyIngress(tt.crName, tt.eLName) + assert.Equal(t, tt.expectedLabels, labels) + }) + } +} + +func TestLabelsForEnvoyIngressWithoutEListenerName(t *testing.T) { + tests := []struct { + name string + crName string + expectedLabels map[string]string + }{ + { + name: "basic labels without external listener", + crName: "test-cluster", + expectedLabels: map[string]string{ + v1beta1.AppLabelKey: "envoyingress", + v1beta1.KafkaCRLabelKey: "test-cluster", + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + labels := labelsForEnvoyIngressWithoutEListenerName(tt.crName) + assert.Equal(t, tt.expectedLabels, labels) + }) + } +} + +func TestReconcile_WithEnvoyIngressController(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + Spec: v1beta1.KafkaClusterSpec{ + ListenersConfig: v1beta1.ListenersConfig{ + ExternalListeners: []v1beta1.ExternalListenerConfig{ + { + CommonListenerSpec: v1beta1.CommonListenerSpec{ + Name: "external", + ContainerPort: 9094, + }, + AccessMethod: corev1.ServiceTypeLoadBalancer, + ExternalStartingPort: 19090, + }, + }, + }, + IngressController: "envoy", + }, + } + + reconciler := New(mockClient, cluster) + + // Mock the k8sutil.Reconcile calls + mockClient.On("Get", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(nil) + mockClient.On("Create", mock.Anything, mock.Anything, mock.Anything).Return(nil) + mockClient.On("Update", mock.Anything, mock.Anything, mock.Anything).Return(nil) + + log := logr.Discard() + err := reconciler.Reconcile(log) + assert.NoError(t, err) +} + +func TestReconcile_WithRemoveUnusedIngressResources(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + Spec: v1beta1.KafkaClusterSpec{ + ListenersConfig: v1beta1.ListenersConfig{ + ExternalListeners: []v1beta1.ExternalListenerConfig{ + { + CommonListenerSpec: v1beta1.CommonListenerSpec{ + Name: "external", + ContainerPort: 9094, + }, + AccessMethod: corev1.ServiceTypeNodePort, // Not LoadBalancer + ExternalStartingPort: 19090, + }, + }, + }, + IngressController: "nginx", // Not envoy + RemoveUnusedIngressResources: true, + }, + } + + reconciler := New(mockClient, cluster) + + // Mock the List call to return empty list (no resources to delete) + mockClient.On("List", mock.Anything, mock.Anything, mock.Anything).Return(nil) + + log := logr.Discard() + err := reconciler.Reconcile(log) + assert.NoError(t, err) +} + +func TestReconcile_NoExternalListeners(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + Spec: v1beta1.KafkaClusterSpec{ + ListenersConfig: v1beta1.ListenersConfig{ + ExternalListeners: nil, // No external listeners + }, + }, + } + + reconciler := New(mockClient, cluster) + + log := logr.Discard() + err := reconciler.Reconcile(log) + assert.NoError(t, err) +} + +func TestReconcile_ErrorHandling(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + Spec: v1beta1.KafkaClusterSpec{ + ListenersConfig: v1beta1.ListenersConfig{ + ExternalListeners: []v1beta1.ExternalListenerConfig{ + { + CommonListenerSpec: v1beta1.CommonListenerSpec{ + Name: "external", + ContainerPort: 9094, + }, + AccessMethod: corev1.ServiceTypeLoadBalancer, + ExternalStartingPort: 19090, + }, + }, + }, + IngressController: "envoy", + }, + } + + reconciler := New(mockClient, cluster) + + // Mock k8sutil.Reconcile to return an error + mockClient.On("Get", mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(assert.AnError) + + log := logr.Discard() + err := reconciler.Reconcile(log) + assert.Error(t, err) +} diff --git a/pkg/resources/envoygateway/envoygateway.go b/pkg/resources/envoygateway/envoygateway.go new file mode 100644 index 000000000..76ac429d8 --- /dev/null +++ b/pkg/resources/envoygateway/envoygateway.go @@ -0,0 +1,170 @@ +// Copyright 2025 Adobe. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package envoygateway + +import ( + "context" + "fmt" + "strings" + + "emperror.dev/errors" + "github.com/go-logr/logr" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/apimachinery/pkg/runtime/schema" + "sigs.k8s.io/controller-runtime/pkg/client" + gatewayv1 "sigs.k8s.io/gateway-api/apis/v1" + + apiutil "github.com/banzaicloud/koperator/api/util" + "github.com/banzaicloud/koperator/api/v1beta1" + "github.com/banzaicloud/koperator/pkg/k8sutil" + "github.com/banzaicloud/koperator/pkg/resources" + "github.com/banzaicloud/koperator/pkg/util" + envoygatewayutils "github.com/banzaicloud/koperator/pkg/util/envoygateway" +) + +const ( + componentName = "envoygateway" +) + +// labelsForEnvoyGateway returns the labels for selecting the resources +// belonging to the given kafka CR name. +func labelsForEnvoyGateway(crName, eLName string) map[string]string { + return apiutil.MergeLabels(labelsForEnvoyGatewayWithoutEListenerName(crName), map[string]string{util.ExternalListenerLabelNameKey: eLName}) +} + +func labelsForEnvoyGatewayWithoutEListenerName(crName string) map[string]string { + return map[string]string{v1beta1.AppLabelKey: "envoygateway", v1beta1.KafkaCRLabelKey: crName} +} + +// Reconciler implements the Component Reconciler +type Reconciler struct { + resources.Reconciler +} + +// New creates a new reconciler for Envoy Gateway +func New(client client.Client, cluster *v1beta1.KafkaCluster) *Reconciler { + return &Reconciler{ + Reconciler: resources.Reconciler{ + Client: client, + KafkaCluster: cluster, + }, + } +} + +// Reconcile implements the reconcile logic for Envoy Gateway +func (r *Reconciler) Reconcile(log logr.Logger) error { + log = log.WithValues("component", componentName) + + log.V(1).Info("Reconciling") + for _, eListener := range r.KafkaCluster.Spec.ListenersConfig.ExternalListeners { + if r.KafkaCluster.Spec.GetIngressController() == envoygatewayutils.IngressControllerName && eListener.GetAccessMethod() == corev1.ServiceTypeLoadBalancer { + ingressConfigs, defaultControllerName, err := util.GetIngressConfigs(r.KafkaCluster.Spec, eListener) + if err != nil { + return err + } + + for name, ingressConfig := range ingressConfigs { + if !util.IsIngressConfigInUse(name, defaultControllerName, r.KafkaCluster, log) { + continue + } + + // Validate TLS configuration for envoygateway + // EnvoyGateway ONLY supports TLS termination at the gateway level + if eListener.TLSEnabled() { + if ingressConfig.EnvoyGatewayConfig == nil || ingressConfig.EnvoyGatewayConfig.TLSSecretName == "" { + return errors.New("envoygateway ingress controller requires TLSSecretName to be set in envoyGatewayConfig when TLS is enabled (externalStartingPort == -1). EnvoyGateway only supports TLS termination at the gateway level") + } + } + + // Create Gateway resource + gateway := r.gateway(eListener, ingressConfig) + err := k8sutil.Reconcile(log, r.Client, gateway, r.KafkaCluster) + if err != nil { + return err + } + + // Create TCPRoute for each broker + // Note: We always use TCPRoute because EnvoyGateway performs TLS termination + // at the gateway level, so traffic to backends is plain TCP + for _, broker := range r.KafkaCluster.Spec.Brokers { + route := r.tcpRoute(broker.Id, eListener, ingressConfig) + err := k8sutil.Reconcile(log, r.Client, route, r.KafkaCluster) + if err != nil { + return err + } + } + + // Create TCPRoute for anycast (all-broker) service + anyCastRoute := r.tcpRouteAllBroker(eListener, ingressConfig) + err = k8sutil.Reconcile(log, r.Client, anyCastRoute, r.KafkaCluster) + if err != nil { + return err + } + } + } else if r.KafkaCluster.Spec.RemoveUnusedIngressResources { + // Cleaning up unused envoy gateway resources when ingress controller is not envoygateway or externalListener access method is not LoadBalancer + deletionCounter := 0 + ctx := context.Background() + envoyGatewayResourcesGVK := []schema.GroupVersionKind{ + { + Version: gatewayv1.GroupVersion.Version, + Group: gatewayv1.GroupVersion.Group, + Kind: "Gateway", + }, + { + Version: "v1alpha2", + Group: gatewayv1.GroupVersion.Group, + Kind: "TLSRoute", + }, + { + Version: "v1alpha2", + Group: gatewayv1.GroupVersion.Group, + Kind: "TCPRoute", + }, + } + + for _, gvk := range envoyGatewayResourcesGVK { + var envoyGatewayResources unstructured.UnstructuredList + envoyGatewayResources.SetGroupVersionKind(gvk) + err := r.List(ctx, &envoyGatewayResources, + client.InNamespace(r.KafkaCluster.Namespace), + client.MatchingLabels(labelsForEnvoyGatewayWithoutEListenerName(r.KafkaCluster.Name))) + if err != nil { + return errors.WrapIfWithDetails(err, "failed to list envoy gateway resources", "gvk", gvk) + } + + for _, removeObject := range envoyGatewayResources.Items { + if !strings.Contains(removeObject.GetLabels()[util.ExternalListenerLabelNameKey], eListener.Name) || + util.ObjectManagedByClusterRegistry(&removeObject) || + !removeObject.GetDeletionTimestamp().IsZero() { + continue + } + if err := r.Delete(ctx, &removeObject); client.IgnoreNotFound(err) != nil { + return errors.Wrap(err, "error when removing envoy gateway ingress resources") + } + log.V(1).Info(fmt.Sprintf("Deleted envoy gateway ingress '%s' resource '%s' for externalListener '%s'", gvk.Kind, removeObject.GetName(), eListener.Name)) + deletionCounter++ + } + } + if deletionCounter > 0 { + log.Info(fmt.Sprintf("Removed '%d' resources for envoy gateway ingress", deletionCounter)) + } + } + } + log.V(1).Info("Reconciled") + + return nil +} diff --git a/pkg/resources/envoygateway/envoygateway_test.go b/pkg/resources/envoygateway/envoygateway_test.go new file mode 100644 index 000000000..383867e13 --- /dev/null +++ b/pkg/resources/envoygateway/envoygateway_test.go @@ -0,0 +1,237 @@ +// Copyright 2025 Adobe. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package envoygateway + +import ( + "testing" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + gatewayv1 "sigs.k8s.io/gateway-api/apis/v1" + gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + + "github.com/banzaicloud/koperator/api/v1beta1" + "github.com/banzaicloud/koperator/pkg/resources" +) + +func TestGatewayGeneration(t *testing.T) { + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + Spec: v1beta1.KafkaClusterSpec{ + Brokers: []v1beta1.Broker{ + {Id: 0}, + {Id: 1}, + {Id: 2}, + }, + EnvoyGatewayConfig: v1beta1.EnvoyGatewayIngressConfig{ + GatewayClassName: "test-gateway-class", + }, + }, + } + + reconciler := &Reconciler{ + Reconciler: resources.Reconciler{ + KafkaCluster: cluster, + }, + } + + eListener := v1beta1.ExternalListenerConfig{ + CommonListenerSpec: v1beta1.CommonListenerSpec{ + Name: "test-listener", + ContainerPort: 9092, + }, + ExternalStartingPort: 19090, + } + + ingressConfig := v1beta1.IngressConfig{ + EnvoyGatewayConfig: &cluster.Spec.EnvoyGatewayConfig, + } + + gateway := reconciler.gateway(eListener, ingressConfig) + + gw, ok := gateway.(*gatewayv1.Gateway) + if !ok { + t.Fatal("Expected Gateway type") + } + + if gw.Name != "kafka-gateway-test-listener" { + t.Errorf("Expected gateway name 'kafka-gateway-test-listener', got '%s'", gw.Name) + } + + if string(gw.Spec.GatewayClassName) != "test-gateway-class" { + t.Errorf("Expected gateway class 'test-gateway-class', got '%s'", gw.Spec.GatewayClassName) + } + + // 3 brokers + 1 anycast = 4 listeners + if len(gw.Spec.Listeners) != 4 { + t.Errorf("Expected 4 listeners, got %d", len(gw.Spec.Listeners)) + } + + // Check broker listeners + for i := 0; i < 3; i++ { + expectedName := gatewayv1.SectionName("broker-" + string(rune('0'+i))) + if gw.Spec.Listeners[i].Name != expectedName { + t.Errorf("Expected listener name '%s', got '%s'", expectedName, gw.Spec.Listeners[i].Name) + } + expectedPort := gatewayv1.PortNumber(19090 + i) + if gw.Spec.Listeners[i].Port != expectedPort { + t.Errorf("Expected port %d, got %d", expectedPort, gw.Spec.Listeners[i].Port) + } + } + + // Check anycast listener + if gw.Spec.Listeners[3].Name != "anycast" { + t.Errorf("Expected anycast listener name 'anycast', got '%s'", gw.Spec.Listeners[3].Name) + } + // Anycast listener should use the default anycast port (29092), not ExternalStartingPort + expectedAnycastPort := gatewayv1.PortNumber(29092) + if gw.Spec.Listeners[3].Port != expectedAnycastPort { + t.Errorf("Expected anycast port %d, got %d", expectedAnycastPort, gw.Spec.Listeners[3].Port) + } +} + +func TestTCPRouteGeneration(t *testing.T) { + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + Spec: v1beta1.KafkaClusterSpec{ + Brokers: []v1beta1.Broker{ + {Id: 0}, + }, + }, + } + + reconciler := &Reconciler{ + Reconciler: resources.Reconciler{ + KafkaCluster: cluster, + }, + } + + eListener := v1beta1.ExternalListenerConfig{ + CommonListenerSpec: v1beta1.CommonListenerSpec{ + Name: "test-listener", + ContainerPort: 9092, + }, + ExternalStartingPort: 19090, + } + + ingressConfig := v1beta1.IngressConfig{ + EnvoyGatewayConfig: &v1beta1.EnvoyGatewayIngressConfig{}, + } + + route := reconciler.tcpRoute(0, eListener, ingressConfig) + + tcpRoute, ok := route.(*gatewayv1alpha2.TCPRoute) + if !ok { + t.Fatal("Expected TCPRoute type") + } + + if tcpRoute.Name != "kafka-tcproute-test-listener-0" { + t.Errorf("Expected route name 'kafka-tcproute-test-listener-0', got '%s'", tcpRoute.Name) + } + + if len(tcpRoute.Spec.ParentRefs) != 1 { + t.Errorf("Expected 1 parent ref, got %d", len(tcpRoute.Spec.ParentRefs)) + } + + if string(tcpRoute.Spec.ParentRefs[0].Name) != "kafka-gateway-test-listener" { + t.Errorf("Expected parent gateway 'kafka-gateway-test-listener', got '%s'", tcpRoute.Spec.ParentRefs[0].Name) + } + + if len(tcpRoute.Spec.Rules) != 1 { + t.Errorf("Expected 1 rule, got %d", len(tcpRoute.Spec.Rules)) + } + + if len(tcpRoute.Spec.Rules[0].BackendRefs) != 1 { + t.Errorf("Expected 1 backend ref, got %d", len(tcpRoute.Spec.Rules[0].BackendRefs)) + } + + if string(tcpRoute.Spec.Rules[0].BackendRefs[0].Name) != "test-cluster-all-broker" { + t.Errorf("Expected backend 'test-cluster-all-broker', got '%s'", tcpRoute.Spec.Rules[0].BackendRefs[0].Name) + } +} + +func TestGatewayGenerationWithTLS(t *testing.T) { + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + Spec: v1beta1.KafkaClusterSpec{ + Brokers: []v1beta1.Broker{ + {Id: 0}, + {Id: 1}, + {Id: 2}, + }, + EnvoyGatewayConfig: v1beta1.EnvoyGatewayIngressConfig{ + GatewayClassName: "test-gateway-class", + TLSSecretName: "test-tls-secret", + }, + }, + } + + reconciler := &Reconciler{ + Reconciler: resources.Reconciler{ + KafkaCluster: cluster, + }, + } + + eListener := v1beta1.ExternalListenerConfig{ + CommonListenerSpec: v1beta1.CommonListenerSpec{ + Name: "test-listener", + ContainerPort: 9092, + }, + ExternalStartingPort: -1, // TLS enabled + } + + ingressConfig := v1beta1.IngressConfig{ + EnvoyGatewayConfig: &cluster.Spec.EnvoyGatewayConfig, + } + + gateway := reconciler.gateway(eListener, ingressConfig) + + gw, ok := gateway.(*gatewayv1.Gateway) + if !ok { + t.Fatal("Expected Gateway type") + } + + // 3 brokers + 1 anycast = 4 listeners + if len(gw.Spec.Listeners) != 4 { + t.Errorf("Expected 4 listeners, got %d", len(gw.Spec.Listeners)) + } + + // When TLS is enabled (externalStartingPort == -1), all broker listeners should use the anycast port + expectedPort := gatewayv1.PortNumber(29092) // default anycast port + for i := 0; i < 3; i++ { + if gw.Spec.Listeners[i].Port != expectedPort { + t.Errorf("Expected broker %d port %d (anycast port when TLS enabled), got %d", i, expectedPort, gw.Spec.Listeners[i].Port) + } + if gw.Spec.Listeners[i].Protocol != gatewayv1.TLSProtocolType { + t.Errorf("Expected broker %d protocol TLS, got %s", i, gw.Spec.Listeners[i].Protocol) + } + if gw.Spec.Listeners[i].TLS == nil { + t.Errorf("Expected broker %d to have TLS config", i) + } + } + + // Check anycast listener also uses the same port + if gw.Spec.Listeners[3].Port != expectedPort { + t.Errorf("Expected anycast port %d, got %d", expectedPort, gw.Spec.Listeners[3].Port) + } +} diff --git a/pkg/resources/envoygateway/gateway.go b/pkg/resources/envoygateway/gateway.go new file mode 100644 index 000000000..5e881c2ec --- /dev/null +++ b/pkg/resources/envoygateway/gateway.go @@ -0,0 +1,132 @@ +// Copyright 2025 Adobe. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package envoygateway + +import ( + "fmt" + + "sigs.k8s.io/controller-runtime/pkg/client" + gatewayv1 "sigs.k8s.io/gateway-api/apis/v1" + + apiutil "github.com/banzaicloud/koperator/api/util" + "github.com/banzaicloud/koperator/api/v1beta1" + "github.com/banzaicloud/koperator/pkg/resources/templates" + envoygatewayutils "github.com/banzaicloud/koperator/pkg/util/envoygateway" +) + +func (r *Reconciler) gateway(eListener v1beta1.ExternalListenerConfig, + ingressConfig v1beta1.IngressConfig) client.Object { + gatewayName := fmt.Sprintf(envoygatewayutils.GatewayNameTemplate, eListener.Name) + if ingressConfig.EnvoyGatewayConfig != nil && ingressConfig.EnvoyGatewayConfig.GatewayName != "" { + gatewayName = ingressConfig.EnvoyGatewayConfig.GatewayName + } + + gatewayClassName := "eg" + if ingressConfig.EnvoyGatewayConfig != nil { + gatewayClassName = ingressConfig.EnvoyGatewayConfig.GetGatewayClassName() + } + + labels := labelsForEnvoyGateway(r.KafkaCluster.Name, eListener.Name) + if r.KafkaCluster.Spec.PropagateLabels { + labels = apiutil.MergeLabels(r.KafkaCluster.Labels, labels) + } + + annotations := make(map[string]string) + if ingressConfig.EnvoyGatewayConfig != nil { + annotations = ingressConfig.EnvoyGatewayConfig.GetAnnotations() + } + + // Build listeners for the Gateway + var listeners []gatewayv1.Listener + + // Add listener for each broker + for _, broker := range r.KafkaCluster.Spec.Brokers { + listenerName := gatewayv1.SectionName(fmt.Sprintf("broker-%d", broker.Id)) + port := eListener.GetBrokerPort(broker.Id) + + listener := gatewayv1.Listener{ + Name: listenerName, + Port: port, + Protocol: gatewayv1.TCPProtocolType, + } + + if eListener.TLSEnabled() { + listener.Protocol = gatewayv1.TLSProtocolType + + // When TLS is enabled, use hostname-based routing (SNI) + // Each broker needs a unique hostname to satisfy Gateway API uniqueness constraint + if ingressConfig.EnvoyGatewayConfig != nil && ingressConfig.EnvoyGatewayConfig.BrokerHostnameTemplate != "" { + hostname := gatewayv1.Hostname(envoygatewayutils.GetBrokerHostname(ingressConfig.EnvoyGatewayConfig.BrokerHostnameTemplate, broker.Id)) + listener.Hostname = &hostname + } + + // EnvoyGateway only supports TLS termination at the gateway level + // TLSSecretName is validated to be present in the Reconcile method + listener.TLS = &gatewayv1.ListenerTLSConfig{ + Mode: func() *gatewayv1.TLSModeType { + mode := gatewayv1.TLSModeTerminate + return &mode + }(), + CertificateRefs: []gatewayv1.SecretObjectReference{ + { + Name: gatewayv1.ObjectName(ingressConfig.EnvoyGatewayConfig.TLSSecretName), + }, + }, + } + } + + listeners = append(listeners, listener) + } + + // Add anycast listener (all-broker) + anycastListenerName := gatewayv1.SectionName("anycast") + anycastPort := eListener.GetAnyCastPort() + + anycastListener := gatewayv1.Listener{ + Name: anycastListenerName, + Port: anycastPort, + Protocol: gatewayv1.TCPProtocolType, + } + + if eListener.TLSEnabled() { + anycastListener.Protocol = gatewayv1.TLSProtocolType + + // EnvoyGateway only supports TLS termination at the gateway level + // TLSSecretName is validated to be present in the Reconcile method + anycastListener.TLS = &gatewayv1.ListenerTLSConfig{ + Mode: func() *gatewayv1.TLSModeType { + mode := gatewayv1.TLSModeTerminate + return &mode + }(), + CertificateRefs: []gatewayv1.SecretObjectReference{ + { + Name: gatewayv1.ObjectName(ingressConfig.EnvoyGatewayConfig.TLSSecretName), + }, + }, + } + } + + listeners = append(listeners, anycastListener) + + gateway := &gatewayv1.Gateway{ + ObjectMeta: templates.ObjectMetaWithAnnotations(gatewayName, labels, annotations, r.KafkaCluster), + Spec: gatewayv1.GatewaySpec{ + GatewayClassName: gatewayv1.ObjectName(gatewayClassName), + Listeners: listeners, + }, + } + + return gateway +} diff --git a/pkg/resources/envoygateway/tcproute.go b/pkg/resources/envoygateway/tcproute.go new file mode 100644 index 000000000..bff370566 --- /dev/null +++ b/pkg/resources/envoygateway/tcproute.go @@ -0,0 +1,135 @@ +// Copyright 2025 Adobe. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package envoygateway + +import ( + "fmt" + + "sigs.k8s.io/controller-runtime/pkg/client" + gatewayv1 "sigs.k8s.io/gateway-api/apis/v1" + gatewayv1alpha2 "sigs.k8s.io/gateway-api/apis/v1alpha2" + + apiutil "github.com/banzaicloud/koperator/api/util" + "github.com/banzaicloud/koperator/api/v1beta1" + "github.com/banzaicloud/koperator/pkg/resources/templates" + envoygatewayutils "github.com/banzaicloud/koperator/pkg/util/envoygateway" + "github.com/banzaicloud/koperator/pkg/util/kafka" +) + +func (r *Reconciler) tcpRoute(brokerId int32, eListener v1beta1.ExternalListenerConfig, + ingressConfig v1beta1.IngressConfig) client.Object { + tcpRouteName := fmt.Sprintf(envoygatewayutils.TCPRouteNameTemplate, eListener.Name, fmt.Sprintf("%d", brokerId)) + + gatewayName := fmt.Sprintf(envoygatewayutils.GatewayNameTemplate, eListener.Name) + if ingressConfig.EnvoyGatewayConfig != nil && ingressConfig.EnvoyGatewayConfig.GatewayName != "" { + gatewayName = ingressConfig.EnvoyGatewayConfig.GatewayName + } + + labels := labelsForEnvoyGateway(r.KafkaCluster.Name, eListener.Name) + if r.KafkaCluster.Spec.PropagateLabels { + labels = apiutil.MergeLabels(r.KafkaCluster.Labels, labels) + } + + // Backend service reference + serviceName := fmt.Sprintf(kafka.AllBrokerServiceTemplate, r.KafkaCluster.Name) + servicePort := eListener.ContainerPort + + tcpRoute := &gatewayv1alpha2.TCPRoute{ + ObjectMeta: templates.ObjectMeta(tcpRouteName, labels, r.KafkaCluster), + Spec: gatewayv1alpha2.TCPRouteSpec{ + CommonRouteSpec: gatewayv1.CommonRouteSpec{ + ParentRefs: []gatewayv1.ParentReference{ + { + Name: gatewayv1.ObjectName(gatewayName), + SectionName: func() *gatewayv1.SectionName { + name := gatewayv1.SectionName(fmt.Sprintf("broker-%d", brokerId)) + return &name + }(), + }, + }, + }, + Rules: []gatewayv1alpha2.TCPRouteRule{ + { + BackendRefs: []gatewayv1.BackendRef{ + { + BackendObjectReference: gatewayv1.BackendObjectReference{ + Name: gatewayv1.ObjectName(serviceName), + Port: func() *gatewayv1.PortNumber { + port := servicePort + return &port + }(), + }, + }, + }, + }, + }, + }, + } + + return tcpRoute +} + +func (r *Reconciler) tcpRouteAllBroker(eListener v1beta1.ExternalListenerConfig, + ingressConfig v1beta1.IngressConfig) client.Object { + tcpRouteName := fmt.Sprintf(envoygatewayutils.TCPRouteNameTemplate, eListener.Name, "anycast") + + gatewayName := fmt.Sprintf(envoygatewayutils.GatewayNameTemplate, eListener.Name) + if ingressConfig.EnvoyGatewayConfig != nil && ingressConfig.EnvoyGatewayConfig.GatewayName != "" { + gatewayName = ingressConfig.EnvoyGatewayConfig.GatewayName + } + + labels := labelsForEnvoyGateway(r.KafkaCluster.Name, eListener.Name) + if r.KafkaCluster.Spec.PropagateLabels { + labels = apiutil.MergeLabels(r.KafkaCluster.Labels, labels) + } + + // Backend service reference + serviceName := fmt.Sprintf(kafka.AllBrokerServiceTemplate, r.KafkaCluster.Name) + servicePort := eListener.ContainerPort + + tcpRoute := &gatewayv1alpha2.TCPRoute{ + ObjectMeta: templates.ObjectMeta(tcpRouteName, labels, r.KafkaCluster), + Spec: gatewayv1alpha2.TCPRouteSpec{ + CommonRouteSpec: gatewayv1.CommonRouteSpec{ + ParentRefs: []gatewayv1.ParentReference{ + { + Name: gatewayv1.ObjectName(gatewayName), + SectionName: func() *gatewayv1.SectionName { + name := gatewayv1.SectionName("anycast") + return &name + }(), + }, + }, + }, + Rules: []gatewayv1alpha2.TCPRouteRule{ + { + BackendRefs: []gatewayv1.BackendRef{ + { + BackendObjectReference: gatewayv1.BackendObjectReference{ + Name: gatewayv1.ObjectName(serviceName), + Port: func() *gatewayv1.PortNumber { + port := servicePort + return &port + }(), + }, + }, + }, + }, + }, + }, + } + + return tcpRoute +} diff --git a/pkg/resources/istioingress/gateway.go b/pkg/resources/istioingress/gateway.go deleted file mode 100644 index 2313bcbce..000000000 --- a/pkg/resources/istioingress/gateway.go +++ /dev/null @@ -1,110 +0,0 @@ -// Copyright © 2020 Cisco Systems, Inc. and/or its affiliates -// Copyright 2025 Adobe. All rights reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package istioingress - -import ( - "fmt" - "math" - - istioclientv1beta1 "github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1" - - "github.com/go-logr/logr" - "k8s.io/apimachinery/pkg/runtime" - - "github.com/banzaicloud/koperator/api/v1beta1" - "github.com/banzaicloud/koperator/pkg/resources/templates" - "github.com/banzaicloud/koperator/pkg/util" - kafkautils "github.com/banzaicloud/koperator/pkg/util/kafka" -) - -func (r *Reconciler) gateway(log logr.Logger, externalListenerConfig v1beta1.ExternalListenerConfig, - ingressConf v1beta1.IngressConfig, ingressConfigName, defaultIngressConfigName, istioRevision string) runtime.Object { - eListenerLabelName := util.ConstructEListenerLabelName(ingressConfigName, externalListenerConfig.Name) - - var gatewayName string - if ingressConfigName == util.IngressConfigGlobalName { - gatewayName = fmt.Sprintf(gatewayNameTemplate, r.KafkaCluster.Name, externalListenerConfig.Name) - } else { - gatewayName = fmt.Sprintf(gatewayNameTemplateWithScope, r.KafkaCluster.Name, externalListenerConfig.Name, ingressConfigName) - } - return &istioclientv1beta1.Gateway{ - ObjectMeta: templates.ObjectMeta(gatewayName, - labelsForIstioIngress(r.KafkaCluster.Name, eListenerLabelName, istioRevision), r.KafkaCluster), - Spec: istioclientv1beta1.GatewaySpec{ - Selector: labelsForIstioIngress(r.KafkaCluster.Name, eListenerLabelName, istioRevision), - Servers: generateServers(r.KafkaCluster, externalListenerConfig, log, ingressConf, - ingressConfigName, defaultIngressConfigName), - }, - } -} - -func generateServers(kc *v1beta1.KafkaCluster, externalListenerConfig v1beta1.ExternalListenerConfig, log logr.Logger, - ingressConf v1beta1.IngressConfig, ingressConfigName, defaultIngressConfigName string) []istioclientv1beta1.Server { - servers := make([]istioclientv1beta1.Server, 0) - protocol := istioclientv1beta1.ProtocolTCP - var tlsConfig *istioclientv1beta1.TLSOptions - if ingressConf.IstioIngressConfig.TLSOptions != nil { - tlsConfig = ingressConf.IstioIngressConfig.TLSOptions - protocol = istioclientv1beta1.ProtocolTLS - } - - brokerIds := util.GetBrokerIdsFromStatusAndSpec(kc.Status.BrokersState, kc.Spec.Brokers, log) - - for _, brokerId := range brokerIds { - brokerConfig, err := kafkautils.GatherBrokerConfigIfAvailable(kc.Spec, brokerId) - if err != nil { - log.Error(err, "could not determine brokerConfig") - continue - } - if util.ShouldIncludeBroker(brokerConfig, kc.Status, brokerId, defaultIngressConfigName, ingressConfigName) { - servers = append(servers, istioclientv1beta1.Server{ - Port: &istioclientv1beta1.Port{ - Number: func() int { - // Broker IDs are always within valid range for int32 conversion - if brokerId < 0 || brokerId > math.MaxInt32 { - // This should never happen as broker IDs are small positive integers - log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in gateway port") - return 0 - } - brokerPort := externalListenerConfig.GetBrokerPort(int32(brokerId)) - // Port numbers are always within valid range for int conversion - if brokerPort < 0 || brokerPort > 65535 { - // This should never happen as GetBrokerPort returns valid port numbers - log.Error(fmt.Errorf("broker port %d out of valid range [0-65535] for broker %d", brokerPort, brokerId), "Invalid broker port detected in gateway port") - return 0 - } - return int(brokerPort) - }(), - Protocol: protocol, - Name: fmt.Sprintf("tcp-broker-%d", brokerId), - }, - TLS: tlsConfig, - Hosts: []string{"*"}, - }) - } - } - servers = append(servers, istioclientv1beta1.Server{ - Port: &istioclientv1beta1.Port{ - Number: int(externalListenerConfig.GetAnyCastPort()), - Protocol: protocol, - Name: fmt.Sprintf(kafkautils.AllBrokerServiceTemplate, "tcp"), - }, - Hosts: []string{"*"}, - TLS: tlsConfig, - }) - - return servers -} diff --git a/pkg/resources/istioingress/istioingress.go b/pkg/resources/istioingress/istioingress.go deleted file mode 100644 index 8e1c6b48f..000000000 --- a/pkg/resources/istioingress/istioingress.go +++ /dev/null @@ -1,168 +0,0 @@ -// Copyright © 2020 Cisco Systems, Inc. and/or its affiliates -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package istioingress - -import ( - "context" - "fmt" - "reflect" - "strings" - - "emperror.dev/errors" - - istioclientv1beta1 "github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1" - istioOperatorApi "github.com/banzaicloud/istio-operator/api/v2/v1alpha1" - "github.com/banzaicloud/operator-tools/pkg/utils" - - "github.com/banzaicloud/koperator/api/v1beta1" - "github.com/banzaicloud/koperator/pkg/k8sutil" - "github.com/banzaicloud/koperator/pkg/resources" - "github.com/banzaicloud/koperator/pkg/util" - "github.com/banzaicloud/koperator/pkg/util/istioingress" - - corev1 "k8s.io/api/core/v1" - apimeta "k8s.io/apimachinery/pkg/api/meta" - "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "k8s.io/apimachinery/pkg/runtime/schema" - - "github.com/go-logr/logr" - "sigs.k8s.io/controller-runtime/pkg/client" -) - -const ( - componentName = "istioingress" - gatewayNameTemplate = "%s-%s-gateway" - gatewayNameTemplateWithScope = "%s-%s-%s-gateway" - virtualServiceTemplate = "%s-%s-virtualservice" - virtualServiceTemplateWithScope = "%s-%s-%s-virtualservice" -) - -// labelsForIstioIngress returns the labels for selecting the resources -// belonging to the given kafka CR name. -func labelsForIstioIngress(crName, eLName, istioRevision string) map[string]string { - return utils.MergeLabels(labelsForIstioIngressWithoutEListenerName(crName, istioRevision), map[string]string{util.ExternalListenerLabelNameKey: eLName}) -} - -func labelsForIstioIngressWithoutEListenerName(crName, istioRevision string) map[string]string { - labels := map[string]string{v1beta1.AppLabelKey: "istioingress", v1beta1.KafkaCRLabelKey: crName} - if istioRevision != "" { - labels["istio.io/rev"] = istioRevision - } - return labels -} - -// Reconciler implements the Component Reconciler -type Reconciler struct { - resources.Reconciler -} - -// New creates a new reconciler for IstioIngress -func New(client client.Client, cluster *v1beta1.KafkaCluster) *Reconciler { - return &Reconciler{ - Reconciler: resources.Reconciler{ - Client: client, - KafkaCluster: cluster, - }, - } -} - -// Reconcile implements the reconcile logic for IstioIngress -func (r *Reconciler) Reconcile(log logr.Logger) error { - log = log.WithValues("component", componentName) - log.V(1).Info("Reconciling") - - for _, eListener := range r.KafkaCluster.Spec.ListenersConfig.ExternalListeners { - if r.KafkaCluster.Spec.GetIngressController() == istioingress.IngressControllerName && eListener.GetAccessMethod() == corev1.ServiceTypeLoadBalancer { - if r.KafkaCluster.Spec.IstioControlPlane == nil { - log.Error(errors.NewPlain("reference to Istio Control Plane is missing"), "skip external listener reconciliation", "external listener", eListener.Name) - continue - } - - istioRevision := istioOperatorApi.NamespacedRevision( - strings.ReplaceAll(r.KafkaCluster.Spec.IstioControlPlane.Name, ".", "-"), - r.KafkaCluster.Spec.IstioControlPlane.Namespace) - ingressConfigs, defaultControllerName, err := util.GetIngressConfigs(r.KafkaCluster.Spec, eListener) - if err != nil { - return err - } - for name, ingressConfig := range ingressConfigs { - if !util.IsIngressConfigInUse(name, defaultControllerName, r.KafkaCluster, log) { - continue - } - for _, res := range []resources.ResourceWithLogAndExternalListenerSpecificInfosAndIstioRevision{ - r.meshgateway, - r.gateway, - r.virtualService, - } { - o := res(log, eListener, ingressConfig, name, defaultControllerName, istioRevision) - err := k8sutil.Reconcile(log, r.Client, o, r.KafkaCluster) - if err != nil { - return err - } - } - } - } else if r.KafkaCluster.Spec.RemoveUnusedIngressResources { - // Cleaning up unused istio resources when ingress controller is not istioingress or externalListener access method is not LoadBalancer - deletionCounter := 0 - ctx := context.Background() - istioResourcesGVK := []schema.GroupVersionKind{ - { - Version: istioOperatorApi.GroupVersion.Version, - Group: istioOperatorApi.GroupVersion.Group, - Kind: reflect.TypeOf(istioOperatorApi.IstioMeshGateway{}).Name(), - }, - { - Version: istioclientv1beta1.SchemeGroupVersion.Version, - Group: istioclientv1beta1.SchemeGroupVersion.Group, - Kind: reflect.TypeOf(istioclientv1beta1.Gateway{}).Name(), - }, - { - Version: istioclientv1beta1.SchemeGroupVersion.Version, - Group: istioclientv1beta1.SchemeGroupVersion.Group, - Kind: reflect.TypeOf(istioclientv1beta1.VirtualService{}).Name(), - }, - } - var istioResources unstructured.UnstructuredList - for _, gvk := range istioResourcesGVK { - istioResources.SetGroupVersionKind(gvk) - - if err := r.List(ctx, &istioResources, client.InNamespace(r.KafkaCluster.GetNamespace()), - client.MatchingLabels(labelsForIstioIngressWithoutEListenerName(r.KafkaCluster.Name, ""))); err != nil && !apimeta.IsNoMatchError(err) { - return errors.Wrap(err, "error when getting list of istio ingress resources for deletion") - } - - for _, removeObject := range istioResources.Items { - if !strings.Contains(removeObject.GetLabels()[util.ExternalListenerLabelNameKey], eListener.Name) || - util.ObjectManagedByClusterRegistry(&removeObject) || - !removeObject.GetDeletionTimestamp().IsZero() { - continue - } - if err := r.Delete(ctx, &removeObject); client.IgnoreNotFound(err) != nil { - return errors.Wrap(err, "error when removing istio ingress resources") - } - log.V(1).Info(fmt.Sprintf("Deleted istio ingress '%s' resource '%s' for externalListener '%s'", gvk.Kind, removeObject.GetName(), eListener.Name)) - deletionCounter++ - } - } - if deletionCounter > 0 { - log.Info(fmt.Sprintf("Removed '%d' resources for istio ingress", deletionCounter)) - } - } - } - - log.V(1).Info("Reconciled") - - return nil -} diff --git a/pkg/resources/istioingress/meshgateway.go b/pkg/resources/istioingress/meshgateway.go deleted file mode 100644 index 2f9507d9b..000000000 --- a/pkg/resources/istioingress/meshgateway.go +++ /dev/null @@ -1,143 +0,0 @@ -// Copyright © 2020 Cisco Systems, Inc. and/or its affiliates -// Copyright 2025 Adobe. All rights reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package istioingress - -import ( - "fmt" - "math" - - istioOperatorApi "github.com/banzaicloud/istio-operator/api/v2/v1alpha1" - "github.com/go-logr/logr" - "google.golang.org/protobuf/types/known/wrapperspb" - corev1 "k8s.io/api/core/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/util/intstr" - - "github.com/banzaicloud/koperator/api/v1beta1" - "github.com/banzaicloud/koperator/pkg/resources/templates" - "github.com/banzaicloud/koperator/pkg/util" - istioingressutils "github.com/banzaicloud/koperator/pkg/util/istioingress" - kafkautils "github.com/banzaicloud/koperator/pkg/util/kafka" -) - -func (r *Reconciler) meshgateway(log logr.Logger, externalListenerConfig v1beta1.ExternalListenerConfig, - ingressConfig v1beta1.IngressConfig, ingressConfigName, defaultIngressConfigName, istioRevision string) runtime.Object { - eListenerLabelName := util.ConstructEListenerLabelName(ingressConfigName, externalListenerConfig.Name) - - var meshgatewayName string - if ingressConfigName == util.IngressConfigGlobalName { - meshgatewayName = fmt.Sprintf(istioingressutils.MeshGatewayNameTemplate, externalListenerConfig.Name, r.KafkaCluster.GetName()) - } else { - meshgatewayName = fmt.Sprintf(istioingressutils.MeshGatewayNameTemplateWithScope, - externalListenerConfig.Name, ingressConfigName, r.KafkaCluster.GetName()) - } - - mgateway := &istioOperatorApi.IstioMeshGateway{ - ObjectMeta: templates.ObjectMeta( - meshgatewayName, - labelsForIstioIngress(r.KafkaCluster.Name, eListenerLabelName, istioRevision), r.KafkaCluster), - Spec: &istioOperatorApi.IstioMeshGatewaySpec{ - Deployment: &istioOperatorApi.BaseKubernetesResourceConfig{ - Metadata: &istioOperatorApi.K8SObjectMeta{ - Labels: labelsForIstioIngress(r.KafkaCluster.Name, eListenerLabelName, istioRevision), - Annotations: ingressConfig.IstioIngressConfig.GetAnnotations(), - }, - Env: ingressConfig.IstioIngressConfig.Envs, - Resources: istioOperatorApi.InitResourceRequirementsFromK8sRR(ingressConfig.IstioIngressConfig.GetResources()), - NodeSelector: ingressConfig.IstioIngressConfig.NodeSelector, - SecurityContext: &corev1.SecurityContext{ - RunAsNonRoot: util.BoolPointer(false), - }, - Tolerations: ingressConfig.IstioIngressConfig.Tolerations, - Replicas: &istioOperatorApi.Replicas{ - Count: wrapperspb.Int32(ingressConfig.IstioIngressConfig.GetReplicas()), - Min: wrapperspb.Int32(ingressConfig.IstioIngressConfig.GetReplicas()), - Max: wrapperspb.Int32(ingressConfig.IstioIngressConfig.GetReplicas()), - }, - }, - Service: &istioOperatorApi.Service{ - Metadata: &istioOperatorApi.K8SObjectMeta{ - Annotations: ingressConfig.GetServiceAnnotations(), - }, - Ports: generateExternalPorts(r.KafkaCluster, - util.GetBrokerIdsFromStatusAndSpec(r.KafkaCluster.Status.BrokersState, r.KafkaCluster.Spec.Brokers, log), - externalListenerConfig, log, ingressConfigName, defaultIngressConfigName), - Type: string(ingressConfig.GetServiceType()), - LoadBalancerSourceRanges: ingressConfig.IstioIngressConfig.GetLoadBalancerSourceRanges(), - }, - RunAsRoot: wrapperspb.Bool(true), - Type: istioOperatorApi.GatewayType_ingress, - IstioControlPlane: &istioOperatorApi.NamespacedName{ - Name: r.KafkaCluster.Spec.IstioControlPlane.Name, - Namespace: r.KafkaCluster.Spec.IstioControlPlane.Namespace, - }, - }, - } - - return mgateway -} - -func generateExternalPorts(kc *v1beta1.KafkaCluster, brokerIds []int, - externalListenerConfig v1beta1.ExternalListenerConfig, log logr.Logger, ingressConfigName, defaultIngressConfigName string) []*istioOperatorApi.ServicePort { - generatedPorts := make([]*istioOperatorApi.ServicePort, 0) - for _, brokerId := range brokerIds { - brokerConfig, err := kafkautils.GatherBrokerConfigIfAvailable(kc.Spec, brokerId) - if err != nil { - log.Error(err, "could not determine brokerConfig") - continue - } - if util.ShouldIncludeBroker(brokerConfig, kc.Status, brokerId, defaultIngressConfigName, ingressConfigName) { - generatedPorts = append(generatedPorts, &istioOperatorApi.ServicePort{ - Name: fmt.Sprintf("tcp-broker-%d", brokerId), - Protocol: string(corev1.ProtocolTCP), - Port: func() int32 { - // Broker IDs are always within valid range for int32 conversion - if brokerId < 0 || brokerId > math.MaxInt32 { - // This should never happen as broker IDs are small positive integers - log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in mesh gateway port") - return 0 - } - return externalListenerConfig.GetBrokerPort(int32(brokerId)) - }(), - TargetPort: func() *istioOperatorApi.IntOrString { - // Broker IDs are always within valid range for int32 conversion - if brokerId < 0 || brokerId > math.MaxInt32 { - // This should never happen as broker IDs are small positive integers - log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in mesh gateway target port") - return &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(0)} - } - brokerPort := externalListenerConfig.GetBrokerPort(int32(brokerId)) - // Port numbers are always within valid range for int conversion - if brokerPort < 0 || brokerPort > 65535 { - // This should never happen as GetBrokerPort returns valid port numbers - log.Error(fmt.Errorf("broker port %d out of valid range [0-65535] for broker %d", brokerPort, brokerId), "Invalid broker port detected in mesh gateway target port") - return &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(0)} - } - return &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(int(brokerPort))} - }(), - }) - } - } - - generatedPorts = append(generatedPorts, &istioOperatorApi.ServicePort{ - Name: fmt.Sprintf(kafkautils.AllBrokerServiceTemplate, "tcp"), - Protocol: string(corev1.ProtocolTCP), - Port: externalListenerConfig.GetAnyCastPort(), - TargetPort: &istioOperatorApi.IntOrString{IntOrString: intstr.FromInt(int(externalListenerConfig.GetIngressControllerTargetPort()))}, - }) - - return generatedPorts -} diff --git a/pkg/resources/istioingress/virtualservice.go b/pkg/resources/istioingress/virtualservice.go deleted file mode 100644 index ad62bdc74..000000000 --- a/pkg/resources/istioingress/virtualservice.go +++ /dev/null @@ -1,200 +0,0 @@ -// Copyright © 2020 Cisco Systems, Inc. and/or its affiliates -// Copyright 2025 Adobe. All rights reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package istioingress - -import ( - "fmt" - "math" - - istioclientv1beta1 "github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1" - - "github.com/go-logr/logr" - "k8s.io/apimachinery/pkg/runtime" - - "github.com/banzaicloud/koperator/api/v1beta1" - "github.com/banzaicloud/koperator/pkg/resources/templates" - "github.com/banzaicloud/koperator/pkg/util" - kafkautils "github.com/banzaicloud/koperator/pkg/util/kafka" -) - -func (r *Reconciler) virtualService(log logr.Logger, externalListenerConfig v1beta1.ExternalListenerConfig, - ingressConfig v1beta1.IngressConfig, ingressConfigName, defaultIngressConfigName, istioRevision string) runtime.Object { - eListenerLabelName := util.ConstructEListenerLabelName(ingressConfigName, externalListenerConfig.Name) - - var gatewayName, virtualSName string - if ingressConfigName == util.IngressConfigGlobalName { - gatewayName = fmt.Sprintf(gatewayNameTemplate, r.KafkaCluster.Name, externalListenerConfig.Name) - virtualSName = fmt.Sprintf(virtualServiceTemplate, r.KafkaCluster.Name, externalListenerConfig.Name) - } else { - gatewayName = fmt.Sprintf(gatewayNameTemplateWithScope, r.KafkaCluster.Name, externalListenerConfig.Name, ingressConfigName) - virtualSName = fmt.Sprintf(virtualServiceTemplateWithScope, r.KafkaCluster.Name, externalListenerConfig.Name, ingressConfigName) - } - - vServiceSpec := istioclientv1beta1.VirtualServiceSpec{ - Hosts: []string{"*"}, - Gateways: []string{gatewayName}, - } - - if ingressConfig.IstioIngressConfig.TLSOptions != nil && - ingressConfig.IstioIngressConfig.TLSOptions.Mode == istioclientv1beta1.TLSModePassThrough { - vServiceSpec.TLS = generateTlsRoutes(r.KafkaCluster, externalListenerConfig, log, ingressConfigName, defaultIngressConfigName) - } else { - vServiceSpec.TCP = generateTcpRoutes(r.KafkaCluster, externalListenerConfig, log, ingressConfigName, defaultIngressConfigName) - } - - return &istioclientv1beta1.VirtualService{ - ObjectMeta: templates.ObjectMetaWithAnnotations( - virtualSName, - labelsForIstioIngress(r.KafkaCluster.Name, eListenerLabelName, istioRevision), - ingressConfig.IstioIngressConfig.GetVirtualServiceAnnotations(), - r.KafkaCluster), - Spec: vServiceSpec, - } -} - -func generateTlsRoutes(kc *v1beta1.KafkaCluster, externalListenerConfig v1beta1.ExternalListenerConfig, log logr.Logger, - ingressConfigName, defaultIngressConfigName string) []istioclientv1beta1.TLSRoute { - tlsRoutes := make([]istioclientv1beta1.TLSRoute, 0) - - brokerIds := util.GetBrokerIdsFromStatusAndSpec(kc.Status.BrokersState, kc.Spec.Brokers, log) - - for _, brokerId := range brokerIds { - brokerConfig, err := kafkautils.GatherBrokerConfigIfAvailable(kc.Spec, brokerId) - if err != nil { - log.Error(err, "could not determine brokerConfig") - continue - } - if util.ShouldIncludeBroker(brokerConfig, kc.Status, brokerId, defaultIngressConfigName, ingressConfigName) { - tlsRoutes = append(tlsRoutes, istioclientv1beta1.TLSRoute{ - Match: []istioclientv1beta1.TLSMatchAttributes{ - { - Port: func() *int { - // Broker IDs are always within valid range for int32 conversion - if brokerId < 0 || brokerId > math.MaxInt32 { - // This should never happen as broker IDs are small positive integers - log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in TLS route port") - return util.IntPointer(0) - } - brokerPort := externalListenerConfig.GetBrokerPort(int32(brokerId)) - // Port numbers are always within valid range for int conversion - if brokerPort < 0 || brokerPort > 65535 { - // This should never happen as GetBrokerPort returns valid port numbers - log.Error(fmt.Errorf("broker port %d out of valid range [0-65535] for broker %d", brokerPort, brokerId), "Invalid broker port detected in TLS route") - return util.IntPointer(0) - } - return util.IntPointer(int(brokerPort)) - }(), - SniHosts: []string{"*"}, - }, - }, - Route: []*istioclientv1beta1.RouteDestination{ - { - Destination: &istioclientv1beta1.Destination{ - Host: fmt.Sprintf("%s-%d", kc.Name, brokerId), - Port: &istioclientv1beta1.PortSelector{Number: uint32(externalListenerConfig.ContainerPort)}, - }, - }, - }, - }) - } - } - if !kc.Spec.HeadlessServiceEnabled && len(kc.Spec.ListenersConfig.ExternalListeners) > 0 { - tlsRoutes = append(tlsRoutes, istioclientv1beta1.TLSRoute{ - Match: []istioclientv1beta1.TLSMatchAttributes{ - { - Port: util.IntPointer(int(externalListenerConfig.GetAnyCastPort())), - SniHosts: []string{"*"}, - }, - }, - Route: []*istioclientv1beta1.RouteDestination{ - { - Destination: &istioclientv1beta1.Destination{ - Host: fmt.Sprintf(kafkautils.AllBrokerServiceTemplate, kc.Name), - Port: &istioclientv1beta1.PortSelector{Number: uint32(externalListenerConfig.ContainerPort)}, - }, - }, - }, - }) - } - - return tlsRoutes -} - -func generateTcpRoutes(kc *v1beta1.KafkaCluster, externalListenerConfig v1beta1.ExternalListenerConfig, log logr.Logger, - ingressConfigName, defaultIngressConfigName string) []istioclientv1beta1.TCPRoute { - tcpRoutes := make([]istioclientv1beta1.TCPRoute, 0) - - brokerIds := util.GetBrokerIdsFromStatusAndSpec(kc.Status.BrokersState, kc.Spec.Brokers, log) - - for _, brokerId := range brokerIds { - brokerConfig, err := kafkautils.GatherBrokerConfigIfAvailable(kc.Spec, brokerId) - if err != nil { - log.Error(err, "could not determine brokerConfig") - continue - } - if util.ShouldIncludeBroker(brokerConfig, kc.Status, brokerId, defaultIngressConfigName, ingressConfigName) { - tcpRoutes = append(tcpRoutes, istioclientv1beta1.TCPRoute{ - Match: []istioclientv1beta1.L4MatchAttributes{ - { - Port: func() *int { - // Broker IDs are always within valid range for int32 conversion - if brokerId < 0 || brokerId > math.MaxInt32 { - // This should never happen as broker IDs are small positive integers - log.Error(fmt.Errorf("broker ID %d out of valid range for int32 conversion", brokerId), "Invalid broker ID detected in TCP route port") - return util.IntPointer(0) - } - brokerPort := externalListenerConfig.GetBrokerPort(int32(brokerId)) - // Port numbers are always within valid range for int conversion - if brokerPort < 0 || brokerPort > 65535 { - // This should never happen as GetBrokerPort returns valid port numbers - log.Error(fmt.Errorf("broker port %d out of valid range [0-65535] for broker %d", brokerPort, brokerId), "Invalid broker port detected in TCP route") - return util.IntPointer(0) - } - return util.IntPointer(int(brokerPort)) - }(), - }, - }, - Route: []*istioclientv1beta1.RouteDestination{ - { - Destination: &istioclientv1beta1.Destination{ - Host: fmt.Sprintf("%s-%d", kc.Name, brokerId), - Port: &istioclientv1beta1.PortSelector{Number: uint32(externalListenerConfig.ContainerPort)}, - }, - }, - }, - }) - } - } - if !kc.Spec.HeadlessServiceEnabled { - tcpRoutes = append(tcpRoutes, istioclientv1beta1.TCPRoute{ - Match: []istioclientv1beta1.L4MatchAttributes{ - { - Port: util.IntPointer(int(externalListenerConfig.GetAnyCastPort())), - }, - }, - Route: []*istioclientv1beta1.RouteDestination{ - { - Destination: &istioclientv1beta1.Destination{ - Host: fmt.Sprintf(kafkautils.AllBrokerServiceTemplate, kc.Name), - Port: &istioclientv1beta1.PortSelector{Number: uint32(externalListenerConfig.ContainerPort)}, - }, - }, - }, - }) - } - - return tcpRoutes -} diff --git a/pkg/resources/kafka/kafka.go b/pkg/resources/kafka/kafka.go index 72c907bcd..d59ad7556 100644 --- a/pkg/resources/kafka/kafka.go +++ b/pkg/resources/kafka/kafka.go @@ -55,7 +55,7 @@ import ( certutil "github.com/banzaicloud/koperator/pkg/util/cert" contourutils "github.com/banzaicloud/koperator/pkg/util/contour" envoyutils "github.com/banzaicloud/koperator/pkg/util/envoy" - istioingressutils "github.com/banzaicloud/koperator/pkg/util/istioingress" + envoygatewayutils "github.com/banzaicloud/koperator/pkg/util/envoygateway" "github.com/banzaicloud/koperator/pkg/util/kafka" pkicommon "github.com/banzaicloud/koperator/pkg/util/pki" ) @@ -1412,7 +1412,12 @@ func (r *Reconciler) getBrokerHost(log logr.Logger, defaultHost string, broker b // portNumber = eListener.ContainerPort case corev1.ServiceTypeLoadBalancer: if eListener.TLSEnabled() { - brokerHost = iConfig.EnvoyConfig.GetBrokerHostname(broker.Id) + // Check which ingress controller is being used + if iConfig.EnvoyConfig != nil { + brokerHost = iConfig.EnvoyConfig.GetBrokerHostname(broker.Id) + } else if iConfig.EnvoyGatewayConfig != nil { + brokerHost = iConfig.EnvoyGatewayConfig.GetBrokerHostname(broker.Id) + } if brokerHost == "" { return "", errors.New("brokerHostnameTemplate is not set in the ingress service settings") } @@ -1423,98 +1428,108 @@ func (r *Reconciler) getBrokerHost(log logr.Logger, defaultHost string, broker b return fmt.Sprintf("%s:%d", brokerHost, portNumber), nil } -func (r *Reconciler) createExternalListenerStatuses(log logr.Logger) (map[string]banzaiv1beta1.ListenerStatusList, error) { - extListenerStatuses := make(map[string]banzaiv1beta1.ListenerStatusList, len(r.KafkaCluster.Spec.ListenersConfig.ExternalListeners)) - for _, eListener := range r.KafkaCluster.Spec.ListenersConfig.ExternalListeners { - // in case if external listener uses loadbalancer type of service and istioControlPlane is not specified than we skip this listener from status update. In this way this external listener will not be in the configmap. - if eListener.GetAccessMethod() == corev1.ServiceTypeLoadBalancer && r.KafkaCluster.Spec.GetIngressController() == istioingressutils.IngressControllerName && r.KafkaCluster.Spec.IstioControlPlane == nil { +func (r *Reconciler) createStandardExternalListenerStatuses(log logr.Logger, eListener banzaiv1beta1.ExternalListenerConfig) (banzaiv1beta1.ListenerStatusList, error) { + var host string + var foundLBService *corev1.Service + var err error + ingressConfigs, defaultControllerName, err := util.GetIngressConfigs(r.KafkaCluster.Spec, eListener) + if err != nil { + return nil, err + } + listenerStatusList := make(banzaiv1beta1.ListenerStatusList, 0, len(r.KafkaCluster.Spec.Brokers)+1) + for iConfigName, iConfig := range ingressConfigs { + if !util.IsIngressConfigInUse(iConfigName, defaultControllerName, r.KafkaCluster, log) { continue } - var host string - var foundLBService *corev1.Service - var err error - ingressConfigs, defaultControllerName, err := util.GetIngressConfigs(r.KafkaCluster.Spec, eListener) - if err != nil { - return nil, err - } - listenerStatusList := make(banzaiv1beta1.ListenerStatusList, 0, len(r.KafkaCluster.Spec.Brokers)+1) - for iConfigName, iConfig := range ingressConfigs { - if !util.IsIngressConfigInUse(iConfigName, defaultControllerName, r.KafkaCluster, log) { - continue + if iConfig.HostnameOverride != "" { + host = iConfig.HostnameOverride + } else if eListener.GetAccessMethod() == corev1.ServiceTypeLoadBalancer && r.KafkaCluster.Spec.GetIngressController() != envoygatewayutils.IngressControllerName { + // For envoy and contour ingress controllers, get the LoadBalancer service + foundLBService, err = getServiceFromExternalListener(r.Client, r.KafkaCluster, eListener.Name, iConfigName) + if err != nil { + return nil, errors.WrapIfWithDetails(err, "could not get service corresponding to the external listener", "externalListenerName", eListener.Name) + } + lbIP, err := getLoadBalancerIP(foundLBService) + if err != nil { + return nil, errors.WrapIfWithDetails(err, "could not extract IP from LoadBalancer service", "externalListenerName", eListener.Name) } - if iConfig.HostnameOverride != "" { - host = iConfig.HostnameOverride - } else if eListener.GetAccessMethod() == corev1.ServiceTypeLoadBalancer { + host = lbIP + } + + // optionally add all brokers service to the top of the list + if eListener.GetAccessMethod() != corev1.ServiceTypeNodePort && r.KafkaCluster.Spec.GetIngressController() != envoygatewayutils.IngressControllerName { + if foundLBService == nil { foundLBService, err = getServiceFromExternalListener(r.Client, r.KafkaCluster, eListener.Name, iConfigName) if err != nil { return nil, errors.WrapIfWithDetails(err, "could not get service corresponding to the external listener", "externalListenerName", eListener.Name) } - lbIP, err := getLoadBalancerIP(foundLBService) - if err != nil { - return nil, errors.WrapIfWithDetails(err, "could not extract IP from LoadBalancer service", "externalListenerName", eListener.Name) + } + var allBrokerPort int32 = 0 + for _, port := range foundLBService.Spec.Ports { + if port.Name == "tcp-all-broker" { + allBrokerPort = port.Port + break } - host = lbIP } + if allBrokerPort == 0 { + return nil, errors.NewWithDetails("could not find port with name tcp-all-broker", "externalListenerName", eListener.Name) + } + var anyBrokerStatusName string + if iConfigName == util.IngressConfigGlobalName { + anyBrokerStatusName = "any-broker" + } else { + anyBrokerStatusName = fmt.Sprintf("any-broker-%s", iConfigName) + } + listenerStatus := banzaiv1beta1.ListenerStatus{ + Name: anyBrokerStatusName, + Address: fmt.Sprintf("%s:%d", host, allBrokerPort), + } + listenerStatusList = append(listenerStatusList, listenerStatus) + } - // optionally add all brokers service to the top of the list - if eListener.GetAccessMethod() != corev1.ServiceTypeNodePort { - if foundLBService == nil { - foundLBService, err = getServiceFromExternalListener(r.Client, r.KafkaCluster, eListener.Name, iConfigName) - if err != nil { - return nil, errors.WrapIfWithDetails(err, "could not get service corresponding to the external listener", "externalListenerName", eListener.Name) - } - } - var allBrokerPort int32 = 0 - for _, port := range foundLBService.Spec.Ports { - if port.Name == "tcp-all-broker" { - allBrokerPort = port.Port - break - } - } - if allBrokerPort == 0 { - return nil, errors.NewWithDetails("could not find port with name tcp-all-broker", "externalListenerName", eListener.Name) - } - var anyBrokerStatusName string - if iConfigName == util.IngressConfigGlobalName { - anyBrokerStatusName = "any-broker" - } else { - anyBrokerStatusName = fmt.Sprintf("any-broker-%s", iConfigName) - } + for _, broker := range r.KafkaCluster.Spec.Brokers { + brokerHostPort, err := r.getBrokerHost(log, host, broker, eListener, iConfig) + if err != nil { + return nil, errors.WrapIfWithDetails(err, "could not get brokerHost for external listener status", "brokerID", broker.Id) + } + + brokerConfig, err := broker.GetBrokerConfig(r.KafkaCluster.Spec) + if err != nil { + return nil, err + } + if util.ShouldIncludeBroker(brokerConfig, r.KafkaCluster.Status, int(broker.Id), defaultControllerName, iConfigName) { listenerStatus := banzaiv1beta1.ListenerStatus{ - Name: anyBrokerStatusName, - Address: fmt.Sprintf("%s:%d", host, allBrokerPort), + Name: fmt.Sprintf("broker-%d", broker.Id), + Address: brokerHostPort, } listenerStatusList = append(listenerStatusList, listenerStatus) } + } + } + // We have to sort the listener status list since the ingress config is a + // map and we are using that for the generation + sort.Sort(listenerStatusList) - for _, broker := range r.KafkaCluster.Spec.Brokers { - brokerHostPort, err := r.getBrokerHost(log, host, broker, eListener, iConfig) - if err != nil { - return nil, errors.WrapIfWithDetails(err, "could not get brokerHost for external listener status", "brokerID", broker.Id) - } + return listenerStatusList, nil +} - brokerConfig, err := broker.GetBrokerConfig(r.KafkaCluster.Spec) - if err != nil { - return nil, err - } - if util.ShouldIncludeBroker(brokerConfig, r.KafkaCluster.Status, int(broker.Id), defaultControllerName, iConfigName) { - listenerStatus := banzaiv1beta1.ListenerStatus{ - Name: fmt.Sprintf("broker-%d", broker.Id), - Address: brokerHostPort, - } - listenerStatusList = append(listenerStatusList, listenerStatus) - } - } +func (r *Reconciler) createExternalListenerStatuses(log logr.Logger) (map[string]banzaiv1beta1.ListenerStatusList, error) { + extListenerStatuses := make(map[string]banzaiv1beta1.ListenerStatusList, len(r.KafkaCluster.Spec.ListenersConfig.ExternalListeners)) + for _, eListener := range r.KafkaCluster.Spec.ListenersConfig.ExternalListeners { + listenerStatusList, err := r.createListenerStatuses(log, eListener) + if err != nil { + return nil, err } - // We have to sort the listener status list since the ingress config is a - // map and we are using that for the generation - sort.Sort(listenerStatusList) - extListenerStatuses[eListener.Name] = listenerStatusList } return extListenerStatuses, nil } +func (r *Reconciler) createListenerStatuses(log logr.Logger, eListener banzaiv1beta1.ExternalListenerConfig) (banzaiv1beta1.ListenerStatusList, error) { + // Handle standard external listeners + return r.createStandardExternalListenerStatuses(log, eListener) +} + func (r *Reconciler) getK8sAssignedNodeport(log logr.Logger, eListenerName string, brokerId int32) (int32, error) { log.Info("determining automatically assigned nodeport", banzaiv1beta1.BrokerIdLabelKey, brokerId, "listenerName", eListenerName) @@ -1626,14 +1641,6 @@ func getServiceFromExternalListener(client client.Client, cluster *banzaiv1beta1 foundLBService := &corev1.Service{} var iControllerServiceName string switch cluster.Spec.GetIngressController() { - case istioingressutils.IngressControllerName: - if ingressConfigName == util.IngressConfigGlobalName { - iControllerServiceName = fmt.Sprintf(istioingressutils.MeshGatewayNameTemplate, eListenerName, cluster.GetName()) - iControllerServiceName = strings.ReplaceAll(iControllerServiceName, "_", "-") - } else { - iControllerServiceName = fmt.Sprintf(istioingressutils.MeshGatewayNameTemplateWithScope, eListenerName, ingressConfigName, cluster.GetName()) - iControllerServiceName = strings.ReplaceAll(iControllerServiceName, "_", "-") - } case envoyutils.IngressControllerName: if ingressConfigName == util.IngressConfigGlobalName { iControllerServiceName = fmt.Sprintf(envoyutils.EnvoyServiceName, eListenerName, cluster.GetName()) @@ -1650,6 +1657,10 @@ func getServiceFromExternalListener(client client.Client, cluster *banzaiv1beta1 iControllerServiceName = fmt.Sprintf(contourutils.ContourServiceNameWithScope, eListenerName, ingressConfigName, cluster.GetName()) iControllerServiceName = strings.ReplaceAll(iControllerServiceName, "_", "-") } + case envoygatewayutils.IngressControllerName: + // EnvoyGateway uses Gateway API resources, not LoadBalancer services + // Return an error to indicate this is not supported for EnvoyGateway + return nil, errors.New("EnvoyGateway does not use LoadBalancer services; use Gateway API resources instead") } err := client.Get(context.TODO(), types.NamespacedName{Name: iControllerServiceName, Namespace: cluster.GetNamespace()}, foundLBService) diff --git a/pkg/resources/kafka/wait-for-envoy-sidecar.sh b/pkg/resources/kafka/wait-for-envoy-sidecar.sh index 5a8832f20..c2d20412e 100644 --- a/pkg/resources/kafka/wait-for-envoy-sidecar.sh +++ b/pkg/resources/kafka/wait-for-envoy-sidecar.sh @@ -34,7 +34,7 @@ if [[ -n "${CLUSTER_ID}" ]]; then # If the storage is already formatted (e.g. broker restarts), the kafka-storage.sh will skip formatting for that storage # thus we can safely run the storage format command regardless if the storage has been formatted or not echo "Formatting KRaft storage with cluster ID ${CLUSTER_ID}" - /opt/kafka/bin/kafka-storage.sh format --cluster-id "${CLUSTER_ID}" -c /config/broker-config + /opt/kafka/bin/kafka-storage.sh format --cluster-id="${CLUSTER_ID}" -c /config/broker-config # Adding or removing controller nodes to the Kafka cluster would trigger cluster rolling upgrade so all the nodes in the cluster are aware of the newly added/removed controllers. # When this happens, Kafka's local quorum state file would be outdated since it is static and the Kafka server can't be started with conflicting controllers info (compared to info stored in ConfigMap), diff --git a/pkg/resources/nodeportexternalaccess/nodeportExternalAccess_test.go b/pkg/resources/nodeportexternalaccess/nodeportExternalAccess_test.go new file mode 100644 index 000000000..2f30e2b4d --- /dev/null +++ b/pkg/resources/nodeportexternalaccess/nodeportExternalAccess_test.go @@ -0,0 +1,233 @@ +// Copyright 2025 Adobe. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package nodeportexternalaccess + +import ( + "context" + "testing" + + "github.com/go-logr/logr" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" + "k8s.io/apimachinery/pkg/api/meta" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/types" + "sigs.k8s.io/controller-runtime/pkg/client" + + "github.com/banzaicloud/koperator/api/v1beta1" +) + +// MockClient is a mock implementation of client.Client +type MockClient struct { + mock.Mock +} + +func (m *MockClient) Get(ctx context.Context, key types.NamespacedName, obj client.Object, opts ...client.GetOption) error { + args := m.Called(ctx, key, obj, opts) + return args.Error(0) +} + +func (m *MockClient) List(ctx context.Context, list client.ObjectList, opts ...client.ListOption) error { + args := m.Called(ctx, list, opts) + return args.Error(0) +} + +func (m *MockClient) Create(ctx context.Context, obj client.Object, opts ...client.CreateOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) Delete(ctx context.Context, obj client.Object, opts ...client.DeleteOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) Update(ctx context.Context, obj client.Object, opts ...client.UpdateOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) Patch(ctx context.Context, obj client.Object, patch client.Patch, opts ...client.PatchOption) error { + args := m.Called(ctx, obj, patch, opts) + return args.Error(0) +} + +func (m *MockClient) DeleteAllOf(ctx context.Context, obj client.Object, opts ...client.DeleteAllOfOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) Status() client.StatusWriter { + args := m.Called() + return args.Get(0).(client.StatusWriter) +} + +func (m *MockClient) Scheme() *runtime.Scheme { + args := m.Called() + return args.Get(0).(*runtime.Scheme) +} + +func (m *MockClient) RESTMapper() meta.RESTMapper { + args := m.Called() + return args.Get(0).(meta.RESTMapper) +} + +func (m *MockClient) GroupVersionKindFor(obj runtime.Object) (schema.GroupVersionKind, error) { + args := m.Called(obj) + return args.Get(0).(schema.GroupVersionKind), args.Error(1) +} + +func (m *MockClient) IsObjectNamespaced(obj runtime.Object) (bool, error) { + args := m.Called(obj) + return args.Bool(0), args.Error(1) +} + +func (m *MockClient) Apply(ctx context.Context, obj runtime.ApplyConfiguration, opts ...client.ApplyOption) error { + args := m.Called(ctx, obj, opts) + return args.Error(0) +} + +func (m *MockClient) SubResource(subResource string) client.SubResourceClient { + args := m.Called(subResource) + return args.Get(0).(client.SubResourceClient) +} + +func TestNew(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + } + + reconciler := New(mockClient, cluster) + + assert.NotNil(t, reconciler) + assert.Equal(t, mockClient, reconciler.Client) + assert.Equal(t, cluster, reconciler.KafkaCluster) +} + +func TestReconcile_WithNodePortAccessMethod(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + Spec: v1beta1.KafkaClusterSpec{ + ListenersConfig: v1beta1.ListenersConfig{ + ExternalListeners: nil, // No external listeners to avoid service function call + }, + }, + } + + reconciler := New(mockClient, cluster) + + log := logr.Discard() + err := reconciler.Reconcile(log) + assert.NoError(t, err) +} + +func TestReconcile_WithRemoveUnusedIngressResources(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + Spec: v1beta1.KafkaClusterSpec{ + ListenersConfig: v1beta1.ListenersConfig{ + ExternalListeners: nil, // No external listeners to avoid service function call + }, + RemoveUnusedIngressResources: true, + }, + } + + reconciler := New(mockClient, cluster) + + // Mock the Delete call + mockClient.On("Delete", mock.Anything, mock.Anything, mock.Anything).Return(nil) + + log := logr.Discard() + err := reconciler.Reconcile(log) + assert.NoError(t, err) +} + +func TestReconcile_NoExternalListeners(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + Spec: v1beta1.KafkaClusterSpec{ + ListenersConfig: v1beta1.ListenersConfig{ + ExternalListeners: nil, // No external listeners + }, + }, + } + + reconciler := New(mockClient, cluster) + + log := logr.Discard() + err := reconciler.Reconcile(log) + assert.NoError(t, err) +} + +func TestReconcile_ErrorHandling(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + Spec: v1beta1.KafkaClusterSpec{ + ListenersConfig: v1beta1.ListenersConfig{ + ExternalListeners: nil, // No external listeners to avoid service function call + }, + }, + } + + reconciler := New(mockClient, cluster) + + log := logr.Discard() + err := reconciler.Reconcile(log) + assert.NoError(t, err) +} + +func TestReconcile_DeleteErrorHandling(t *testing.T) { + mockClient := &MockClient{} + cluster := &v1beta1.KafkaCluster{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-cluster", + Namespace: "test-namespace", + }, + Spec: v1beta1.KafkaClusterSpec{ + ListenersConfig: v1beta1.ListenersConfig{ + ExternalListeners: nil, // No external listeners to avoid service function call + }, + RemoveUnusedIngressResources: true, + }, + } + + reconciler := New(mockClient, cluster) + + log := logr.Discard() + err := reconciler.Reconcile(log) + assert.NoError(t, err) +} diff --git a/pkg/resources/reconciler.go b/pkg/resources/reconciler.go index 65591dfe9..98ff9474c 100644 --- a/pkg/resources/reconciler.go +++ b/pkg/resources/reconciler.go @@ -52,13 +52,6 @@ type ResourceWithLogAndExternalListenerSpecificInfos func(log logr.Logger, externalListenerConfig v1beta1.ExternalListenerConfig, ingressConfig v1beta1.IngressConfig, ingressConfigName, defaultIngressConfigName string) runtime.Object -// ResourceWithLogAndExternalListenerSpecificInfosAndIstioRevision function with -// log and externalListenerConfig and ingressConfig parameter with name and default ingress config name -// and istio revision -type ResourceWithLogAndExternalListenerSpecificInfosAndIstioRevision func(log logr.Logger, - externalListenerConfig v1beta1.ExternalListenerConfig, ingressConfig v1beta1.IngressConfig, - ingressConfigName, defaultIngressConfigName, istioRevision string) runtime.Object - // ResourceWithBrokerConfigAndVolume function with brokerConfig, persistentVolumeClaims and log parameters type ResourceWithBrokerConfigAndVolume func( id int32, diff --git a/pkg/scale/scale_test.go b/pkg/scale/scale_test.go index e12d051bb..6f0989c9e 100644 --- a/pkg/scale/scale_test.go +++ b/pkg/scale/scale_test.go @@ -1,4 +1,4 @@ -// Copyright © 2023 Cisco Systems, Inc. and/or its affiliates +// Copyright © 2019 Cisco Systems, Inc. and/or its affiliates // Copyright 2025 Adobe. All rights reserved. // // Licensed under the Apache License, Version 2.0 (the "License"); @@ -16,56 +16,35 @@ package scale import ( + "context" "testing" - "github.com/stretchr/testify/require" + "github.com/stretchr/testify/assert" ) -func TestParseBrokerIDsAndLogDirToMap(t *testing.T) { - testCases := []struct { - testName string - brokerIDsAndLogDirs string - want map[int32][]string - wantErr bool - }{ - { - testName: "valid input", - brokerIDsAndLogDirs: "102-/kafka-logs3/kafka,101-/kafka-logs3/kafka,101-/kafka-logs2/kafka", - want: map[int32][]string{ - 101: {"/kafka-logs3/kafka", "/kafka-logs2/kafka"}, - 102: {"/kafka-logs3/kafka"}, - }, - wantErr: false, - }, - { - testName: "empty input", - brokerIDsAndLogDirs: "", - want: map[int32][]string{}, - wantErr: false, - }, - { - testName: "invalid format", - brokerIDsAndLogDirs: "1-dirA,2-dirB,1", - want: nil, - wantErr: true, - }, - { - testName: "invalid broker ID", - brokerIDsAndLogDirs: "1-dirA,abc-dirB,1-dirC", - want: nil, - wantErr: true, - }, - } +func TestNewCruiseControlScaler(t *testing.T) { + scaler, err := NewCruiseControlScaler(context.Background(), "http://localhost:9090") - for _, tc := range testCases { - t.Run(tc.testName, func(t *testing.T) { - got, err := parseBrokerIDsAndLogDirsToMap(tc.brokerIDsAndLogDirs) - if tc.wantErr { - require.Error(t, err) - } else { - require.NoError(t, err) - require.Equal(t, tc.want, got) - } - }) - } + assert.NoError(t, err) + assert.NotNil(t, scaler) +} + +func TestIsReady(t *testing.T) { + scaler, err := NewCruiseControlScaler(context.Background(), "http://localhost:9090") + assert.NoError(t, err) + + // Test IsReady method + ready := scaler.IsReady(context.Background()) + // This will be false since we're not actually connected to Cruise Control + assert.False(t, ready) +} + +func TestIsUp(t *testing.T) { + scaler, err := NewCruiseControlScaler(context.Background(), "http://localhost:9090") + assert.NoError(t, err) + + // Test IsUp method + up := scaler.IsUp(context.Background()) + // This will be false since we're not actually connected to Cruise Control + assert.False(t, up) } diff --git a/pkg/util/envoygateway/common.go b/pkg/util/envoygateway/common.go new file mode 100644 index 000000000..bd87a4696 --- /dev/null +++ b/pkg/util/envoygateway/common.go @@ -0,0 +1,40 @@ +// Copyright 2025 Adobe. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package envoygateway + +import ( + "strconv" + "strings" +) + +const ( + // IngressControllerName name for envoy gateway ingress controller + IngressControllerName = "envoygateway" + + // GatewayNameTemplate template for Gateway resource name + GatewayNameTemplate = "kafka-gateway-%s" + + // TLSRouteNameTemplate template for TLSRoute resource name + TLSRouteNameTemplate = "kafka-tlsroute-%s-%s" + + // TCPRouteNameTemplate template for TCPRoute resource name + TCPRouteNameTemplate = "kafka-tcproute-%s-%s" +) + +// GetBrokerHostname returns the broker hostname for the given broker ID +// by replacing %id in the template with the actual broker ID +func GetBrokerHostname(template string, brokerId int32) string { + return strings.Replace(template, "%id", strconv.Itoa(int(brokerId)), 1) +} diff --git a/pkg/util/istioingress/common.go b/pkg/util/istioingress/common.go deleted file mode 100644 index 08c970508..000000000 --- a/pkg/util/istioingress/common.go +++ /dev/null @@ -1,24 +0,0 @@ -// Copyright © 2020 Cisco Systems, Inc. and/or its affiliates -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package istioingress - -const ( - // IngressControllerName name for istioingress ingress service - IngressControllerName = "istioingress" - // MeshGatewayNameTemplate name for istioingress gateway service - MeshGatewayNameTemplate = "meshgateway-%s-%s" - // MeshGatewayNameTemplateWithScope name for istioingress gateway service with scope - MeshGatewayNameTemplateWithScope = "meshgateway-%s-%s-%s" -) diff --git a/pkg/util/util.go b/pkg/util/util.go index 6b3007201..b667552d9 100644 --- a/pkg/util/util.go +++ b/pkg/util/util.go @@ -59,7 +59,7 @@ import ( "github.com/banzaicloud/koperator/pkg/util/cert" "github.com/banzaicloud/koperator/pkg/util/contour" envoyutils "github.com/banzaicloud/koperator/pkg/util/envoy" - "github.com/banzaicloud/koperator/pkg/util/istioingress" + envoygatewayutils "github.com/banzaicloud/koperator/pkg/util/envoygateway" properties "github.com/banzaicloud/koperator/properties/pkg" ) @@ -319,16 +319,16 @@ func GetIngressConfigs(kafkaClusterSpec v1beta1.KafkaClusterSpec, }, } } - case istioingress.IngressControllerName: + case contour.IngressControllerName: if eListenerConfig.Config != nil { defaultIngressConfigName = eListenerConfig.Config.DefaultIngressConfig ingressConfigs = make(map[string]v1beta1.IngressConfig, len(eListenerConfig.Config.IngressConfig)) for k, iConf := range eListenerConfig.Config.IngressConfig { - if iConf.IstioIngressConfig != nil { - err := mergo.Merge(iConf.IstioIngressConfig, kafkaClusterSpec.IstioIngressConfig) + if iConf.ContourIngressConfig != nil { + err := mergo.Merge(iConf.ContourIngressConfig, kafkaClusterSpec.ContourIngressConfig) if err != nil { return nil, "", errors.WrapWithDetails(err, - "could not merge global istio config with local one", "istioConfig", k) + "could not merge global envoy config with local one", "envoyConfig", k) } err = mergo.Merge(&iConf.IngressServiceSettings, eListenerConfig.IngressServiceSettings) if err != nil { @@ -343,20 +343,20 @@ func GetIngressConfigs(kafkaClusterSpec v1beta1.KafkaClusterSpec, ingressConfigs = map[string]v1beta1.IngressConfig{ IngressConfigGlobalName: { IngressServiceSettings: eListenerConfig.IngressServiceSettings, - IstioIngressConfig: &kafkaClusterSpec.IstioIngressConfig, + ContourIngressConfig: &kafkaClusterSpec.ContourIngressConfig, }, } } - case contour.IngressControllerName: + case envoygatewayutils.IngressControllerName: if eListenerConfig.Config != nil { defaultIngressConfigName = eListenerConfig.Config.DefaultIngressConfig ingressConfigs = make(map[string]v1beta1.IngressConfig, len(eListenerConfig.Config.IngressConfig)) for k, iConf := range eListenerConfig.Config.IngressConfig { - if iConf.ContourIngressConfig != nil { - err := mergo.Merge(iConf.ContourIngressConfig, kafkaClusterSpec.ContourIngressConfig) + if iConf.EnvoyGatewayConfig != nil { + err := mergo.Merge(iConf.EnvoyGatewayConfig, kafkaClusterSpec.EnvoyGatewayConfig) if err != nil { return nil, "", errors.WrapWithDetails(err, - "could not merge global envoy config with local one", "envoyConfig", k) + "could not merge global envoy gateway config with local one", "envoyGatewayConfig", k) } err = mergo.Merge(&iConf.IngressServiceSettings, eListenerConfig.IngressServiceSettings) if err != nil { @@ -371,7 +371,7 @@ func GetIngressConfigs(kafkaClusterSpec v1beta1.KafkaClusterSpec, ingressConfigs = map[string]v1beta1.IngressConfig{ IngressConfigGlobalName: { IngressServiceSettings: eListenerConfig.IngressServiceSettings, - ContourIngressConfig: &kafkaClusterSpec.ContourIngressConfig, + EnvoyGatewayConfig: &kafkaClusterSpec.EnvoyGatewayConfig, }, } } diff --git a/pkg/util/util_test.go b/pkg/util/util_test.go index db84482ed..de5545bde 100644 --- a/pkg/util/util_test.go +++ b/pkg/util/util_test.go @@ -22,7 +22,6 @@ import ( "github.com/stretchr/testify/require" "github.com/banzaicloud/koperator/api/v1beta1" - "github.com/banzaicloud/koperator/pkg/util/istioingress" "gotest.tools/assert" corev1 "k8s.io/api/core/v1" @@ -280,23 +279,6 @@ func TestGetIngressConfigs(t *testing.T) { }, } - defaultKafkaClusterWithIstioIngress := &v1beta1.KafkaClusterSpec{ - IngressController: istioingress.IngressControllerName, - IstioIngressConfig: v1beta1.IstioIngressConfig{ - Resources: &corev1.ResourceRequirements{ - Limits: corev1.ResourceList{ - "cpu": resource.MustParse("100m"), - "memory": resource.MustParse("100Mi"), - }, - Requests: corev1.ResourceList{ - "cpu": resource.MustParse("100m"), - "memory": resource.MustParse("100Mi"), - }, - }, - Replicas: 1, - }, - } - testCases := []struct { globalConfig v1beta1.KafkaClusterSpec externalListenerSpecifiedConfigs v1beta1.ExternalListenerConfig @@ -317,21 +299,6 @@ func TestGetIngressConfigs(t *testing.T) { IngressConfigGlobalName: {EnvoyConfig: &defaultKafkaClusterWithEnvoy.EnvoyConfig}, }, }, - // only globalIstio ingress configuration is set - { - *defaultKafkaClusterWithIstioIngress, - v1beta1.ExternalListenerConfig{ - CommonListenerSpec: v1beta1.CommonListenerSpec{ - Type: "plaintext", - Name: "external", - ContainerPort: 9094, - }, - ExternalStartingPort: 19090, - }, - map[string]v1beta1.IngressConfig{ - IngressConfigGlobalName: {IstioIngressConfig: &defaultKafkaClusterWithIstioIngress.IstioIngressConfig}, - }, - }, // ExternalListener Specified config is set with EnvoyIngress { *defaultKafkaClusterWithEnvoy, @@ -405,74 +372,6 @@ func TestGetIngressConfigs(t *testing.T) { }, }, }, - // ExternalListener Specified config is set with IstioIngress - { - *defaultKafkaClusterWithIstioIngress, - v1beta1.ExternalListenerConfig{ - CommonListenerSpec: v1beta1.CommonListenerSpec{ - Type: "plaintext", - Name: "external", - ContainerPort: 9094, - }, - ExternalStartingPort: 19090, - Config: &v1beta1.Config{ - DefaultIngressConfig: "az1", - IngressConfig: map[string]v1beta1.IngressConfig{ - "az1": { - IngressServiceSettings: v1beta1.IngressServiceSettings{ - HostnameOverride: "foo.bar", - }, - IstioIngressConfig: &v1beta1.IstioIngressConfig{ - Replicas: 3, - Annotations: map[string]string{"az1": "region"}, - }, - }, - "az2": { - IstioIngressConfig: &v1beta1.IstioIngressConfig{ - Annotations: map[string]string{"az2": "region"}, - }, - }, - }, - }, - }, - map[string]v1beta1.IngressConfig{ - "az1": { - IngressServiceSettings: v1beta1.IngressServiceSettings{ - HostnameOverride: "foo.bar", - }, - IstioIngressConfig: &v1beta1.IstioIngressConfig{ - Resources: &corev1.ResourceRequirements{ - Limits: corev1.ResourceList{ - "cpu": resource.MustParse("100m"), - "memory": resource.MustParse("100Mi"), - }, - Requests: corev1.ResourceList{ - "cpu": resource.MustParse("100m"), - "memory": resource.MustParse("100Mi"), - }, - }, - Replicas: 3, - Annotations: map[string]string{"az1": "region"}, - }, - }, - "az2": { - IstioIngressConfig: &v1beta1.IstioIngressConfig{ - Resources: &corev1.ResourceRequirements{ - Limits: corev1.ResourceList{ - "cpu": resource.MustParse("100m"), - "memory": resource.MustParse("100Mi"), - }, - Requests: corev1.ResourceList{ - "cpu": resource.MustParse("100m"), - "memory": resource.MustParse("100Mi"), - }, - }, - Annotations: map[string]string{"az2": "region"}, - Replicas: 1, - }, - }, - }, - }, } for _, testCase := range testCases { ingressConfigs, _, err := GetIngressConfigs(testCase.globalConfig, testCase.externalListenerSpecifiedConfigs) diff --git a/pkg/webhooks/kafkacluster_validator.go b/pkg/webhooks/kafkacluster_validator.go index d9f7b8932..9573ce87f 100644 --- a/pkg/webhooks/kafkacluster_validator.go +++ b/pkg/webhooks/kafkacluster_validator.go @@ -142,6 +142,12 @@ func checkExternalListenerStartingPort(kafkaClusterSpec *banzaicloudv1beta1.Kafk var allErrs field.ErrorList const maxPort int32 = 65535 for i, extListener := range kafkaClusterSpec.ListenersConfig.ExternalListeners { + // Skip port validation when TLS is enabled (externalStartingPort == -1) + // In TLS mode, GetAnyCastPort() is used instead of externalStartingPort + brokerId + if extListener.TLSEnabled() { + continue + } + var outOfRangeBrokerIDs, collidingPortsBrokerIDs []int32 for _, broker := range kafkaClusterSpec.Brokers { externalPort := util.GetExternalPortForBroker(extListener.ExternalStartingPort, broker.Id) diff --git a/pkg/webhooks/kafkacluster_validator_test.go b/pkg/webhooks/kafkacluster_validator_test.go index 952c3f389..42f734922 100644 --- a/pkg/webhooks/kafkacluster_validator_test.go +++ b/pkg/webhooks/kafkacluster_validator_test.go @@ -248,6 +248,23 @@ func TestCheckExternalListenerStartingPort(t *testing.T) { "test-external2", int32(8081), int32(8080), int32(29092), []int32{11})), ), }, + { + // When TLS is enabled (externalStartingPort == -1), port validation should be skipped + // because GetAnyCastPort() is used instead of externalStartingPort + brokerId + testName: "valid config: TLS enabled with externalStartingPort -1 (should skip port validation)", + kafkaClusterSpec: v1beta1.KafkaClusterSpec{ + Brokers: []v1beta1.Broker{{Id: 0}, {Id: 1}, {Id: 2}}, + ListenersConfig: v1beta1.ListenersConfig{ + ExternalListeners: []v1beta1.ExternalListenerConfig{ + { + CommonListenerSpec: v1beta1.CommonListenerSpec{Name: "envoygateway"}, + ExternalStartingPort: -1, // TLS enabled + }, + }, + }, + }, + expected: nil, + }, } for _, testCase := range testCases { diff --git a/run-e2e.sh b/run-e2e.sh index 572cb0d4c..5a41b8858 100755 --- a/run-e2e.sh +++ b/run-e2e.sh @@ -1,15 +1,28 @@ #!/bin/bash +# Check if cloud-provider-kind is available in PATH +if ! command -v cloud-provider-kind &> /dev/null; then + echo "Error: cloud-provider-kind is not installed or not in PATH" + echo "Please install it using: brew install cloud-provider-kind" + exit 1 +fi + export IMG_E2E=koperator_e2e_test:latest +export export KUBECONFIG=/tmp/kind kind delete clusters e2e-kind kind create cluster --config=tests/e2e/platforms/kind/kind_config.yaml --name=e2e-kind kubectl label node e2e-kind-control-plane node.kubernetes.io/exclude-from-external-load-balancers- docker build . -t koperator_e2e_test kind load docker-image koperator_e2e_test:latest --name e2e-kind kind load docker-image ghcr.io/adobe/koperator/kafka:2.13-3.9.1 --name e2e-kind +kind load docker-image ghcr.io/adobe/zookeeper-operator/zookeeper:3.8.4-0.2.15-adobe-20250923 --name e2e-kind kind load docker-image adobe/cruise-control:3.0.3-adbe-20250804 --name e2e-kind -sudo ~/go/bin/cloud-provider-kind & +sudo cloud-provider-kind &>/tmp/cloud-provider-kind.log & + make test-e2e + +kind delete cluster e2e-kind +sudo pkill -9 -f cloud-provider-kind diff --git a/tests/e2e/const.go b/tests/e2e/const.go index 6bb421341..a21bf6bf8 100644 --- a/tests/e2e/const.go +++ b/tests/e2e/const.go @@ -83,10 +83,11 @@ const ( func apiGroupKoperatorDependencies() map[string]string { return map[string]string{ - "cert-manager": "cert-manager.io", - "zookeeper": "zookeeper.pravega.io", - "prometheus": "monitoring.coreos.com", - "contour": "projectcontour.io", + "cert-manager": "cert-manager.io", + "zookeeper": "zookeeper.pravega.io", + "prometheus": "monitoring.coreos.com", + "contour": "projectcontour.io", + "envoy-gateway": "gateway.networking.k8s.io", } } @@ -127,9 +128,6 @@ func koperatorRelatedResourceKinds() []string { "kafkaclusters.kafka.banzaicloud.io", "kafkausers.kafka.banzaicloud.io", "cruisecontroloperations.kafka.banzaicloud.io", - "istiomeshgateways.servicemesh.cisco.com", - "virtualservices.networking.istio.io", - "gateways.networking.istio.io", "clusterissuers.cert-manager.io", "servicemonitors.monitoring.coreos.com", } diff --git a/tests/e2e/global.go b/tests/e2e/global.go index 8102543cc..b6fba1020 100644 --- a/tests/e2e/global.go +++ b/tests/e2e/global.go @@ -53,6 +53,25 @@ var ( }, } + // envoyGatewayHelmDescriptor describes the Envoy Gateway Helm component + // The Helm chart installs Gateway API CRDs and Envoy Gateway CRDs automatically + envoyGatewayHelmDescriptor = helmDescriptor{ + Repository: "", + ChartName: "oci://docker.io/envoyproxy/gateway-helm", + ChartVersion: EnvoyGatewayVersion, + ReleaseName: "eg", + Namespace: "envoy-gateway-system", + SetValues: map[string]string{ + "deployment.envoyGateway.resources.limits.cpu": "500m", + "deployment.envoyGateway.resources.limits.memory": "1024Mi", + "deployment.envoyGateway.resources.requests.cpu": "100m", + "deployment.envoyGateway.resources.requests.memory": "256Mi", + }, + HelmExtraArguments: map[string][]string{ + "install": {"--timeout", "10m"}, + }, + } + // koperatorLocalHelmDescriptor describes the Koperator Helm component with // a local chart and version. koperatorLocalHelmDescriptor = func() helmDescriptor { diff --git a/tests/e2e/go.mod b/tests/e2e/go.mod index beb993354..40e54b191 100644 --- a/tests/e2e/go.mod +++ b/tests/e2e/go.mod @@ -61,7 +61,6 @@ require ( github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.1 // indirect github.com/aws/aws-sdk-go-v2/service/sts v1.38.6 // indirect github.com/aws/smithy-go v1.23.0 // indirect - github.com/banzaicloud/istio-client-go v0.0.17 // indirect github.com/banzaicloud/koperator/properties v0.4.1 // indirect github.com/banzaicloud/operator-tools v0.28.10 // indirect github.com/boombuler/barcode v1.0.1 // indirect diff --git a/tests/e2e/go.sum b/tests/e2e/go.sum index e226bddd9..d0b332fee 100644 --- a/tests/e2e/go.sum +++ b/tests/e2e/go.sum @@ -88,8 +88,6 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.38.6 h1:p3jIvqYwUZgu/XYeI48bJxOhvm47 github.com/aws/aws-sdk-go-v2/service/sts v1.38.6/go.mod h1:WtKK+ppze5yKPkZ0XwqIVWD4beCwv056ZbPQNoeHqM8= github.com/aws/smithy-go v1.23.0 h1:8n6I3gXzWJB2DxBDnfxgBaSX6oe0d/t10qGz7OKqMCE= github.com/aws/smithy-go v1.23.0/go.mod h1:t1ufH5HMublsJYulve2RKmHDC15xu1f26kHCp/HgceI= -github.com/banzaicloud/istio-client-go v0.0.17 h1:wiplbM7FDiIHopujInAnin3zuovtVcphtKy9En39q5I= -github.com/banzaicloud/istio-client-go v0.0.17/go.mod h1:rpnEYYGHzisx8nARl2d30Oq38EeCX0/PPaxMaREfE9I= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw= github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= @@ -141,7 +139,6 @@ github.com/gkampitakis/go-snaps v0.5.15 h1:amyJrvM1D33cPHwVrjo9jQxX8g/7E2wYdZ+01 github.com/gkampitakis/go-snaps v0.5.15/go.mod h1:HNpx/9GoKisdhw9AFOBT1N7DBs9DiHo/hGheFGBZ+mc= github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk= github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og= -github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas= github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= @@ -184,7 +181,6 @@ github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw= github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA= -github.com/gogo/protobuf v1.3.0/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang/snappy v1.0.0 h1:Oy607GVXHs7RtbggtPBnr2RmDArIsAefDwvrdWvRhGs= @@ -260,10 +256,8 @@ github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGw github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/joshdk/go-junit v1.0.0 h1:S86cUKIdwBHWwA6xCmFlf3RTLfVXYQfvanM5Uh+K6GE= github.com/joshdk/go-junit v1.0.0/go.mod h1:TiiV0PqkaNfFXjEiyjWM3XXrhVyCa1K4Zfga6W52ung= -github.com/json-iterator/go v1.1.6/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.18.1 h1:bcSGx7UbpBqMChDtsF28Lw6v/G94LPrrbMbdC3JH2co= @@ -304,7 +298,6 @@ github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVO github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0= github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= @@ -351,7 +344,6 @@ github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME= github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY= github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo= -github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= @@ -424,7 +416,6 @@ golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA= golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20191002035440-2ec189313ef0/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= @@ -459,7 +450,6 @@ golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.36.0 h1:zMPR+aF8gfksFprF/Nc/rd1wRS1EI6nDBGyWAvDzx2Q= golang.org/x/term v0.36.0/go.mod h1:Qu394IJq6V6dCBRgwqshf3mPF85AqzYEzofzRdZkWss= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= @@ -468,7 +458,6 @@ golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM= golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI= golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= @@ -482,7 +471,6 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8T google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= @@ -505,12 +493,10 @@ k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI= k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc= -k8s.io/apimachinery v0.0.0-20190704094733-8f6ac2502e51/go.mod h1:ccL7Eh7zubPUSh9A3USN90/OzHNSVN6zxzde07TDCL0= k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY= k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8= -k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-openapi v0.0.0-20250910181357-589584f1c912 h1:Y3gxNAuB0OBLImH611+UDZcmKS3g6CthxToOb37KgwE= @@ -525,6 +511,5 @@ sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= -sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= diff --git a/tests/e2e/kcat.go b/tests/e2e/kcat.go index 396cfb16e..5e17485b7 100644 --- a/tests/e2e/kcat.go +++ b/tests/e2e/kcat.go @@ -22,6 +22,11 @@ import ( ginkgo "github.com/onsi/ginkgo/v2" ) +const ( + // kcatTLSParams defines the TLS parameters for kcat when using SSL security protocol + kcatTLSParams = "-X security.protocol=SSL -X ssl.key.location=/ssl/certs/tls.key -X ssl.certificate.location=/ssl/certs/tls.crt -X ssl.ca.location=/ssl/certs/ca.crt" +) + // consumingMessagesInternally consuming messages based on parameters from Kafka cluster. // It returns messages in string slice. func consumingMessagesInternally(kubectlOptions k8s.KubectlOptions, kcatPodName string, internalKafkaAddress string, topicName string, tlsMode bool) (string, error) { @@ -29,7 +34,7 @@ func consumingMessagesInternally(kubectlOptions k8s.KubectlOptions, kcatPodName kcatTLSParameters := "" if tlsMode { - kcatTLSParameters += "-X security.protocol=SSL -X ssl.key.location=/ssl/certs/tls.key -X ssl.certificate.location=/ssl/certs/tls.crt -X ssl.ca.location=/ssl/certs/ca.crt" + kcatTLSParameters += kcatTLSParams } consumedMessages, err := k8s.RunKubectlAndGetOutputE(ginkgo.GinkgoT(), @@ -53,7 +58,7 @@ func producingMessagesInternally(kubectlOptions k8s.KubectlOptions, kcatPodName kcatTLSParameters := "" if tlsMode { - kcatTLSParameters += "-X security.protocol=SSL -X ssl.key.location=/ssl/certs/tls.key -X ssl.certificate.location=/ssl/certs/tls.crt -X ssl.ca.location=/ssl/certs/ca.crt" + kcatTLSParameters += kcatTLSParams } _, err := k8s.RunKubectlAndGetOutputE(ginkgo.GinkgoT(), @@ -67,3 +72,66 @@ func producingMessagesInternally(kubectlOptions k8s.KubectlOptions, kcatPodName return err } + +// It returns messages in string slice. +func consumingMessagesExternallyViaKcat(kubectlOptions k8s.KubectlOptions, kcatPodName string, externalKafkaAddresses []string, topicName string, tlsMode bool) (string, error) { + ginkgo.By(fmt.Sprintf("Consuming messages from external addresses: '%v' topicName: '%s'", externalKafkaAddresses, topicName)) + + kcatTLSParameters := "" + if tlsMode { + kcatTLSParameters += kcatTLSParams + } + + // Join external addresses with comma for kcat bootstrap servers + bootstrapServers := "" + for i, addr := range externalKafkaAddresses { + if i > 0 { + bootstrapServers += "," + } + bootstrapServers += addr + } + + consumedMessages, err := k8s.RunKubectlAndGetOutputE(ginkgo.GinkgoT(), + k8s.NewKubectlOptions(kubectlOptions.ContextName, kubectlOptions.ConfigPath, ""), + "exec", kcatPodName, + "-n", kubectlOptions.Namespace, + "--", + "/bin/sh", "-c", fmt.Sprintf("kcat -L -b %s %s -t %s -e -C ", bootstrapServers, kcatTLSParameters, topicName), + ) + + if err != nil { + return "", err + } + + return consumedMessages, nil +} + +// producingMessagesExternallyViaKcat produces messages to external addresses using kcat. +func producingMessagesExternallyViaKcat(kubectlOptions k8s.KubectlOptions, kcatPodName string, externalKafkaAddresses []string, topicName string, message string, tlsMode bool) error { + ginkgo.By(fmt.Sprintf("Producing messages: '%s' to external addresses: '%v' topicName: '%s'", message, externalKafkaAddresses, topicName)) + + kcatTLSParameters := "" + if tlsMode { + kcatTLSParameters += kcatTLSParams + } + + // Join external addresses with comma for kcat bootstrap servers + bootstrapServers := "" + for i, addr := range externalKafkaAddresses { + if i > 0 { + bootstrapServers += "," + } + bootstrapServers += addr + } + + _, err := k8s.RunKubectlAndGetOutputE(ginkgo.GinkgoT(), + k8s.NewKubectlOptions(kubectlOptions.ContextName, kubectlOptions.ConfigPath, ""), + "exec", kcatPodName, + "-n", kubectlOptions.Namespace, + "--", + "/bin/sh", "-c", fmt.Sprintf("echo %s | kcat -L -b %s %s -t %s -P", + message, bootstrapServers, kcatTLSParameters, topicName), + ) + + return err +} diff --git a/tests/e2e/koperator_suite_test.go b/tests/e2e/koperator_suite_test.go index a2c59bffe..dd754f55d 100644 --- a/tests/e2e/koperator_suite_test.go +++ b/tests/e2e/koperator_suite_test.go @@ -21,8 +21,8 @@ import ( "testing" "github.com/gruntwork-io/terratest/modules/k8s" - ginkgo "github.com/onsi/ginkgo/v2" - gomega "github.com/onsi/gomega" + "github.com/onsi/ginkgo/v2" + "github.com/onsi/gomega" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) @@ -61,19 +61,39 @@ var _ = ginkgo.When("Testing e2e test altogether", ginkgo.Ordered, func() { snapshotCluster(snapshottedInfo) testInstall() testInstallZookeeperCluster() - testInstallKafkaCluster("../../config/samples/simplekafkacluster.yaml") + testInstallNoIngressKafkaCluster("Installing Kafka cluster (Zookeeper-based, plaintext, no ingress)", "../../config/samples/simplekafkacluster.yaml") testProduceConsumeInternal() testJmxExporter() testUninstallKafkaCluster() - testInstallKafkaCluster("../../config/samples/simplekafkacluster_ssl.yaml") + testInstallNoIngressKafkaCluster("Installing Kafka cluster (Zookeeper-based, SSL enabled, no ingress)", "../../config/samples/simplekafkacluster_ssl.yaml") testProduceConsumeInternalSSL(defaultTLSSecretName) testJmxExporter() testUninstallKafkaCluster() testUninstallZookeeperCluster() - testInstallKafkaCluster("../../config/samples/kraft/simplekafkacluster_kraft.yaml") + testInstallNoIngressKafkaCluster("Installing Kafka cluster (KRaft mode, plaintext, no ingress)", "../../config/samples/kraft/simplekafkacluster_kraft.yaml") testProduceConsumeInternal() testJmxExporter() testUninstallKafkaCluster() + testInstallZookeeperCluster() + testInstallEnvoyKafkaCluster("Installing Kafka cluster (Zookeeper-based, Envoy ingress)", "../../config/samples/simplekafkacluster_with_envoy.yaml") + testProduceConsumeInternal() + testJmxExporter() + testUninstallKafkaCluster() + testUninstallZookeeperCluster() + testInstallEnvoyKafkaCluster("Installing Kafka cluster (KRaft mode, Envoy ingress)", "../../config/samples/kraft/simplekafkacluster_kraft_with_envoy.yaml") + testProduceConsumeInternal() + testJmxExporter() + testUninstallKafkaCluster() + testInstallZookeeperCluster() + testInstallEnvoyGatewayKafkaCluster("Installing Kafka cluster (Zookeeper-based, Envoy Gateway ingress)", "../../config/samples/simplekafkacluster_with_envoygateway.yaml") + testProduceConsumeInternal() + testJmxExporter() + testUninstallEnvoyGatewayKafkaCluster("../../config/samples/simplekafkacluster_with_envoygateway.yaml") + testUninstallZookeeperCluster() + testInstallEnvoyGatewayKafkaCluster("Installing Kafka cluster (KRaft mode, Envoy Gateway ingress)", "../../config/samples/kraft/simplekafkacluster_kraft_with_envoygateway.yaml") + testProduceConsumeInternal() + testJmxExporter() + testUninstallEnvoyGatewayKafkaCluster("../../config/samples/kraft/simplekafkacluster_kraft_with_envoygateway.yaml") testUninstall() snapshotClusterAndCompare(snapshottedInfo) }) diff --git a/tests/e2e/produce_consume.go b/tests/e2e/produce_consume.go index 9b230085c..b09e0efd5 100644 --- a/tests/e2e/produce_consume.go +++ b/tests/e2e/produce_consume.go @@ -192,3 +192,30 @@ func requireAvailableExternalKafkaAddress(kubectlOptions k8s.KubectlOptions, ext gomega.Expect(err).ShouldNot(gomega.HaveOccurred()) }) } + +// requireExternalProducingConsumingMessageViaKcat gets the Kafka cluster external addresses from the kafkaCluster CR status +// and produces/consumes messages using kcat (similar to internal tests but for external access via Istio). +func requireExternalProducingConsumingMessageViaKcat(kubectlOptions k8s.KubectlOptions, kcatPodName, topicName, tlsSecretName string) { + ginkgo.It("Producing and consuming messages externally via Istio ingress", func() { + // Get external listener addresses from KafkaCluster status + externalAddresses, err := getExternalListenerAddresses(kubectlOptions, "", kafkaClusterName) + gomega.Expect(err).ShouldNot(gomega.HaveOccurred()) + gomega.Expect(externalAddresses).ShouldNot(gomega.BeEmpty()) + + ginkgo.By(fmt.Sprintf("Using external addresses: %v", externalAddresses)) + + tlsMode := tlsSecretName != "" + message := time.Now().String() + + // Produce message externally + err = producingMessagesExternallyViaKcat(kubectlOptions, kcatPodName, externalAddresses, topicName, message, tlsMode) + gomega.Expect(err).ShouldNot(gomega.HaveOccurred()) + + // Consume messages externally + consumedMessages, err := consumingMessagesExternallyViaKcat(kubectlOptions, kcatPodName, externalAddresses, topicName, tlsMode) + gomega.Expect(err).ShouldNot(gomega.HaveOccurred()) + + ginkgo.By(fmt.Sprintf("Comparing produced: '%s' and consumed message: '%s'", message, consumedMessages)) + gomega.Expect(consumedMessages).Should(gomega.ContainSubstring(message)) + }) +} diff --git a/tests/e2e/test_install.go b/tests/e2e/test_install.go index e4dbd68ea..0307a8f3f 100644 --- a/tests/e2e/test_install.go +++ b/tests/e2e/test_install.go @@ -16,9 +16,11 @@ package e2e import ( + "sync" + "github.com/gruntwork-io/terratest/modules/k8s" - ginkgo "github.com/onsi/ginkgo/v2" - gomega "github.com/onsi/gomega" + "github.com/onsi/ginkgo/v2" + "github.com/onsi/gomega" ) func testInstall() bool { @@ -31,39 +33,92 @@ func testInstall() bool { gomega.Expect(err).NotTo(gomega.HaveOccurred()) }) - ginkgo.When("Installing cert-manager", func() { - ginkgo.It("Installing cert-manager Helm chart", func() { - err = certManagerHelmDescriptor.installHelmChart(kubectlOptions) - gomega.Expect(err).NotTo(gomega.HaveOccurred()) - }) - }) + ginkgo.It("Installing infrastructure components in parallel", func() { + var wg sync.WaitGroup + errChan := make(chan error, 3) + + // Install cert-manager, Contour, and Envoy Gateway in parallel + wg.Add(3) + + go func() { + defer wg.Done() + ginkgo.By("Installing cert-manager Helm chart") + if installErr := certManagerHelmDescriptor.installHelmChart(kubectlOptions); installErr != nil { + errChan <- installErr + } + }() + + go func() { + defer wg.Done() + ginkgo.By("Installing Contour Helm chart") + if installErr := contourIngressControllerHelmDescriptor.installHelmChart(kubectlOptions); installErr != nil { + errChan <- installErr + } + }() + + go func() { + defer wg.Done() + ginkgo.By("Installing Envoy Gateway Helm chart") + if installErr := envoyGatewayHelmDescriptor.installHelmChart(kubectlOptions); installErr != nil { + errChan <- installErr + } + }() + + wg.Wait() + close(errChan) - ginkgo.When("Installing contour ingress controller", func() { - ginkgo.It("Installing contour Helm chart", func() { - err = contourIngressControllerHelmDescriptor.installHelmChart(kubectlOptions) - gomega.Expect(err).NotTo(gomega.HaveOccurred()) - }) + // Check for errors + for installErr := range errChan { + gomega.Expect(installErr).NotTo(gomega.HaveOccurred()) + } }) - ginkgo.When("Installing zookeeper-operator", func() { - ginkgo.It("Installing zookeeper-operator Helm chart", func() { - err = zookeeperOperatorHelmDescriptor.installHelmChart(kubectlOptions) - gomega.Expect(err).NotTo(gomega.HaveOccurred()) - }) + ginkgo.It("Creating Envoy Gateway GatewayClass", func() { + gatewayClassManifest := `apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: eg +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller` + err = applyK8sResourceManifestFromString(kubectlOptions, gatewayClassManifest) + gomega.Expect(err).NotTo(gomega.HaveOccurred()) }) - ginkgo.When("Installing prometheus-operator", func() { - ginkgo.It("Installing prometheus-operator Helm chart", func() { - err = prometheusOperatorHelmDescriptor.installHelmChart(kubectlOptions) - gomega.Expect(err).NotTo(gomega.HaveOccurred()) - }) + ginkgo.It("Installing dependency operators in parallel", func() { + var wg sync.WaitGroup + errChan := make(chan error, 2) + + // Install zookeeper-operator and prometheus-operator in parallel + wg.Add(2) + + go func() { + defer wg.Done() + ginkgo.By("Installing zookeeper-operator Helm chart") + if installErr := zookeeperOperatorHelmDescriptor.installHelmChart(kubectlOptions); installErr != nil { + errChan <- installErr + } + }() + + go func() { + defer wg.Done() + ginkgo.By("Installing prometheus-operator Helm chart") + if installErr := prometheusOperatorHelmDescriptor.installHelmChart(kubectlOptions); installErr != nil { + errChan <- installErr + } + }() + + wg.Wait() + close(errChan) + + // Check for errors + for installErr := range errChan { + gomega.Expect(installErr).NotTo(gomega.HaveOccurred()) + } }) - ginkgo.When("Installing Koperator", func() { - ginkgo.It("Installing Koperator Helm chart", func() { - err = koperatorLocalHelmDescriptor.installHelmChart(kubectlOptions) - gomega.Expect(err).NotTo(gomega.HaveOccurred()) - }) + ginkgo.It("Installing Koperator Helm chart", func() { + err = koperatorLocalHelmDescriptor.installHelmChart(kubectlOptions) + gomega.Expect(err).NotTo(gomega.HaveOccurred()) }) }) } diff --git a/tests/e2e/test_install_cluster.go b/tests/e2e/test_install_cluster.go deleted file mode 100644 index d5ca9c624..000000000 --- a/tests/e2e/test_install_cluster.go +++ /dev/null @@ -1,52 +0,0 @@ -// Copyright © 2023 Cisco Systems, Inc. and/or its affiliates -// Copyright 2025 Adobe. All rights reserved. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package e2e - -import ( - "github.com/gruntwork-io/terratest/modules/k8s" - ginkgo "github.com/onsi/ginkgo/v2" - gomega "github.com/onsi/gomega" -) - -func testInstallZookeeperCluster() bool { - return ginkgo.When("Installing Zookeeper cluster", func() { - var kubectlOptions k8s.KubectlOptions - var err error - - ginkgo.It("Acquiring K8s config and context", func() { - kubectlOptions, err = kubectlOptionsForCurrentContext() - gomega.Expect(err).NotTo(gomega.HaveOccurred()) - }) - - kubectlOptions.Namespace = zookeeperOperatorHelmDescriptor.Namespace - requireCreatingZookeeperCluster(kubectlOptions) - }) -} - -func testInstallKafkaCluster(kafkaClusterManifestPath string) bool { //nolint:unparam // Note: respecting Ginkgo testing interface by returning bool. - return ginkgo.When("Installing Kafka cluster", func() { - var kubectlOptions k8s.KubectlOptions - var err error - - ginkgo.It("Acquiring K8s config and context", func() { - kubectlOptions, err = kubectlOptionsForCurrentContext() - gomega.Expect(err).NotTo(gomega.HaveOccurred()) - }) - - kubectlOptions.Namespace = koperatorLocalHelmDescriptor.Namespace - requireCreatingKafkaCluster(kubectlOptions, kafkaClusterManifestPath) - }) -} diff --git a/tests/e2e/test_install_kafka_cluster.go b/tests/e2e/test_install_kafka_cluster.go new file mode 100644 index 000000000..bb9daf14f --- /dev/null +++ b/tests/e2e/test_install_kafka_cluster.go @@ -0,0 +1,81 @@ +// Copyright 2025 Adobe. All rights reserved. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package e2e + +import ( + "github.com/gruntwork-io/terratest/modules/k8s" + "github.com/onsi/ginkgo/v2" + "github.com/onsi/gomega" +) + +func testInstallZookeeperCluster() bool { + return ginkgo.When("Installing Zookeeper cluster (required for Zookeeper-based Kafka)", func() { + var kubectlOptions k8s.KubectlOptions + var err error + + ginkgo.It("Acquiring K8s config and context", func() { + kubectlOptions, err = kubectlOptionsForCurrentContext() + gomega.Expect(err).NotTo(gomega.HaveOccurred()) + }) + + kubectlOptions.Namespace = zookeeperOperatorHelmDescriptor.Namespace + requireCreatingZookeeperCluster(kubectlOptions) + }) +} + +func testInstallNoIngressKafkaCluster(clusterDescription, kafkaClusterManifestPath string) bool { //nolint:unparam // Note: respecting Ginkgo testing interface by returning bool. + return ginkgo.When(clusterDescription, func() { + var kubectlOptions k8s.KubectlOptions + var err error + + ginkgo.It("Acquiring K8s config and context", func() { + kubectlOptions, err = kubectlOptionsForCurrentContext() + gomega.Expect(err).NotTo(gomega.HaveOccurred()) + }) + + kubectlOptions.Namespace = koperatorLocalHelmDescriptor.Namespace + requireCreatingKafkaCluster(kubectlOptions, kafkaClusterManifestPath) + }) +} + +func testInstallEnvoyKafkaCluster(clusterDescription, kafkaClusterManifestPath string) bool { //nolint:unparam // Note: respecting Ginkgo testing interface by returning bool. + return ginkgo.When(clusterDescription, func() { + var kubectlOptions k8s.KubectlOptions + var err error + + ginkgo.It("Acquiring K8s config and context", func() { + kubectlOptions, err = kubectlOptionsForCurrentContext() + gomega.Expect(err).NotTo(gomega.HaveOccurred()) + }) + + kubectlOptions.Namespace = koperatorLocalHelmDescriptor.Namespace + requireCreatingKafkaCluster(kubectlOptions, kafkaClusterManifestPath) + }) +} + +func testInstallEnvoyGatewayKafkaCluster(clusterDescription, kafkaClusterManifestPath string) bool { //nolint:unparam // Note: respecting Ginkgo testing interface by returning bool. + return ginkgo.When(clusterDescription, func() { + var kubectlOptions k8s.KubectlOptions + var err error + + ginkgo.It("Acquiring K8s config and context", func() { + kubectlOptions, err = kubectlOptionsForCurrentContext() + gomega.Expect(err).NotTo(gomega.HaveOccurred()) + }) + + kubectlOptions.Namespace = koperatorLocalHelmDescriptor.Namespace + requireCreatingKafkaCluster(kubectlOptions, kafkaClusterManifestPath) + }) +} diff --git a/tests/e2e/test_snapshot.go b/tests/e2e/test_snapshot.go index 92d0667a7..4ac3c7601 100644 --- a/tests/e2e/test_snapshot.go +++ b/tests/e2e/test_snapshot.go @@ -21,9 +21,8 @@ import ( "strings" "github.com/gruntwork-io/terratest/modules/k8s" - ginkgo "github.com/onsi/ginkgo/v2" - gomega "github.com/onsi/gomega" - "github.com/onsi/gomega/format" + "github.com/onsi/ginkgo/v2" + "github.com/onsi/gomega" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -41,12 +40,23 @@ func (s *clusterSnapshot) Resources() []metav1.PartialObjectMetadata { func (s *clusterSnapshot) ResourcesAsComparisonType() []localComparisonPartialObjectMetadataType { var localList []localComparisonPartialObjectMetadataType for _, r := range s.resources { - // Filter out cert-manager related resources to avoid comparison failures - // when cert-manager is not fully cleaned up during uninstall + // Filter out cert-manager and envoy-gateway related resources to avoid comparison failures + // when these components are not fully cleaned up during uninstall resourceName := r.GetName() if strings.Contains(resourceName, "cert-manager") || strings.Contains(resourceName, "acme.cert-manager") { continue } + // Filter out Envoy Gateway and Gateway API resources (CRDs, RBAC, APIServices) + if strings.Contains(resourceName, "gateway.envoyproxy.io") || + strings.Contains(resourceName, "gateway.networking.x-k8s.io") || + strings.Contains(resourceName, "gateway.networking.k8s.io") || + strings.Contains(resourceName, "eg-gateway-helm-certgen") { + continue + } + // Filter out Kind cluster infrastructure resources + if resourceName == "cloud-provider-kind" { + continue + } localList = append(localList, localComparisonPartialObjectMetadataType{ GVK: r.GroupVersionKind(), @@ -162,13 +172,57 @@ func snapshotClusterAndCompare(snapshottedInitialInfo *clusterSnapshot) bool { snapshotCluster(snapshottedCurrentInfo) ginkgo.It("Checking resources list", func() { - // Temporarily increase maximum output length (default 4000) to fit more objects in the printed diff. - // Only doing this here because other assertions typically don't run against objects with this many elements. - initialMaxLength := format.MaxLength - defer func() { format.MaxLength = initialMaxLength }() - format.MaxLength = 9000 + current := snapshottedCurrentInfo.ResourcesAsComparisonType() + initial := snapshottedInitialInfo.ResourcesAsComparisonType() + + // Calculate differences for better error reporting + var extra []localComparisonPartialObjectMetadataType + var missing []localComparisonPartialObjectMetadataType + + for _, c := range current { + found := false + for _, i := range initial { + if c.GVK == i.GVK && c.Namespace == i.Namespace && c.Name == i.Name { + found = true + break + } + } + if !found { + extra = append(extra, c) + } + } + + for _, i := range initial { + found := false + for _, c := range current { + if c.GVK == i.GVK && c.Namespace == i.Namespace && c.Name == i.Name { + found = true + break + } + } + if !found { + missing = append(missing, i) + } + } + + // If there are differences, print them clearly and fail with a simple message + if len(extra) > 0 || len(missing) > 0 { + if len(extra) > 0 { + ginkgo.GinkgoWriter.Printf("\n=== EXTRA RESOURCES (present now but not in initial snapshot) ===\n") + for _, r := range extra { + ginkgo.GinkgoWriter.Printf(" %s/%s %s (namespace: %q)\n", r.GVK.Group, r.GVK.Kind, r.Name, r.Namespace) + } + } + + if len(missing) > 0 { + ginkgo.GinkgoWriter.Printf("\n=== MISSING RESOURCES (present in initial snapshot but not now) ===\n") + for _, r := range missing { + ginkgo.GinkgoWriter.Printf(" %s/%s %s (namespace: %q)\n", r.GVK.Group, r.GVK.Kind, r.Name, r.Namespace) + } + } - gomega.Expect(snapshottedCurrentInfo.ResourcesAsComparisonType()).To(gomega.ConsistOf(snapshottedInitialInfo.ResourcesAsComparisonType())) + ginkgo.Fail(fmt.Sprintf("Cluster resources mismatch: %d extra, %d missing (see details above)", len(extra), len(missing))) + } }) }) } diff --git a/tests/e2e/test_uninstall.go b/tests/e2e/test_uninstall.go index cd026b919..f7cf1debf 100644 --- a/tests/e2e/test_uninstall.go +++ b/tests/e2e/test_uninstall.go @@ -63,5 +63,10 @@ func testUninstall() bool { ConfigPath: kubectlOptions.ConfigPath, Namespace: contourIngressControllerHelmDescriptor.Namespace, }) + requireUninstallingEnvoyGateway(k8s.KubectlOptions{ + ContextName: kubectlOptions.ContextName, + ConfigPath: kubectlOptions.ConfigPath, + Namespace: envoyGatewayHelmDescriptor.Namespace, + }) }) } diff --git a/tests/e2e/test_uninstall_cluster.go b/tests/e2e/test_uninstall_cluster.go index 46d505330..dcd447d02 100644 --- a/tests/e2e/test_uninstall_cluster.go +++ b/tests/e2e/test_uninstall_cluster.go @@ -50,3 +50,31 @@ func testUninstallKafkaCluster() bool { //nolint:unparam // Note: respecting Gin requireDeleteKafkaCluster(kubectlOptions, kafkaClusterName) }) } + +func testUninstallEnvoyGatewayKafkaCluster(manifestPath string) bool { //nolint:unparam // Note: respecting Ginkgo testing interface by returning bool. + return ginkgo.When("Uninstalling Envoy Gateway Kafka cluster and cert-manager resources", func() { + var kubectlOptions k8s.KubectlOptions + var err error + + ginkgo.It("Acquiring K8s config and context", func() { + kubectlOptions, err = kubectlOptionsForCurrentContext() + gomega.Expect(err).NotTo(gomega.HaveOccurred()) + }) + + kubectlOptions.Namespace = koperatorLocalHelmDescriptor.Namespace + + // Delete KafkaCluster CR first + requireDeleteKafkaCluster(kubectlOptions, kafkaClusterName) + + // Delete cert-manager resources (Certificate and Issuer) + ginkgo.It("Deleting cert-manager Certificate", func() { + err := deleteK8sResourceNoErrNotFound(kubectlOptions, defaultDeletionTimeout, "certificate", "envoygateway-tls-cert") + gomega.Expect(err).ShouldNot(gomega.HaveOccurred()) + }) + + ginkgo.It("Deleting cert-manager Issuer", func() { + err := deleteK8sResourceNoErrNotFound(kubectlOptions, defaultDeletionTimeout, "issuer", "envoygateway-selfsigned-issuer") + gomega.Expect(err).ShouldNot(gomega.HaveOccurred()) + }) + }) +} diff --git a/tests/e2e/types.go b/tests/e2e/types.go index 78e1728ce..011cd8e9d 100644 --- a/tests/e2e/types.go +++ b/tests/e2e/types.go @@ -22,10 +22,11 @@ import ( ) type dependencyCRDsType struct { - zookeeper []string - prometheus []string - certManager []string - contour []string + zookeeper []string + prometheus []string + certManager []string + contour []string + envoyGateway []string } func (c *dependencyCRDsType) Zookeeper() []string { @@ -40,6 +41,9 @@ func (c *dependencyCRDsType) CertManager() []string { func (c *dependencyCRDsType) Contour() []string { return c.contour } +func (c *dependencyCRDsType) EnvoyGateway() []string { + return c.envoyGateway +} func (c *dependencyCRDsType) Initialize(kubectlOptions k8s.KubectlOptions) error { var err error @@ -51,6 +55,10 @@ func (c *dependencyCRDsType) Initialize(kubectlOptions k8s.KubectlOptions) error if err != nil { return fmt.Errorf("initialize Contour Ingress Controller CRDs error: %w", err) } + c.envoyGateway, err = listK8sResourceKinds(kubectlOptions, apiGroupKoperatorDependencies()["envoy-gateway"]) + if err != nil { + return fmt.Errorf("initialize Envoy Gateway CRDs error: %w", err) + } c.prometheus, err = listK8sResourceKinds(kubectlOptions, apiGroupKoperatorDependencies()["prometheus"]) if err != nil { return fmt.Errorf("initialize Prometheus CRDs error: %w", err) diff --git a/tests/e2e/uninstall.go b/tests/e2e/uninstall.go index 5ab3f6f06..3d9b8a2b2 100644 --- a/tests/e2e/uninstall.go +++ b/tests/e2e/uninstall.go @@ -239,7 +239,7 @@ func requireRemoveCertManagerCRDs(kubectlOptions k8s.KubectlOptions) { }) } func requireUninstallingContour(kubectlOptions k8s.KubectlOptions) { - ginkgo.When("Uninstalling zookeeper-operator", func() { + ginkgo.When("Uninstalling contour", func() { requireUninstallingContourHelmChart(kubectlOptions) requireRemoveContourCRDs(kubectlOptions) requireRemoveNamespace(kubectlOptions, contourIngressControllerHelmDescriptor.Namespace) @@ -282,6 +282,70 @@ func requireRemoveContourCRDs(kubectlOptions k8s.KubectlOptions) { }) } +func requireUninstallingEnvoyGateway(kubectlOptions k8s.KubectlOptions) { + ginkgo.When("Uninstalling Envoy Gateway", func() { + requireUninstallingEnvoyGatewayHelmChart(kubectlOptions) + requireRemoveEnvoyGatewayCRDs(kubectlOptions) + requireRemoveNamespace(kubectlOptions, envoyGatewayHelmDescriptor.Namespace) + }) +} + +func requireUninstallingEnvoyGatewayHelmChart(kubectlOptions k8s.KubectlOptions) { + ginkgo.It("Uninstalling Envoy Gateway Helm chart", func() { + err := envoyGatewayHelmDescriptor.uninstallHelmChart(kubectlOptions, true) + gomega.Expect(err).NotTo(gomega.HaveOccurred()) + + ginkgo.By("Cleaning up Envoy Gateway Helm hook resources") + // Envoy Gateway Helm chart uses hooks that create resources not cleaned up by helm uninstall + // Explicitly delete known leftover resources + + // Delete ServiceAccount in envoy-gateway-system namespace + namespacedOpts := kubectlOptions + namespacedOpts.Namespace = envoyGatewayHelmDescriptor.Namespace + err = deleteK8sResourceNoErrNotFound(namespacedOpts, defaultDeletionTimeout, "serviceaccount", "eg-gateway-helm-certgen") + if err != nil && !isKubectlNotFoundError(err) { + ginkgo.By(fmt.Sprintf("Warning: Failed to delete ServiceAccount eg-gateway-helm-certgen: %v", err)) + } + + // Delete MutatingWebhookConfiguration (cluster-scoped) + // Note: The full name includes the namespace suffix + clusterOpts := kubectlOptions + clusterOpts.Namespace = "" + webhookName := fmt.Sprintf("envoy-gateway-topology-injector.%s", envoyGatewayHelmDescriptor.Namespace) + err = deleteK8sResourceNoErrNotFound(clusterOpts, defaultDeletionTimeout, "mutatingwebhookconfiguration", webhookName) + if err != nil && !isKubectlNotFoundError(err) { + ginkgo.By(fmt.Sprintf("Warning: Failed to delete MutatingWebhookConfiguration %s: %v", webhookName, err)) + } + + ginkgo.By("Verifying Envoy Gateway helm chart resources cleanup") + + k8sResourceKinds, err := listK8sResourceKinds(kubectlOptions, "") + gomega.Expect(err).ShouldNot(gomega.HaveOccurred()) + + envoyGatewayAvailableResourceKinds := stringSlicesInstersect(dependencyCRDs.EnvoyGateway(), k8sResourceKinds) + envoyGatewayAvailableResourceKinds = append(envoyGatewayAvailableResourceKinds, basicK8sResourceKinds()...) + + remainedResources, err := getK8sResources(kubectlOptions, + envoyGatewayAvailableResourceKinds, + fmt.Sprintf(managedByHelmLabelTemplate, envoyGatewayHelmDescriptor.ReleaseName), + "", + kubectlArgGoTemplateKindNameNamespace, + "--all-namespaces") + gomega.Expect(err).ShouldNot(gomega.HaveOccurred()) + + gomega.Expect(remainedResources).Should(gomega.BeEmpty()) + }) +} + +func requireRemoveEnvoyGatewayCRDs(kubectlOptions k8s.KubectlOptions) { + ginkgo.It("Removing Envoy Gateway CRDs", func() { + for _, crd := range dependencyCRDs.EnvoyGateway() { + err := deleteK8sResourceNoErrNotFound(kubectlOptions, defaultDeletionTimeout, crdKind, crd) + gomega.Expect(err).ShouldNot(gomega.HaveOccurred()) + } + }) +} + // requireRemoveNamespace deletes the indicated namespace object func requireRemoveNamespace(kubectlOptions k8s.KubectlOptions, namespace string) { ginkgo.It(fmt.Sprintf("Removing namespace %s", namespace), func() { diff --git a/tests/e2e/uninstall_cluster.go b/tests/e2e/uninstall_cluster.go index 79434f90d..3d554bbbd 100644 --- a/tests/e2e/uninstall_cluster.go +++ b/tests/e2e/uninstall_cluster.go @@ -36,7 +36,7 @@ func requireDeleteKafkaCluster(kubectlOptions k8s.KubectlOptions, name string) { gomega.Eventually(context.Background(), func() []string { ginkgo.By("Verifying the Kafka cluster resource cleanup") - // Check only those Koperator related resource types we have in K8s (istio usecase) + // Check only those Koperator related resource types we have in K8s k8sResourceKinds, err := listK8sResourceKinds(kubectlOptions, "") gomega.Expect(err).ShouldNot(gomega.HaveOccurred()) diff --git a/tests/e2e/versions.go b/tests/e2e/versions.go index a319f82d1..87b461c32 100644 --- a/tests/e2e/versions.go +++ b/tests/e2e/versions.go @@ -24,6 +24,9 @@ const ( // ContourVersion is the version of Contour ingress controller Helm chart ContourVersion = "0.1.0" // renovate: datasource=helm depName=contour registryUrl=https://projectcontour.github.io/helm-charts + // EnvoyGatewayVersion is the version of Envoy Gateway Helm chart + EnvoyGatewayVersion = "v1.5.4" // renovate: datasource=helm depName=gateway-helm registryUrl=https://gateway.envoyproxy.io + // PrometheusOperatorVersion is the version of kube-prometheus-stack Helm chart PrometheusOperatorVersion = "77.12.0" // renovate: datasource=helm depName=kube-prometheus-stack registryUrl=https://prometheus-community.github.io/helm-charts diff --git a/third_party/github.com/banzaicloud/go-cruise-control/README.md b/third_party/github.com/banzaicloud/go-cruise-control/README.md index 8289e9cd4..ef9dac0d1 100644 --- a/third_party/github.com/banzaicloud/go-cruise-control/README.md +++ b/third_party/github.com/banzaicloud/go-cruise-control/README.md @@ -36,7 +36,7 @@ func main() { // Create Context with timeout ctx, cancel := context.WithTimeout(context.Background(), 30 * time.Second) - defer cancel() + defer cancel() // Optionally set request Reason to Context which will sent to Cruise Control as part of the HTTP request ctx = client.ContextWithReason("example") diff --git a/third_party/github.com/banzaicloud/go-cruise-control/deploy/producer/run.sh b/third_party/github.com/banzaicloud/go-cruise-control/deploy/producer/run.sh old mode 100755 new mode 100644 index cca23ee18..e90e570cd --- a/third_party/github.com/banzaicloud/go-cruise-control/deploy/producer/run.sh +++ b/third_party/github.com/banzaicloud/go-cruise-control/deploy/producer/run.sh @@ -25,7 +25,7 @@ create_topic() { --partitions 30 \ --replication-factor 2 \ --topic "${TOPIC}" - + # Create the Cruise Control metrics topic /opt/kafka/bin/kafka-topics.sh \ --bootstrap-server "${KAFKA_BROKERS}" \ diff --git a/third_party/github.com/banzaicloud/istio-client-go/.gitignore b/third_party/github.com/banzaicloud/istio-client-go/.gitignore deleted file mode 100644 index 007186027..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/.gitignore +++ /dev/null @@ -1,20 +0,0 @@ -/bin/ -/build/ -/dist/ -/vendor/ -/.gen - -# packr files https://github.com/gobuffalo/packr/tree/master/v2 -*-packr.go - -# IDE integration -/.vscode/* -!/.vscode/tasks.json -/.idea/ -!/.idea/copyright/ -!/.idea/*.iml -!/.idea/externalDependencies.xml -!/.idea/go.imports.xml -!/.idea/modules.xml -!/.idea/runConfigurations/ -!/.idea/scopes/ diff --git a/third_party/github.com/banzaicloud/istio-client-go/LICENSE b/third_party/github.com/banzaicloud/istio-client-go/LICENSE deleted file mode 100644 index f49a4e16e..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/LICENSE +++ /dev/null @@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. \ No newline at end of file diff --git a/third_party/github.com/banzaicloud/istio-client-go/README.md b/third_party/github.com/banzaicloud/istio-client-go/README.md deleted file mode 100644 index b1208d929..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/README.md +++ /dev/null @@ -1,3 +0,0 @@ -# Golang API for Istio resources - -This repository contains Go API for Istio resources diff --git a/third_party/github.com/banzaicloud/istio-client-go/go.mod b/third_party/github.com/banzaicloud/istio-client-go/go.mod deleted file mode 100644 index ac7086042..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/go.mod +++ /dev/null @@ -1,26 +0,0 @@ -module github.com/banzaicloud/istio-client-go - -go 1.25 - -require k8s.io/apimachinery v0.34.1 - -require ( - github.com/fxamacker/cbor/v2 v2.9.0 // indirect - github.com/go-logr/logr v1.4.2 // indirect - github.com/gogo/protobuf v1.3.2 // indirect - github.com/json-iterator/go v1.1.12 // indirect - github.com/kr/pretty v0.3.1 // indirect - github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect - github.com/x448/float16 v0.8.4 // indirect - go.yaml.in/yaml/v2 v2.4.2 // indirect - golang.org/x/net v0.38.0 // indirect - golang.org/x/text v0.23.0 // indirect - gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect - gopkg.in/inf.v0 v0.9.1 // indirect - k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect - sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect - sigs.k8s.io/randfill v1.0.0 // indirect - sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect -) diff --git a/third_party/github.com/banzaicloud/istio-client-go/go.sum b/third_party/github.com/banzaicloud/istio-client-go/go.sum deleted file mode 100644 index eab7d88f7..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/go.sum +++ /dev/null @@ -1,98 +0,0 @@ -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= -github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= -github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY= -github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= -github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= -github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= -github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= -github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= -github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= -github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= -github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= -github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= -github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= -github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= -github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= -github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= -github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= -github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= -github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= -github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= -github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI= -go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= -golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= -golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= -gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= -gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= -gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= -k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= -k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= -k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= -k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE= -sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= -sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= -sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= -sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= -sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= -sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= diff --git a/third_party/github.com/banzaicloud/istio-client-go/pkg/common/v1alpha1/string.go b/third_party/github.com/banzaicloud/istio-client-go/pkg/common/v1alpha1/string.go deleted file mode 100644 index f0263306f..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/pkg/common/v1alpha1/string.go +++ /dev/null @@ -1,33 +0,0 @@ -// Copyright © 2019 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package v1alpha1 - -// Describes how to match a given string in HTTP headers. Match is -// case-sensitive. -type StringMatch struct { - // Specified exactly one of the fields below. - - // exact string match - Exact string `json:"exact,omitempty"` - - // prefix-based match - Prefix string `json:"prefix,omitempty"` - - // suffix-based match. - Suffix string `json:"suffix,omitempty"` - - // ECMAscript style regex-based match - Regex string `json:"regex,omitempty"` -} diff --git a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/register.go b/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/register.go deleted file mode 100644 index f6ac1db01..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/register.go +++ /dev/null @@ -1,19 +0,0 @@ -// Copyright © 2019 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package networking - -const ( - GroupName = "networking.istio.io" -) diff --git a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/destinationrule_types.go b/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/destinationrule_types.go deleted file mode 100644 index f094624d2..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/destinationrule_types.go +++ /dev/null @@ -1,662 +0,0 @@ -// Copyright © 2019 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package v1beta1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -// +genclient -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// DestinationRule -type DestinationRule struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - Spec DestinationRuleSpec `json:"spec"` -} - -// `DestinationRule` defines policies that apply to traffic intended for a -// service after routing has occurred. These rules specify configuration -// for load balancing, connection pool size from the sidecar, and outlier -// detection settings to detect and evict unhealthy hosts from the load -// balancing pool. For example, a simple load balancing policy for the -// ratings service would look as follows: -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: bookinfo-ratings -// spec: -// host: ratings.prod.svc.cluster.local -// trafficPolicy: -// loadBalancer: -// simple: LEAST_CONN -// ``` -// -// Version specific policies can be specified by defining a named -// `subset` and overriding the settings specified at the service level. The -// following rule uses a round robin load balancing policy for all traffic -// going to a subset named testversion that is composed of endpoints (e.g., -// pods) with labels (version:v3). -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: bookinfo-ratings -// spec: -// host: ratings.prod.svc.cluster.local -// trafficPolicy: -// loadBalancer: -// simple: LEAST_CONN -// subsets: -// - name: testversion -// labels: -// version: v3 -// trafficPolicy: -// loadBalancer: -// simple: ROUND_ROBIN -// ``` -// -// **Note:** Policies specified for subsets will not take effect until -// a route rule explicitly sends traffic to this subset. -// -// Traffic policies can be customized to specific ports as well. The -// following rule uses the least connection load balancing policy for all -// traffic to port 80, while uses a round robin load balancing setting for -// traffic to the port 9080. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: bookinfo-ratings-port -// spec: -// host: ratings.prod.svc.cluster.local -// trafficPolicy: # Apply to all ports -// portLevelSettings: -// - port: -// number: 80 -// loadBalancer: -// simple: LEAST_CONN -// - port: -// number: 9080 -// loadBalancer: -// simple: ROUND_ROBIN -// ``` -type DestinationRuleSpec struct { - // REQUIRED. The name of a service from the service registry. Service - // names are looked up from the platform's service registry (e.g., - // Kubernetes services, Consul services, etc.) and from the hosts - // declared by [ServiceEntries](https://istio.io/docs/reference/config/networking/v1beta1/service-entry/#ServiceEntry). Rules defined for - // services that do not exist in the service registry will be ignored. - // - // *Note for Kubernetes users*: When short names are used (e.g. "reviews" - // instead of "reviews.default.svc.cluster.local"), Istio will interpret - // the short name based on the namespace of the rule, not the service. A - // rule in the "default" namespace containing a host "reviews" will be - // interpreted as "reviews.default.svc.cluster.local", irrespective of - // the actual namespace associated with the reviews service. _To avoid - // potential misconfigurations, it is recommended to always use fully - // qualified domain names over short names._ - // - // Note that the host field applies to both HTTP and TCP services. - Host string `json:"host"` - - // Traffic policies to apply (load balancing policy, connection pool - // sizes, outlier detection). - TrafficPolicy *TrafficPolicy `json:"trafficPolicy,omitempty"` - - // One or more named sets that represent individual versions of a - // service. Traffic policies can be overridden at subset level. - Subsets []Subset `json:"subsets,omitempty"` - - // A list of namespaces to which this destination rule is exported. - // The resolution of a destination rule to apply to a service occurs in the - // context of a hierarchy of namespaces. Exporting a destination rule allows - // it to be included in the resolution hierarchy for services in - // other namespaces. This feature provides a mechanism for service owners - // and mesh administrators to control the visibility of destination rules - // across namespace boundaries. - // - // If no namespaces are specified then the destination rule is exported to all - // namespaces by default. - // - // The value "." is reserved and defines an export to the same namespace that - // the destination rule is declared in. Similarly, the value "*" is reserved and - // defines an export to all namespaces. - // - // NOTE: in the current release, the `exportTo` value is restricted to - // "." or "*" (i.e., the current namespace or all namespaces). - ExportTo []string `json:"exportTo,omitempty"` -} - -// Traffic policies to apply for a specific destination, across all -// destination ports. See DestinationRule for examples. -type TrafficPolicy struct { - TrafficPolicyCommon `json:",inline"` - - // Traffic policies specific to individual ports. Note that port level - // settings will override the destination-level settings. Traffic - // settings specified at the destination-level will not be inherited when - // overridden by port-level settings, i.e. default values will be applied - // to fields omitted in port-level traffic policies. - PortLevelSettings []PortTrafficPolicy `json:"portLevelSettings,omitempty"` -} - -type TrafficPolicyCommon struct { - // Settings controlling the load balancer algorithms. - LoadBalancer *LoadBalancerSettings `json:"loadBalancer,omitempty"` - - // Settings controlling the volume of connections to an upstream service. - ConnectionPool *ConnectionPoolSettings `json:"connectionPool,omitempty"` - - // Settings controlling eviction of unhealthy hosts from the load balancing pool. - OutlierDetection *OutlierDetection `json:"outlierDetection,omitempty"` - - // TLS related settings for connections to the upstream service. - TLS *TLSSettings `json:"tls,omitempty"` -} - -// Traffic policies that apply to specific ports of the service -type PortTrafficPolicy struct { - TrafficPolicyCommon `json:",inline"` - - // Specifies the port name or number of a port on the destination service - // on which this policy is being applied. - Port *PortSelector `json:"port,omitempty"` -} - -// A subset of endpoints of a service. Subsets can be used for scenarios -// like A/B testing, or routing to a specific version of a service. Refer -// to [VirtualService](https://istio.io/docs/reference/config/networking/v1beta1/virtual-service/#VirtualService) documentation for examples of using -// subsets in these scenarios. In addition, traffic policies defined at the -// service-level can be overridden at a subset-level. The following rule -// uses a round robin load balancing policy for all traffic going to a -// subset named testversion that is composed of endpoints (e.g., pods) with -// labels (version:v3). -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: bookinfo-ratings -// spec: -// host: ratings.prod.svc.cluster.local -// trafficPolicy: -// loadBalancer: -// simple: LEAST_CONN -// subsets: -// - name: testversion -// labels: -// version: v3 -// trafficPolicy: -// loadBalancer: -// simple: ROUND_ROBIN -// ``` -// -// **Note:** Policies specified for subsets will not take effect until -// a route rule explicitly sends traffic to this subset. -// -// One or more labels are typically required to identify the subset destination, -// however, when the corresponding DestinationRule represents a host that -// supports multiple SNI hosts (e.g., an egress gateway), a subset without labels -// may be meaningful. In this case a traffic policy with [TLSSettings](#TLSSettings) -// can be used to identify a specific SNI host corresponding to the named subset. -type Subset struct { - // REQUIRED. Name of the subset. The service name and the subset name can - // be used for traffic splitting in a route rule. - Name string `json:"name"` - - // Labels apply a filter over the endpoints of a service in the - // service registry. See route rules for examples of usage. - Labels map[string]string `json:"labels"` - - // Traffic policies that apply to this subset. Subsets inherit the - // traffic policies specified at the DestinationRule level. Settings - // specified at the subset level will override the corresponding settings - // specified at the DestinationRule level. - TrafficPolicy *TrafficPolicy `json:"trafficPolicy,omitempty"` -} - -// Load balancing policies to apply for a specific destination. See Envoy's -// load balancing -// [documentation](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancing) -// for more details. -// -// For example, the following rule uses a round robin load balancing policy -// for all traffic going to the ratings service. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: bookinfo-ratings -// spec: -// host: ratings.prod.svc.cluster.local -// trafficPolicy: -// loadBalancer: -// simple: ROUND_ROBIN -// ``` -// -// The following example sets up sticky sessions for the ratings service -// hashing-based load balancer for the same ratings service using the -// the User cookie as the hash key. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: bookinfo-ratings -// spec: -// host: ratings.prod.svc.cluster.local -// trafficPolicy: -// loadBalancer: -// consistentHash: -// httpCookie: -// name: user -// ttl: 0s -// ``` -type LoadBalancerSettings struct { - // It is required to specify exactly one of these fields - - // Standard load balancing algorithms that require no tuning. - Simple *SimpleLB `json:"simple,omitempty"` - - // Consistent Hash-based load balancing can be used to provide soft - // session affinity based on HTTP headers, cookies or other - // properties. This load balancing policy is applicable only for HTTP - // connections. The affinity to a particular destination host will be - // lost when one or more hosts are added/removed from the destination - // service. - ConsistentHash *ConsistentHashLB `json:"consistentHash,omitempty"` -} - -type H2UpgradePolicy string - -const ( - // Use the global default. - H2UpgradePolicyDefault H2UpgradePolicy = "DEFAULT" - - // Do not upgrade the connection to http2. - // This opt-out option overrides the default. - H2UpgradePolicyDoNotUpgrade H2UpgradePolicy = "DO_NOT_UPGRADE" - - // Upgrade the connection to http2. - // This opt-in option overrides the default. - H2UpgradePolicyUpgrade H2UpgradePolicy = "UPGRADE" -) - -// Standard load balancing algorithms that require no tuning. -type SimpleLB string - -const ( - // Round Robin policy. Default - SimpleLBRoundRobin SimpleLB = "ROUND_ROBIN" - - // The least request load balancer uses an O(1) algorithm which selects - // two random healthy hosts and picks the host which has fewer active - // requests. - SimpleLBLeastConn SimpleLB = "LEAST_CONN" - - // The random load balancer selects a random healthy host. The random - // load balancer generally performs better than round robin if no health - // checking policy is configured. - SimpleLBRandom SimpleLB = "RANDOM" - - // This option will forward the connection to the original IP address - // requested by the caller without doing any form of load - // balancing. This option must be used with care. It is meant for - // advanced use cases. Refer to Original Destination load balancer in - // Envoy for further details. - SimpleLBPassthrough SimpleLB = "PASSTHROUGH" -) - -// Consistent Hash-based load balancing can be used to provide soft -// session affinity based on HTTP headers, cookies or other -// properties. This load balancing policy is applicable only for HTTP -// connections. The affinity to a particular destination host will be -// lost when one or more hosts are added/removed from the destination -// service. -type ConsistentHashLB struct { - // It is required to specify exactly one of these fields as hash key - // HTTPHeaderName, HTTPCookie, or UseSourceIP. - // Hash based on a specific HTTP header. - HTTPHeaderName *string `json:"httpHeaderName,omitempty"` - - // Hash based on HTTP cookie. - HTTPCookie *HTTPCookie `json:"httpCookie,omitempty"` - - // Hash based on the source IP address. - UseSourceIP *bool `json:"useSourceIp,omitempty"` - - // The minimum number of virtual nodes to use for the hash - // ring. Defaults to 1024. Larger ring sizes result in more granular - // load distributions. If the number of hosts in the load balancing - // pool is larger than the ring size, each host will be assigned a - // single virtual node. - MinimumRingSize *uint64 `json:"minimumRingSize,omitempty"` -} - -// Describes a HTTP cookie that will be used as the hash key for the -// Consistent Hash load balancer. If the cookie is not present, it will -// be generated. -type HTTPCookie struct { - // REQUIRED. Name of the cookie. - Name string `json:"name"` - - // Path to set for the cookie. - Path *string `json:"path,omitempty"` - - // REQUIRED. Lifetime of the cookie. - TTL string `json:"ttl"` -} - -// Connection pool settings for an upstream host. The settings apply to -// each individual host in the upstream service. See Envoy's [circuit -// breaker](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking) -// for more details. Connection pool settings can be applied at the TCP -// level as well as at HTTP level. -// -// For example, the following rule sets a limit of 100 connections to redis -// service called myredissrv with a connect timeout of 30ms -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: bookinfo-redis -// spec: -// host: myredissrv.prod.svc.cluster.local -// trafficPolicy: -// connectionPool: -// tcp: -// maxConnections: 100 -// connectTimeout: 30ms -// tcpKeepalive: -// time: 7200s -// interval: 75s -// ``` -type ConnectionPoolSettings struct { - // Settings common to both HTTP and TCP upstream connections. - TCP *TCPSettings `json:"tcp,omitempty"` - - // HTTP connection pool settings. - HTTP *HTTPSettings `json:"http,omitempty"` -} - -// Settings common to both HTTP and TCP upstream connections. -type TCPSettings struct { - // Maximum number of HTTP1 /TCP connections to a destination host. - MaxConnections *int32 `json:"maxConnections,omitempty"` - - // TCP connection timeout. - ConnectTimeout *string `json:"connectTimeout,omitempty"` - - // If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives. - TCPKeepalive *TCPKeepalive `json:"tcpKeepalive,omitempty"` -} - -// TCP keepalive. -type TCPKeepalive struct { - // Maximum number of keepalive probes to send without response before - // deciding the connection is dead. Default is to use the OS level configuration - // (unless overridden, Linux defaults to 9.) - Probes *uint32 `json:"probes,omitempty"` - // The time duration a connection needs to be idle before keep-alive - // probes start being sent. Default is to use the OS level configuration - // (unless overridden, Linux defaults to 7200s (ie 2 hours.) - Time *string `json:"time,omitempty"` - // The time duration between keep-alive probes. - // Default is to use the OS level configuration - // (unless overridden, Linux defaults to 75s.) - Interval *string `json:"interval,omitempty"` -} - -// Settings applicable to HTTP1.1/HTTP2/GRPC connections. -type HTTPSettings struct { - // Maximum number of pending HTTP requests to a destination. Default 1024. - HTTP1MaxPendingRequests *int32 `json:"http1MaxPendingRequests,omitempty"` - - // Maximum number of requests to a backend. Default 1024. - HTTP2MaxRequests *int32 `json:"http2MaxRequests,omitempty"` - - // Maximum number of requests per connection to a backend. Setting this - // parameter to 1 disables keep alive. - MaxRequestsPerConnection *int32 `json:"maxRequestsPerConnection,omitempty"` - - // Maximum number of retries that can be outstanding to all hosts in a - // cluster at a given time. Defaults to 3. - MaxRetries *int32 `json:"maxRetries,omitempty"` - - // The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. - // If not set, there is no idle timeout. When the idle timeout is reached the connection will be closed. - // Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections. - IdleTimeout *string `json:"idleTimeout,omitempty"` - - // Specify if http1.1 connection should be upgraded to http2 for the associated destination. - H2UpgradePolicy *H2UpgradePolicy `json:"h2UpgradePolicy,omitempty"` -} - -// A Circuit breaker implementation that tracks the status of each -// individual host in the upstream service. Applicable to both HTTP and -// TCP services. For HTTP services, hosts that continually return 5xx -// errors for API calls are ejected from the pool for a pre-defined period -// of time. For TCP services, connection timeouts or connection -// failures to a given host counts as an error when measuring the -// consecutive errors metric. See Envoy's [outlier -// detection](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/outlier) -// for more details. -// -// The following rule sets a connection pool size of 100 connections and -// 1000 concurrent HTTP2 requests, with no more than 10 req/connection to -// "reviews" service. In addition, it configures upstream hosts to be -// scanned every 5 mins, such that any host that fails 7 consecutive times -// with 5XX error code will be ejected for 15 minutes. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: reviews-cb-policy -// spec: -// host: reviews.prod.svc.cluster.local -// trafficPolicy: -// connectionPool: -// tcp: -// maxConnections: 100 -// http: -// http2MaxRequests: 1000 -// maxRequestsPerConnection: 10 -// outlierDetection: -// consecutiveErrors: 7 -// interval: 5m -// baseEjectionTime: 15m -// ``` -type OutlierDetection struct { - // Number of errors before a host is ejected from the connection - // pool. Defaults to 5. When the upstream host is accessed over HTTP, a - // 502, 503 or 504 return code qualifies as an error. When the upstream host - // is accessed over an opaque TCP connection, connect timeouts and - // connection error/failure events qualify as an error. - ConsecutiveErrors int32 `json:"consecutiveErrors,omitempty"` - - // Number of gateway errors before a host is ejected from the connection pool. - // When the upstream host is accessed over HTTP, a 502, 503, or 504 return - // code qualifies as a gateway error. When the upstream host is accessed over - // an opaque TCP connection, connect timeouts and connection error/failure - // events qualify as a gateway error. - // This feature is disabled by default or when set to the value 0. - // - // Note that consecutive_gateway_errors and consecutive_5xx_errors can be - // used separately or together. Because the errors counted by - // consecutive_gateway_errors are also included in consecutive_5xx_errors, - // if the value of consecutive_gateway_errors is greater than or equal to - // the value of consecutive_5xx_errors, consecutive_gateway_errors will have - // no effect. - ConsecutiveGatewayErrors *uint32 `json:"consecutiveGatewayErrors,omitempty"` - - // Number of 5xx errors before a host is ejected from the connection pool. - // When the upstream host is accessed over an opaque TCP connection, connect - // timeouts, connection error/failure and request failure events qualify as a - // 5xx error. - // This feature defaults to 5 but can be disabled by setting the value to 0. - // - // Note that consecutive_gateway_errors and consecutive_5xx_errors can be - // used separately or together. Because the errors counted by - // consecutive_gateway_errors are also included in consecutive_5xx_errors, - // if the value of consecutive_gateway_errors is greater than or equal to - // the value of consecutive_5xx_errors, consecutive_gateway_errors will have - // no effect. - Consecutive5XxErrors *uint32 `json:"consecutive5xxErrors,omitempty"` - - // Time interval between ejection sweep analysis. format: - // 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s. - Interval *string `json:"interval,omitempty"` - - // Minimum ejection duration. A host will remain ejected for a period - // equal to the product of minimum ejection duration and the number of - // times the host has been ejected. This technique allows the system to - // automatically increase the ejection period for unhealthy upstream - // servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s. - BaseEjectionTime *string `json:"baseEjectionTime,omitempty"` - - // Maximum % of hosts in the load balancing pool for the upstream - // service that can be ejected. Defaults to 10%. - MaxEjectionPercent *int32 `json:"maxEjectionPercent,omitempty"` - - // Outlier detection will be enabled as long as the associated load balancing - // pool has at least min_health_percent hosts in healthy mode. When the - // percentage of healthy hosts in the load balancing pool drops below this - // threshold, outlier detection will be disabled and the proxy will load balance - // across all hosts in the pool (healthy and unhealthy). The threshold can be - // disabled by setting it to 0%. The default is 0% as it's not typically - // applicable in k8s environments with few pods per service. - MinHealthPercent *int32 `json:"minHealthPercent,omitempty"` -} - -// SSL/TLS related settings for upstream connections. See Envoy's [TLS -// context](https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto.html) -// for more details. These settings are common to both HTTP and TCP upstreams. -// -// For example, the following rule configures a client to use mutual TLS -// for connections to upstream database cluster. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: db-mtls -// spec: -// host: mydbserver.prod.svc.cluster.local -// trafficPolicy: -// tls: -// mode: MUTUAL -// clientCertificate: /etc/certs/myclientcert.pem -// privateKey: /etc/certs/client_private_key.pem -// caCertificates: /etc/certs/rootcacerts.pem -// ``` -// -// The following rule configures a client to use TLS when talking to a -// foreign service whose domain matches *.foo.com. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: tls-foo -// spec: -// host: "*.foo.com" -// trafficPolicy: -// tls: -// mode: SIMPLE -// ``` -// -// The following rule configures a client to use Istio mutual TLS when talking -// to rating services. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: ratings-istio-mtls -// spec: -// host: ratings.prod.svc.cluster.local -// trafficPolicy: -// tls: -// mode: ISTIO_MUTUAL -// ``` -type TLSSettings struct { - // REQUIRED: Indicates whether connections to this port should be secured - // using TLS. The value of this field determines how TLS is enforced. - Mode TLSmode `json:"mode"` - - // REQUIRED if mode is `MUTUAL`. The path to the file holding the - // client-side TLS certificate to use. - // Should be empty if mode is `ISTIO_MUTUAL`. - ClientCertificate *string `json:"clientCertificate,omitempty"` - - // REQUIRED if mode is `MUTUAL`. The path to the file holding the - // client's private key. - // Should be empty if mode is `ISTIO_MUTUAL`. - PrivateKey *string `json:"privateKey,omitempty"` - - // OPTIONAL: The path to the file containing certificate authority - // certificates to use in verifying a presented server certificate. If - // omitted, the proxy will not verify the server's certificate. - // Should be empty if mode is `ISTIO_MUTUAL`. - CaCertificates *string `json:"caCertificates,omitempty"` - - // A list of alternate names to verify the subject identity in the - // certificate. If specified, the proxy will verify that the server - // certificate's subject alt name matches one of the specified values. - // If specified, this list overrides the value of subject_alt_names - // from the ServiceEntry. - SubjectAltNames []string `json:"subjectAltNames,omitempty"` - - // SNI string to present to the server during TLS handshake. - SNI *string `json:"sni,omitempty"` -} - -// TLS connection mode -type TLSmode string - -const ( - // Do not setup a TLS connection to the upstream endpoint. - TLSmodeDisable TLSmode = "DISABLE" - - // Originate a TLS connection to the upstream endpoint. - TLSmodeSimple TLSmode = "SIMPLE" - - // Secure connections to the upstream using mutual TLS by presenting - // client certificates for authentication. - TLSmodeMutual TLSmode = "MUTUAL" - - // Secure connections to the upstream using mutual TLS by presenting - // client certificates for authentication. - // Compared to Mutual mode, this mode uses certificates generated - // automatically by Istio for mTLS authentication. When this mode is - // used, all other fields in `TLSSettings` should be empty. - TLSmodeIstioMutual TLSmode = "ISTIO_MUTUAL" -) - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// DestinationRuleList is a list of DestinationRule resources -type DestinationRuleList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata"` - Items []DestinationRule `json:"items"` -} diff --git a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/doc.go b/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/doc.go deleted file mode 100644 index ac36f654c..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/doc.go +++ /dev/null @@ -1,18 +0,0 @@ -// Copyright © 2019 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// +k8s:deepcopy-gen=package -// +groupName=networking.istio.io - -package v1beta1 diff --git a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/gateway_types.go b/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/gateway_types.go deleted file mode 100644 index 9d0960de1..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/gateway_types.go +++ /dev/null @@ -1,486 +0,0 @@ -// Copyright © 2019 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package v1beta1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -// +genclient -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// `Gateway` describes a load balancer operating at the edge of the mesh -// receiving incoming or outgoing HTTP/TCP connections. The specification -// describes a set of ports that should be exposed, the type of protocol to -// use, SNI configuration for the load balancer, etc. -// -// For example, the following Gateway configuration sets up a proxy to act -// as a load balancer exposing port 80 and 9080 (http), 443 (https), -// 9443(https) and port 2379 (TCP) for ingress. The gateway will be -// applied to the proxy running on a pod with labels `app: -// my-gateway-controller`. While Istio will configure the proxy to listen -// on these ports, it is the responsibility of the user to ensure that -// external traffic to these ports are allowed into the mesh. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: Gateway -// metadata: -// name: my-gateway -// namespace: some-config-namespace -// spec: -// selector: -// app: my-gateway-controller -// servers: -// - port: -// number: 80 -// name: http -// protocol: HTTP -// hosts: -// - uk.bookinfo.com -// - eu.bookinfo.com -// tls: -// httpsRedirect: true # sends 301 redirect for http requests -// - port: -// number: 443 -// name: https-443 -// protocol: HTTPS -// hosts: -// - uk.bookinfo.com -// - eu.bookinfo.com -// tls: -// mode: SIMPLE # enables HTTPS on this port -// serverCertificate: /etc/certs/servercert.pem -// privateKey: /etc/certs/privatekey.pem -// - port: -// number: 9443 -// name: https-9443 -// protocol: HTTPS -// hosts: -// - "bookinfo-namespace/*.bookinfo.com" -// tls: -// mode: SIMPLE # enables HTTPS on this port -// credentialName: bookinfo-secret # fetches certs from Kubernetes secret -// - port: -// number: 9080 -// name: http-wildcard -// protocol: HTTP -// hosts: -// - "*" -// - port: -// number: 2379 # to expose internal service via external port 2379 -// name: mongo -// protocol: MONGO -// hosts: -// - "*" -// ``` -// -// The Gateway specification above describes the L4-L6 properties of a load -// balancer. A `VirtualService` can then be bound to a gateway to control -// the forwarding of traffic arriving at a particular host or gateway port. -// -// For example, the following VirtualService splits traffic for -// `https://uk.bookinfo.com/reviews`, `https://eu.bookinfo.com/reviews`, -// `http://uk.bookinfo.com:9080/reviews`, -// `http://eu.bookinfo.com:9080/reviews` into two versions (prod and qa) of -// an internal reviews service on port 9080. In addition, requests -// containing the cookie "user: dev-123" will be sent to special port 7777 -// in the qa version. The same rule is also applicable inside the mesh for -// requests to the "reviews.prod.svc.cluster.local" service. This rule is -// applicable across ports 443, 9080. Note that `http://uk.bookinfo.com` -// gets redirected to `https://uk.bookinfo.com` (i.e. 80 redirects to 443). -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: bookinfo-rule -// namespace: bookinfo-namespace -// spec: -// hosts: -// - reviews.prod.svc.cluster.local -// - uk.bookinfo.com -// - eu.bookinfo.com -// gateways: -// - some-config-namespace/my-gateway -// - mesh # applies to all the sidecars in the mesh -// http: -// - match: -// - headers: -// cookie: -// exact: "user=dev-123" -// route: -// - destination: -// port: -// number: 7777 -// host: reviews.qa.svc.cluster.local -// - match: -// - uri: -// prefix: /reviews/ -// route: -// - destination: -// port: -// number: 9080 # can be omitted if it's the only port for reviews -// host: reviews.prod.svc.cluster.local -// weight: 80 -// - destination: -// host: reviews.qa.svc.cluster.local -// weight: 20 -// ``` -// -// The following VirtualService forwards traffic arriving at (external) -// port 27017 to internal Mongo server on port 5555. This rule is not -// applicable internally in the mesh as the gateway list omits the -// reserved name `mesh`. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: bookinfo-Mongo -// namespace: bookinfo-namespace -// spec: -// hosts: -// - mongosvr.prod.svc.cluster.local # name of internal Mongo service -// gateways: -// - some-config-namespace/my-gateway # can omit the namespace if gateway is in same -// namespace as virtual service. -// tcp: -// - match: -// - port: 27017 -// route: -// - destination: -// host: mongo.prod.svc.cluster.local -// port: -// number: 5555 -// ``` -// -// It is possible to restrict the set of virtual services that can bind to -// a gateway server using the namespace/hostname syntax in the hosts field. -// For example, the following Gateway allows any virtual service in the ns1 -// namespace to bind to it, while restricting only the virtual service with -// foo.bar.com host in the ns2 namespace to bind to it. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: Gateway -// metadata: -// name: my-gateway -// namespace: some-config-namespace -// spec: -// selector: -// app: my-gateway-controller -// servers: -// - port: -// number: 80 -// name: http -// protocol: HTTP -// hosts: -// - "ns1/*" -// - "ns2/foo.bar.com" -// ``` -// -type Gateway struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - Spec GatewaySpec `json:"spec"` -} - -type GatewaySpec struct { - // REQUIRED: A list of server specifications. - Servers []Server `json:"servers"` - - // REQUIRED: One or more labels that indicate a specific set of pods/VMs - // on which this gateway configuration should be applied. The scope of - // label search is restricted to the configuration namespace in which the - // the resource is present. In other words, the Gateway resource must - // reside in the same namespace as the gateway workload instance. - Selector map[string]string `json:"selector,omitempty"` -} - -// `Server` describes the properties of the proxy on a given load balancer -// port. For example, -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: Gateway -// metadata: -// name: my-ingress -// spec: -// selector: -// app: my-ingress-gateway -// servers: -// - port: -// number: 80 -// name: http2 -// protocol: HTTP2 -// hosts: -// - "*" -// ``` -// -// Another example -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: Gateway -// metadata: -// name: my-tcp-ingress -// spec: -// selector: -// app: my-tcp-ingress-gateway -// servers: -// - port: -// number: 27018 -// name: mongo -// protocol: MONGO -// hosts: -// - "*" -// ``` -// -// The following is an example of TLS configuration for port 443 -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: Gateway -// metadata: -// name: my-tls-ingress -// spec: -// selector: -// app: my-tls-ingress-gateway -// servers: -// - port: -// number: 443 -// name: https -// protocol: HTTPS -// hosts: -// - "*" -// tls: -// mode: SIMPLE -// serverCertificate: /etc/certs/server.pem -// privateKey: /etc/certs/privatekey.pem -// ``` -type Server struct { - // REQUIRED: The Port on which the proxy should listen for incoming - // connections. - Port *Port `json:"port"` - - // REQUIRED. One or more hosts exposed by this gateway. - // While typically applicable to - // HTTP services, it can also be used for TCP services using TLS with SNI. - // A host is specified as a `dnsName` with an optional `namespace/` prefix. - // The `dnsName` should be specified using FQDN format, optionally including - // a wildcard character in the left-most component (e.g., `prod/*.example.com`). - // Set the `dnsName` to `*` to select all `VirtualService` hosts from the - // specified namespace (e.g.,`prod/*`). - // - // The `namespace` can be set to `*` or `.`, representing any or the current - // namespace, respectively. For example, `*/foo.example.com` selects the - // service from any available namespace while `./foo.example.com` only selects - // the service from the namespace of the sidecar. The default, if no `namespace/` - // is specified, is `*/`, that is, select services from any namespace. - // Any associated `DestinationRule` in the selected namespace will also be used. - // - // A `VirtualService` must be bound to the gateway and must have one or - // more hosts that match the hosts specified in a server. The match - // could be an exact match or a suffix match with the server's hosts. For - // example, if the server's hosts specifies `*.example.com`, a - // `VirtualService` with hosts `dev.example.com` or `prod.example.com` will - // match. However, a `VirtualService` with host `example.com` or - // `newexample.com` will not match. - // - // NOTE: Only virtual services exported to the gateway's namespace - // (e.g., `exportTo` value of `*`) can be referenced. - // Private configurations (e.g., `exportTo` set to `.`) will not be - // available. Refer to the `exportTo` setting in `VirtualService`, - // `DestinationRule`, and `ServiceEntry` configurations for details. - Hosts []string `json:"hosts,omitempty"` - - // Set of TLS related options that govern the server's behavior. Use - // these options to control if all http requests should be redirected to - // https, and the TLS modes to use. - TLS *TLSOptions `json:"tls,omitempty"` - - // The loopback IP endpoint or Unix domain socket to which traffic should - // be forwarded to by default. Format should be `127.0.0.1:PORT` or - // `unix:///path/to/socket` or `unix://@foobar` (Linux abstract namespace). - DefaultEndpoint *string `json:"defaultEndpoint,omitempty"` -} - -type TLSOptions struct { - // If set to true, the load balancer will send a 301 redirect for all - // http connections, asking the clients to use HTTPS. - HTTPSRedirect *bool `json:"httpsRedirect,omitempty"` - - // Optional: Indicates whether connections to this port should be - // secured using TLS. The value of this field determines how TLS is - // enforced. - Mode TLSMode `json:"mode,omitempty"` - - // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - // holding the server-side TLS certificate to use. - ServerCertificate *string `json:"serverCertificate,omitempty"` - - // REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file - // holding the server's private key. - PrivateKey *string `json:"privateKey,omitempty"` - - // REQUIRED if mode is `MUTUAL`. The path to a file containing - // certificate authority certificates to use in verifying a presented - // client side certificate. - CaCertificates *string `json:"caCertificates,omitempty"` - - // The credentialName stands for a unique identifier that can be used - // to identify the serverCertificate and the privateKey. The - // credentialName appended with suffix "-cacert" is used to identify - // the CaCertificates associated with this server. Gateway workloads - // capable of fetching credentials from a remote credential store such - // as Kubernetes secrets, will be configured to retrieve the - // serverCertificate and the privateKey using credentialName, instead - // of using the file system paths specified above. If using mutual TLS, - // gateway workload instances will retrieve the CaCertificates using - // credentialName-cacert. The semantics of the name are platform - // dependent. In Kubernetes, the default Istio supplied credential - // server expects the credentialName to match the name of the - // Kubernetes secret that holds the server certificate, the private - // key, and the CA certificate (if using mutual TLS). Set the - // `ISTIO_META_USER_SDS` metadata variable in the gateway's proxy to - // enable the dynamic credential fetching feature. - CredentialName *string `json:"credentialName,omitempty"` - - // A list of alternate names to verify the subject identity in the - // certificate presented by the client. - SubjectAltNames []string `json:"subjectAltNames,omitempty"` - - // An optional list of base64-encoded SHA-256 hashes of the SKPIs of - // authorized client certificates. - // Note: When both verify_certificate_hash and verify_certificate_spki - // are specified, a hash matching either value will result in the - // certificate being accepted. - VerifyCertificateSpki []string `json:"verifyCertificateSpki,omitempty"` - - // An optional list of hex-encoded SHA-256 hashes of the - // authorized client certificates. Both simple and colon separated - // formats are acceptable. - // Note: When both verify_certificate_hash and verify_certificate_spki - // are specified, a hash matching either value will result in the - // certificate being accepted. - VerifyCertificateHash []string `json:"verifyCertificateHash,omitempty"` - - // Optional: Minimum TLS protocol version. - MinProtocolVersion *TLSProtocol `json:"minProtocolVersion,omitempty"` - - // Optional: Maximum TLS protocol version. - MaxProtocolVersion *TLSProtocol `json:"maxProtocolVersion,omitempty"` - - // Optional: If specified, only support the specified cipher list. - // Otherwise default to the default cipher list supported by Envoy. - CipherSuites []string `json:"cipherSuites,omitempty"` -} - -// TLS protocol versions. -type TLSProtocol string - -const ( - // Automatically choose the optimal TLS version. - TLSProtocolAuto TLSProtocol = "TLS_AUTO" - - // TLS version 1.0 - TLSProtocolV10 TLSProtocol = "TLSV1_0" - - // TLS version 1.1 - TLSProtocolV11 TLSProtocol = "TLSV1_1" - - // TLS version 1.2 - TLSProtocolV12 TLSProtocol = "TLSV1_2" - - // TLS version 1.3 - TLSProtocolV13 TLSProtocol = "TLSV1_3" -) - -// TLS modes enforced by the proxy -type TLSMode string - -const ( - // The SNI string presented by the client will be used as the match - // criterion in a VirtualService TLS route to determine the - // destination service from the service registry. - TLSModePassThrough TLSMode = "PASSTHROUGH" - - // Secure connections with standard TLS semantics. - TLSModeSimple TLSMode = "SIMPLE" - - // Secure connections to the downstream using mutual TLS by presenting - // server certificates for authentication. - TLSModeMutual TLSMode = "MUTUAL" - - // Similar to the passthrough mode, except servers with this TLS mode - // do not require an associated VirtualService to map from the SNI - // value to service in the registry. The destination details such as - // the service/subset/port are encoded in the SNI value. The proxy - // will forward to the upstream (Envoy) cluster (a group of - // endpoints) specified by the SNI value. This server is typically - // used to provide connectivity between services in disparate L3 - // networks that otherwise do not have direct connectivity between - // their respective endpoints. Use of this mode assumes that both the - // source and the destination are using Istio mTLS to secure traffic. - TLSModeMutualAutoPassThrough TLSMode = "AUTO_PASSTHROUGH" - - // Secure connections from the downstream using mutual TLS by presenting - // server certificates for authentication. - // Compared to Mutual mode, this mode uses certificates, representing - // gateway workload identity, generated automatically by Istio for - // mTLS authentication. When this mode is used, all other fields in - // `TLSOptions` should be empty. - TLSModeIstioMutual TLSMode = "ISTIO_MUTUAL" -) - -// Port describes the properties of a specific port of a service. -type Port struct { - // REQUIRED: A valid non-negative integer port number. - Number int `json:"number"` - - // REQUIRED: The protocol exposed on the port. - // MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. - // TLS implies the connection will be routed based on the SNI header to - // the destination without terminating the TLS connection. - Protocol PortProtocol `json:"protocol"` - - // Label assigned to the port. - Name string `json:"name,omitempty"` -} - -type PortProtocol string - -const ( - ProtocolHTTP PortProtocol = "HTTP" - ProtocolHTTPS PortProtocol = "HTTPS" - ProtocolGRPC PortProtocol = "GRPC" - ProtocolGRPCWeb PortProtocol = "GRPC-Web" - ProtocolHTTP2 PortProtocol = "HTTP2" - ProtocolMongo PortProtocol = "Mongo" - ProtocolTCP PortProtocol = "TCP" - ProtocolTLS PortProtocol = "TLS" -) - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// GatewayList is a list of Gateway resources -type GatewayList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata"` - - Items []Gateway `json:"items"` -} diff --git a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/register.go b/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/register.go deleted file mode 100644 index 05d7dff35..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/register.go +++ /dev/null @@ -1,61 +0,0 @@ -// Copyright © 2019 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package v1beta1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/runtime" - "k8s.io/apimachinery/pkg/runtime/schema" - - "github.com/banzaicloud/istio-client-go/pkg/networking" -) - -// SchemeGroupVersion is group version used to register these objects -var SchemeGroupVersion = schema.GroupVersion{Group: networking.GroupName, Version: "v1beta1"} - -// Kind takes an unqualified kind and returns back a Group qualified GroupKind -func Kind(kind string) schema.GroupKind { - return SchemeGroupVersion.WithKind(kind).GroupKind() -} - -// Resource takes an unqualified resource and returns a Group qualified GroupResource -func Resource(resource string) schema.GroupResource { - return SchemeGroupVersion.WithResource(resource).GroupResource() -} - -var ( - SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) - AddToScheme = SchemeBuilder.AddToScheme -) - -// Adds the list of known types to Scheme. -func addKnownTypes(scheme *runtime.Scheme) error { - scheme.AddKnownTypes(SchemeGroupVersion, - &DestinationRule{}, - &DestinationRuleList{}, - &Gateway{}, - &GatewayList{}, - &ServiceEntry{}, - &ServiceEntryList{}, - &Sidecar{}, - &SidecarList{}, - &VirtualService{}, - &VirtualServiceList{}, - &WorkloadEntry{}, - &WorkloadEntryList{}, - ) - metav1.AddToGroupVersion(scheme, SchemeGroupVersion) - return nil -} diff --git a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/serviceentry_types.go b/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/serviceentry_types.go deleted file mode 100644 index 77bf0aebd..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/serviceentry_types.go +++ /dev/null @@ -1,529 +0,0 @@ -// Copyright © 2019 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package v1beta1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -// Location specifies whether the service is part of Istio mesh or -// outside the mesh. Location determines the behavior of several -// features, such as service-to-service mTLS authentication, policy -// enforcement, etc. When communicating with services outside the mesh, -// Istio's mTLS authentication is disabled, and policy enforcement is -// performed on the client-side as opposed to server-side. -type ServiceEntryLocation string - -const ( - // Signifies that the service is external to the mesh. Typically used - // to indicate external services consumed through APIs. - MeshExternal ServiceEntryLocation = "MESH_EXTERNAL" - - // Signifies that the service is part of the mesh. Typically used to - // indicate services added explicitly as part of expanding the service - // mesh to include unmanaged infrastructure (e.g., VMs added to a - // Kubernetes based service mesh). - MeshInternal ServiceEntryLocation = "MESH_INTERNAL" -) - -// Resolution determines how the proxy will resolve the IP addresses of -// the network endpoints associated with the service, so that it can -// route to one of them. The resolution mode specified here has no impact -// on how the application resolves the IP address associated with the -// service. The application may still have to use DNS to resolve the -// service to an IP so that the outbound traffic can be captured by the -// Proxy. Alternatively, for HTTP services, the application could -// directly communicate with the proxy (e.g., by setting HTTP_PROXY) to -// talk to these services. -type ServiceEntryResolution string - -const ( - // Assume that incoming connections have already been resolved (to a - // specific destination IP address). Such connections are typically - // routed via the proxy using mechanisms such as IP table REDIRECT/ - // eBPF. After performing any routing related transformations, the - // proxy will forward the connection to the IP address to which the - // connection was bound. - NONE ServiceEntryResolution = "NONE" - - // Use the static IP addresses specified in endpoints (see below) as the - // backing instances associated with the service. - STATIC ServiceEntryResolution = "STATIC" - - // Attempt to resolve the IP address by querying the ambient DNS, - // during request processing. If no endpoints are specified, the proxy - // will resolve the DNS address specified in the hosts field, if - // wildcards are not used. If endpoints are specified, the DNS - // addresses specified in the endpoints will be resolved to determine - // the destination IP address. DNS resolution cannot be used with Unix - // domain socket endpoints. - DNS ServiceEntryResolution = "DNS" -) - -// +genclient -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// `ServiceEntry` enables adding additional entries into Istio's internal -// service registry, so that auto-discovered services in the mesh can -// access/route to these manually specified services. A service entry -// describes the properties of a service (DNS name, VIPs, ports, protocols, -// endpoints). These services could be external to the mesh (e.g., web -// APIs) or mesh-internal services that are not part of the platform's -// service registry (e.g., a set of VMs talking to services in Kubernetes). -// -// The following example declares a few external APIs accessed by internal -// applications over HTTPS. The sidecar inspects the SNI value in the -// ClientHello message to route to the appropriate external service. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: ServiceEntry -// metadata: -// name: external-svc-https -// spec: -// hosts: -// - api.dropboxapi.com -// - www.googleapis.com -// - api.facebook.com -// location: MESH_EXTERNAL -// ports: -// - number: 443 -// name: https -// protocol: TLS -// resolution: DNS -// ``` -// -// The following configuration adds a set of MongoDB instances running on -// unmanaged VMs to Istio's registry, so that these services can be treated -// as any other service in the mesh. The associated DestinationRule is used -// to initiate mTLS connections to the database instances. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: ServiceEntry -// metadata: -// name: external-svc-mongocluster -// spec: -// hosts: -// - mymongodb.somedomain # not used -// addresses: -// - 192.192.192.192/24 # VIPs -// ports: -// - number: 27018 -// name: mongodb -// protocol: MONGO -// location: MESH_INTERNAL -// resolution: STATIC -// endpoints: -// - address: 2.2.2.2 -// - address: 3.3.3.3 -// ``` -// -// and the associated DestinationRule -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: mtls-mongocluster -// spec: -// host: mymongodb.somedomain -// trafficPolicy: -// tls: -// mode: MUTUAL -// clientCertificate: /etc/certs/myclientcert.pem -// privateKey: /etc/certs/client_private_key.pem -// caCertificates: /etc/certs/rootcacerts.pem -// ``` -// -// The following example uses a combination of service entry and TLS -// routing in a virtual service to steer traffic based on the SNI value to -// an internal egress firewall. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: ServiceEntry -// metadata: -// name: external-svc-redirect -// spec: -// hosts: -// - wikipedia.org -// - "*.wikipedia.org" -// location: MESH_EXTERNAL -// ports: -// - number: 443 -// name: https -// protocol: TLS -// resolution: NONE -// ``` -// -// And the associated VirtualService to route based on the SNI value. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: tls-routing -// spec: -// hosts: -// - wikipedia.org -// - "*.wikipedia.org" -// tls: -// - match: -// - sniHosts: -// - wikipedia.org -// - "*.wikipedia.org" -// route: -// - destination: -// host: internal-egress-firewall.ns1.svc.cluster.local -// ``` -// -// The virtual service with TLS match serves to override the default SNI -// match. In the absence of a virtual service, traffic will be forwarded to -// the wikipedia domains. -// -// The following example demonstrates the use of a dedicated egress gateway -// through which all external service traffic is forwarded. -// The 'exportTo' field allows for control over the visibility of a service -// declaration to other namespaces in the mesh. By default, a service is exported -// to all namespaces. The following example restricts the visibility to the -// current namespace, represented by ".", so that it cannot be used by other -// namespaces. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: ServiceEntry -// metadata: -// name: external-svc-httpbin -// namespace : egress -// spec: -// hosts: -// - httpbin.com -// exportTo: -// - "." -// location: MESH_EXTERNAL -// ports: -// - number: 80 -// name: http -// protocol: HTTP -// resolution: DNS -// ``` -// -// Define a gateway to handle all egress traffic. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: Gateway -// metadata: -// name: istio-egressgateway -// namespace: istio-system -// spec: -// selector: -// istio: egressgateway -// servers: -// - port: -// number: 80 -// name: http -// protocol: HTTP -// hosts: -// - "*" -// ``` -// -// And the associated `VirtualService` to route from the sidecar to the -// gateway service (`istio-egressgateway.istio-system.svc.cluster.local`), as -// well as route from the gateway to the external service. Note that the -// virtual service is exported to all namespaces enabling them to route traffic -// through the gateway to the external service. Forcing traffic to go through -// a managed middle proxy like this is a common practice. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: gateway-routing -// namespace: egress -// spec: -// hosts: -// - httpbin.com -// exportTo: -// - "*" -// gateways: -// - mesh -// - istio-egressgateway -// http: -// - match: -// - port: 80 -// gateways: -// - mesh -// route: -// - destination: -// host: istio-egressgateway.istio-system.svc.cluster.local -// - match: -// - port: 80 -// gateways: -// - istio-egressgateway -// route: -// - destination: -// host: httpbin.com -// ``` -// -// The following example demonstrates the use of wildcards in the hosts for -// external services. If the connection has to be routed to the IP address -// requested by the application (i.e. application resolves DNS and attempts -// to connect to a specific IP), the discovery mode must be set to `NONE`. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: ServiceEntry -// metadata: -// name: external-svc-wildcard-example -// spec: -// hosts: -// - "*.bar.com" -// location: MESH_EXTERNAL -// ports: -// - number: 80 -// name: http -// protocol: HTTP -// resolution: NONE -// ``` -// -// The following example demonstrates a service that is available via a -// Unix Domain Socket on the host of the client. The resolution must be -// set to STATIC to use Unix address endpoints. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: ServiceEntry -// metadata: -// name: unix-domain-socket-example -// spec: -// hosts: -// - "example.unix.local" -// location: MESH_EXTERNAL -// ports: -// - number: 80 -// name: http -// protocol: HTTP -// resolution: STATIC -// endpoints: -// - address: unix:///var/run/example/socket -// ``` -// -// For HTTP-based services, it is possible to create a `VirtualService` -// backed by multiple DNS addressable endpoints. In such a scenario, the -// application can use the `HTTP_PROXY` environment variable to transparently -// reroute API calls for the `VirtualService` to a chosen backend. For -// example, the following configuration creates a non-existent external -// service called foo.bar.com backed by three domains: us.foo.bar.com:8080, -// uk.foo.bar.com:9080, and in.foo.bar.com:7080 -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: ServiceEntry -// metadata: -// name: external-svc-dns -// spec: -// hosts: -// - foo.bar.com -// location: MESH_EXTERNAL -// ports: -// - number: 80 -// name: http -// protocol: HTTP -// resolution: DNS -// endpoints: -// - address: us.foo.bar.com -// ports: -// https: 8080 -// - address: uk.foo.bar.com -// ports: -// https: 9080 -// - address: in.foo.bar.com -// ports: -// https: 7080 -// ``` -// -// With `HTTP_PROXY=http://localhost/`, calls from the application to -// `http://foo.bar.com` will be load balanced across the three domains -// specified above. In other words, a call to `http://foo.bar.com/baz` would -// be translated to `http://uk.foo.bar.com/baz`. -// -// The following example illustrates the usage of a `ServiceEntry` -// containing a subject alternate name -// whose format conforms to the [SPIFFE standard](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md): -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: ServiceEntry -// metadata: -// name: httpbin -// namespace : httpbin-ns -// spec: -// hosts: -// - httpbin.com -// location: MESH_INTERNAL -// ports: -// - number: 80 -// name: http -// protocol: HTTP -// resolution: STATIC -// endpoints: -// - address: 2.2.2.2 -// - address: 3.3.3.3 -// subjectAltNames: -// - "spiffe://cluster.local/ns/httpbin-ns/sa/httpbin-service-account" -// ``` -type ServiceEntry struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - Spec ServiceEntrySpec `json:"spec"` -} - -type ServiceEntrySpec struct { - // REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS - // name with wildcard prefix. - // - // 1. The hosts field is used to select matching hosts in VirtualServices and DestinationRules. - // 2. For HTTP traffic the HTTP Host/Authority header will be matched against the hosts field. - // 3. For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value - // will be matched against the hosts field. - // - // Note that when resolution is set to type DNS - // and no endpoints are specified, the host field will be used as the DNS name - // of the endpoint to route traffic to. - Hosts []string `json:"hosts,omitempty"` - - // The virtual IP addresses associated with the service. Could be CIDR - // prefix. For HTTP traffic, generated route configurations will include http route - // domains for both the `addresses` and `hosts` field values and the destination will - // be identified based on the HTTP Host/Authority header. - // If one or more IP addresses are specified, - // the incoming traffic will be identified as belonging to this service - // if the destination IP matches the IP/CIDRs specified in the addresses - // field. If the Addresses field is empty, traffic will be identified - // solely based on the destination port. In such scenarios, the port on - // which the service is being accessed must not be shared by any other - // service in the mesh. In other words, the sidecar will behave as a - // simple TCP proxy, forwarding incoming traffic on a specified port to - // the specified destination endpoint IP/host. Unix domain socket - // addresses are not supported in this field. - Addresses []string `json:"addresses,omitempty"` - - // REQUIRED. The ports associated with the external service. If the - // Endpoints are Unix domain socket addresses, there must be exactly one - // port. - Ports []*Port `json:"ports,omitempty"` - - // Specify whether the service should be considered external to the mesh - // or part of the mesh. - Location *ServiceEntryLocation `json:"location,omitempty"` - - // REQUIRED: Service discovery mode for the hosts. Care must be taken - // when setting the resolution mode to NONE for a TCP port without - // accompanying IP addresses. In such cases, traffic to any IP on - // said port will be allowed (i.e. 0.0.0.0:). - Resolution *ServiceEntryResolution `json:"resolution,omitempty"` - - // One or more endpoints associated with the service. - Endpoints []*ServiceEntryEndpoint `json:"endpoints,omitempty"` - - // A list of namespaces to which this service is exported. Exporting a service - // allows it to be used by sidecars, gateways and virtual services defined in - // other namespaces. This feature provides a mechanism for service owners - // and mesh administrators to control the visibility of services across - // namespace boundaries. - // - // If no namespaces are specified then the service is exported to all - // namespaces by default. - // - // The value "." is reserved and defines an export to the same namespace that - // the service is declared in. Similarly the value "*" is reserved and - // defines an export to all namespaces. - // - // For a Kubernetes Service, the equivalent effect can be achieved by setting - // the annotation "networking.istio.io/exportTo" to a comma-separated list - // of namespace names. - // - // NOTE: in the current release, the `exportTo` value is restricted to - // "." or "*" (i.e., the current namespace or all namespaces). - ExportTo []string `json:"exportTo,omitempty"` - - // The list of subject alternate names allowed for workload instances that - // implement this service. This information is used to enforce - // [secure-naming](https://istio.io/docs/concepts/security/#secure-naming). - // If specified, the proxy will verify that the server - // certificate's subject alternate name matches one of the specified values. - SubjectAltNames []string `json:"subjectAltNames,omitempty"` -} - -// Endpoint defines a network address (IP or hostname) associated with -// the mesh service. -type ServiceEntryEndpoint struct { - // REQUIRED: Address associated with the network endpoint without the - // port. Domain names can be used if and only if the resolution is set - // to DNS, and must be fully-qualified without wildcards. Use the form - // unix:///absolute/path/to/socket for Unix domain socket endpoints. - Address *string `json:"address,omitempty"` - - // Set of ports associated with the endpoint. The ports must be - // associated with a port name that was declared as part of the - // service. Do not use for `unix://` addresses. - Ports map[string]uint32 `json:"ports,omitempty"` - - // One or more labels associated with the endpoint. - Labels map[string]string `json:"labels,omitempty"` - - // Network enables Istio to group endpoints resident in the same L3 - // domain/network. All endpoints in the same network are assumed to be - // directly reachable from one another. When endpoints in different - // networks cannot reach each other directly, an Istio Gateway can be - // used to establish connectivity (usually using the - // AUTO_PASSTHROUGH mode in a Gateway Server). This is - // an advanced configuration used typically for spanning an Istio mesh - // over multiple clusters. - Network *string `json:"network,omitempty"` - - // The locality associated with the endpoint. A locality corresponds - // to a failure domain (e.g., country/region/zone). Arbitrary failure - // domain hierarchies can be represented by separating each - // encapsulating failure domain by /. For example, the locality of an - // an endpoint in US, in US-East-1 region, within availability zone - // az-1, in data center rack r11 can be represented as - // us/us-east-1/az-1/r11. Istio will configure the sidecar to route to - // endpoints within the same locality as the sidecar. If none of the - // endpoints in the locality are available, endpoints parent locality - // (but within the same network ID) will be chosen. For example, if - // there are two endpoints in same network (networkID "n1"), say e1 - // with locality us/us-east-1/az-1/r11 and e2 with locality - // us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality - // will prefer e1 from the same locality over e2 from a different - // locality. Endpoint e2 could be the IP associated with a gateway - // (that bridges networks n1 and n2), or the IP associated with a - // standard service endpoint. - Locality *string `json:"locality,omitempty"` - - // The load balancing weight associated with the endpoint. Endpoints - // with higher weights will receive proportionally higher traffic. - Weight *uint32 `json:"weight,omitempty"` -} - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// ServiceEntryList is a list of ServiceEntry resources -type ServiceEntryList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata"` - Items []ServiceEntry `json:"items"` -} diff --git a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/sidecar_types.go b/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/sidecar_types.go deleted file mode 100644 index 8309178f7..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/sidecar_types.go +++ /dev/null @@ -1,410 +0,0 @@ -// Copyright © 2019 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package v1beta1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -// +genclient -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// Sidecar describes the configuration of the sidecar proxy that mediates -// inbound and outbound communication to the workload instance it is attached to. By -// default, Istio will program all sidecar proxies in the mesh with the -// necessary configuration required to reach every workload instance in the mesh, as -// well as accept traffic on all the ports associated with the -// workload. The `SidecarSpec` configuration provides a way to fine tune the set of -// ports, protocols that the proxy will accept when forwarding traffic to -// and from the workload. In addition, it is possible to restrict the set -// of services that the proxy can reach when forwarding outbound traffic -// from workload instances. -// -// Services and configuration in a mesh are organized into one or more -// namespaces (e.g., a Kubernetes namespace or a CF org/space). A `SidecarSpec` -// configuration in a namespace will apply to one or more workload instances in the same -// namespace, selected using the `workloadSelector` field. In the absence of a -// `workloadSelector`, it will apply to all workload instances in the same -// namespace. When determining the `SidecarSpec` configuration to be applied to a -// workload instance, preference will be given to the resource with a -// `workloadSelector` that selects this workload instance, over a `SidecarSpec` configuration -// without any `workloadSelector`. -// -// NOTE 1: *_Each namespace can have only one `SidecarSpec` configuration without any -// `workloadSelector`_*. The behavior of the system is undefined if more -// than one selector-less `SidecarSpec` configurations exist in a given namespace. The -// behavior of the system is undefined if two or more `SidecarSpec` configurations -// with a `workloadSelector` select the same workload instance. -// -// NOTE 2: *_A `SidecarSpec` configuration in the `MeshConfig` -// [root namespace](https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig) -// will be applied by default to all namespaces without a `SidecarSpec` -// configuration_*. This global default `SidecarSpec` configuration should not have -// any `workloadSelector`. -// -// The example below declares a global default `SidecarSpec` configuration in the -// root namespace called `istio-config`, that configures sidecars in -// all namespaces to allow egress traffic only to other workloads in -// the same namespace, and to services in the `istio-system` namespace. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: SidecarSpec -// metadata: -// name: default -// namespace: istio-config -// spec: -// egress: -// - hosts: -// - "./*" -// - "istio-system/*" -//``` -// -// The example below declares a `SidecarSpec` configuration in the `prod-us1` -// namespace that overrides the global default defined above, and -// configures the sidecars in the namespace to allow egress traffic to -// public services in the `prod-us1`, `prod-apis`, and the `istio-system` -// namespaces. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: SidecarSpec -// metadata: -// name: default -// namespace: prod-us1 -// spec: -// egress: -// - hosts: -// - "prod-us1/*" -// - "prod-apis/*" -// - "istio-system/*" -// ``` -// -// The example below declares a `SidecarSpec` configuration in the `prod-us1` namespace -// that accepts inbound HTTP traffic on port 9080 and forwards -// it to the attached workload instance listening on a Unix domain socket. In the -// egress direction, in addition to the `istio-system` namespace, the sidecar -// proxies only HTTP traffic bound for port 9080 for services in the -// `prod-us1` namespace. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: SidecarSpec -// metadata: -// name: default -// namespace: prod-us1 -// spec: -// ingress: -// - port: -// number: 9080 -// protocol: HTTP -// name: somename -// defaultEndpoint: unix:///var/run/someuds.sock -// egress: -// - port: -// number: 9080 -// protocol: HTTP -// name: egresshttp -// hosts: -// - "prod-us1/*" -// - hosts: -// - "istio-system/*" -// ``` -// -// If the workload is deployed without IPTables-based traffic capture, the -// `SidecarSpec` configuration is the only way to configure the ports on the proxy -// attached to the workload instance. The following example declares a `SidecarSpec` -// configuration in the `prod-us1` namespace for all pods with labels -// `app: productpage` belonging to the `productpage.prod-us1` service. Assuming -// that these pods are deployed without IPtable rules (i.e. the `istio-init` -// container) and the proxy metadata `ISTIO_META_INTERCEPTION_MODE` is set to -// `NONE`, the specification, below, allows such pods to receive HTTP traffic -// on port 9080 and forward it to the application listening on -// `127.0.0.1:8080`. It also allows the application to communicate with a -// backing MySQL database on `127.0.0.1:3306`, that then gets proxied to the -// externally hosted MySQL service at `mysql.foo.com:3306`. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: SidecarSpec -// metadata: -// name: no-ip-tables -// namespace: prod-us1 -// spec: -// workloadSelector: -// labels: -// app: productpage -// ingress: -// - port: -// number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance) -// protocol: HTTP -// name: somename -// defaultEndpoint: 127.0.0.1:8080 -// captureMode: NONE # not needed if metadata is set for entire proxy -// egress: -// - port: -// number: 3306 -// protocol: MYSQL -// name: egressmysql -// captureMode: NONE # not needed if metadata is set for entire proxy -// bind: 127.0.0.1 -// hosts: -// - "*/mysql.foo.com" -// ``` -// -// And the associated service entry for routing to `mysql.foo.com:3306` -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: ServiceEntry -// metadata: -// name: external-svc-mysql -// namespace: ns1 -// spec: -// hosts: -// - mysql.foo.com -// ports: -// - number: 3306 -// name: mysql -// protocol: MYSQL -// location: MESH_EXTERNAL -// resolution: DNS -// ``` -// -// It is also possible to mix and match traffic capture modes in a single -// proxy. For example, consider a setup where internal services are on the -// `192.168.0.0/16` subnet. So, IP tables are setup on the VM to capture all -// outbound traffic on `192.168.0.0/16` subnet. Assume that the VM has an -// additional network interface on `172.16.0.0/16` subnet for inbound -// traffic. The following `SidecarSpec` configuration allows the VM to expose a -// listener on `172.16.1.32:80` (the VM's IP) for traffic arriving from the -// `172.16.0.0/16` subnet. Note that in this scenario, the -// `ISTIO_META_INTERCEPTION_MODE` metadata on the proxy in the VM should -// contain `REDIRECT` or `TPROXY` as its value, implying that IP tables -// based traffic capture is active. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: SidecarSpec -// metadata: -// name: partial-ip-tables -// namespace: prod-us1 -// spec: -// workloadSelector: -// labels: -// app: productpage -// ingress: -// - bind: 172.16.1.32 -// port: -// number: 80 # binds to 172.16.1.32:80 -// protocol: HTTP -// name: somename -// defaultEndpoint: 127.0.0.1:8080 -// captureMode: NONE -// egress: -// # use the system detected defaults -// # sets up configuration to handle outbound traffic to services -// # in 192.168.0.0/16 subnet, based on information provided by the -// # service registry -// - captureMode: IPTABLES -// hosts: -// - "*/*" -// ``` -type Sidecar struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - Spec SidecarSpec `json:"spec"` -} - -// SidecarSpec describes the configuration of the sidecar proxy that mediates -// inbound and outbound communication of the workload instance to which it is -// attached. -type SidecarSpec struct { - // Criteria used to select the specific set of pods/VMs on which this - // `SidecarSpec` configuration should be applied. If omitted, the `SidecarSpec` - // configuration will be applied to all workload instances in the same namespace. - WorkloadSelector *WorkloadSelector `json:"workloadSelector,omitempty"` - // Ingress specifies the configuration of the sidecar for processing - // inbound traffic to the attached workload instance. If omitted, Istio will - // automatically configure the sidecar based on the information about the workload - // obtained from the orchestration platform (e.g., exposed ports, services, - // etc.). If specified, inbound ports are configured if and only if the - // workload instance is associated with a service. - Ingress []*IstioIngressListener `json:"ingress,omitempty"` - // Egress specifies the configuration of the sidecar for processing - // outbound traffic from the attached workload instance to other services in the - // mesh. - Egress []*IstioEgressListener `json:"egress"` - // This allows to configure the outbound traffic policy. - // If your application uses one or more external - // services that are not known apriori, setting the policy to `ALLOW_ANY` - // will cause the sidecars to route any unknown traffic originating from - // the application to its requested destination. - OutboundTrafficPolicy *OutboundTrafficPolicy `json:"outboundTrafficPolicy,omitempty"` -} - -// `OutboundTrafficPolicy` sets the default behavior of the sidecar for -// handling outbound traffic from the application. -// If your application uses one or more external -// services that are not known apriori, setting the policy to `ALLOW_ANY` -// will cause the sidecars to route any unknown traffic originating from -// the application to its requested destination. Users are strongly -// encouraged to use `ServiceEntry` configurations to explicitly declare any external -// dependencies, instead of using `ALLOW_ANY`, so that traffic to these -// services can be monitored. -type OutboundTrafficPolicy struct { - Mode *OutboundTrafficPolicyMode `json:"mode,omitempty"` -} - -type OutboundTrafficPolicyMode string - -const ( - // Outbound traffic will be restricted to services defined in the - // service registry as well as those defined through `ServiceEntry` configurations. - OutboundTrafficPolicyRegistryOnly OutboundTrafficPolicyMode = "REGISTRY_ONLY" - // Outbound traffic to unknown destinations will be allowed, in case - // there are no services or `ServiceEntry` configurations for the destination port. - OutboundTrafficPolicyAllowAny OutboundTrafficPolicyMode = "ALLOW_ANY" -) - -// IstioIngressListener specifies the properties of an inbound -// traffic listener on the sidecar proxy attached to a workload instance. -type IstioIngressListener struct { - // The port associated with the listener. - Port *Port `json:"port"` - // The IP to which the listener should be bound. Must be in the - // format `x.x.x.x`. Unix domain socket addresses are not allowed in - // the bind field for ingress listeners. If omitted, Istio will - // automatically configure the defaults based on imported services - // and the workload instances to which this configuration is applied - // to. - Bind string `json:"bind,omitempty"` - // The captureMode option dictates how traffic to the listener is - // expected to be captured (or not). - CaptureMode CaptureMode `json:"captureMode,omitempty"` - // The loopback IP endpoint or Unix domain socket to which - // traffic should be forwarded to. This configuration can be used to - // redirect traffic arriving at the bind `IP:Port` on the sidecar to a `localhost:port` - // or Unix domain socket where the application workload instance is listening for - // connections. Format should be `127.0.0.1:PORT` or `unix:///path/to/socket` - DefaultEndpoint string `json:"defaultEndpoint"` -} - -// IstioEgressListener specifies the properties of an outbound traffic -// listener on the sidecar proxy attached to a workload instance. -type IstioEgressListener struct { - // The port associated with the listener. If using Unix domain socket, - // use 0 as the port number, with a valid protocol. The port if - // specified, will be used as the default destination port associated - // with the imported hosts. If the port is omitted, Istio will infer the - // listener ports based on the imported hosts. Note that when multiple - // egress listeners are specified, where one or more listeners have - // specific ports while others have no port, the hosts exposed on a - // listener port will be based on the listener with the most specific - // port. - Port *Port `json:"port,omitempty"` - // The IP or the Unix domain socket to which the listener should be bound - // to. Port MUST be specified if bind is not empty. Format: `x.x.x.x` or - // `unix:///path/to/uds` or `unix://@foobar` (Linux abstract namespace). If - // omitted, Istio will automatically configure the defaults based on imported - // services, the workload instances to which this configuration is applied to and - // the captureMode. If captureMode is `NONE`, bind will default to - // 127.0.0.1. - Bind string `json:"bind,omitempty"` - // When the bind address is an IP, the captureMode option dictates - // how traffic to the listener is expected to be captured (or not). - // captureMode must be DEFAULT or `NONE` for Unix domain socket binds. - CaptureMode CaptureMode `json:"captureMode,omitempty"` - // One or more service hosts exposed by the listener - // in `namespace/dnsName` format. Services in the specified namespace - // matching `dnsName` will be exposed. - // The corresponding service can be a service in the service registry - // (e.g., a Kubernetes or cloud foundry service) or a service specified - // using a `ServiceEntry` or `VirtualService` configuration. Any - // associated `DestinationRule` in the same namespace will also be used. - // - // The `dnsName` should be specified using FQDN format, optionally including - // a wildcard character in the left-most component (e.g., `prod/*.example.com`). - // Set the `dnsName` to `*` to select all services from the specified namespace - // (e.g., `prod/*`). - // - // The `namespace` can be set to `*`, `.`, or `~`, representing any, the current, - // or no namespace, respectively. For example, `*/foo.example.com` selects the - // service from any available namespace while `./foo.example.com` only selects - // the service from the namespace of the sidecar. If a host is set to `*/*`, - // Istio will configure the sidecar to be able to reach every service in the - // mesh that is exported to the sidecar's namespace. The value `~/*` can be used - // to completely trim the configuration for sidecars that simply receive traffic - // and respond, but make no outbound connections of their own. - // - // NOTE: Only services and configuration artifacts exported to the sidecar's - // namespace (e.g., `exportTo` value of `*`) can be referenced. - // Private configurations (e.g., `exportTo` set to `.`) will - // not be available. Refer to the `exportTo` setting in `VirtualService`, - // `DestinationRule`, and `ServiceEntry` configurations for details. - // - // **WARNING:** The list of egress hosts in a `SidecarSpec` must also include - // the Mixer control plane services if they are enabled. Envoy will not - // be able to reach them otherwise. For example, add host - // `istio-system/istio-telemetry.istio-system.svc.cluster.local` if telemetry - // is enabled, `istio-system/istio-policy.istio-system.svc.cluster.local` if - // policy is enabled, or add `istio-system/*` to allow all services in the - // `istio-system` namespace. This requirement is temporary and will be removed - // in a future Istio release. - Hosts []string `json:"hosts"` -} - -// WorkloadSelector specifies the criteria used to determine if the `Gateway`, -// `SidecarSpec`, or `EnvoyFilter` configuration can be applied to a proxy. The matching criteria -// includes the metadata associated with a proxy, workload instance info such as -// labels attached to the pod/VM, or any other info that the proxy provides -// to Istio during the initial handshake. If multiple conditions are -// specified, all conditions need to match in order for the workload instance to be -// selected. Currently, only label based selection mechanism is supported. -type WorkloadSelector struct { - // One or more labels that indicate a specific set of pods/VMs - // on which this `SidecarSpec` configuration should be applied. The scope of - // label search is restricted to the configuration namespace in which the - // the resource is present. - Labels map[string]string `json:"labels"` -} - -// CaptureMode describes how traffic to a listener is expected to be -// captured. Applicable only when the listener is bound to an IP. -type CaptureMode string - -const ( - // The default capture mode defined by the environment. - CaptureModeDefault CaptureMode = "DEFAULT" - // Capture traffic using IPtables redirection. - CaptureModeIPTables CaptureMode = "IPTABLES" - // No traffic capture. When used in an egress listener, the application is - // expected to explicitly communicate with the listener port or Unix - // domain socket. When used in an ingress listener, care needs to be taken - // to ensure that the listener port is not in use by other processes on - // the host. - CaptureModeNone CaptureMode = "NONE" -) - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// SidecarList is a list of Sidecar resources -type SidecarList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata"` - - Items []Sidecar `json:"items"` -} diff --git a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/virtualservice_types.go b/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/virtualservice_types.go deleted file mode 100644 index b0c306bef..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/virtualservice_types.go +++ /dev/null @@ -1,1120 +0,0 @@ -// Copyright © 2019 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package v1beta1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "github.com/banzaicloud/istio-client-go/pkg/common/v1alpha1" -) - -// +genclient -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// Configuration affecting traffic routing. Here are a few terms useful to define -// in the context of traffic routing. -// -// `Service` a unit of application behavior bound to a unique name in a -// service registry. Services consist of multiple network *endpoints* -// implemented by workload instances running on pods, containers, VMs etc. -// -// `Service versions (a.k.a. subsets)` - In a continuous deployment -// scenario, for a given service, there can be distinct subsets of -// instances running different variants of the application binary. These -// variants are not necessarily different API versions. They could be -// iterative changes to the same service, deployed in different -// environments (prod, staging, dev, etc.). Common scenarios where this -// occurs include A/B testing, canary rollouts, etc. The choice of a -// particular version can be decided based on various criterion (headers, -// url, etc.) and/or by weights assigned to each version. Each service has -// a default version consisting of all its instances. -// -// `Source` - A downstream client calling a service. -// -// `Host` - The address used by a client when attempting to connect to a -// service. -// -// `Access model` - Applications address only the destination service -// (Host) without knowledge of individual service versions (subsets). The -// actual choice of the version is determined by the proxy/sidecar, enabling the -// application code to decouple itself from the evolution of dependent -// services. -// -// A `VirtualService` defines a set of traffic routing rules to apply when a host is -// addressed. Each routing rule defines matching criteria for traffic of a specific -// protocol. If the traffic is matched, then it is sent to a named destination service -// (or subset/version of it) defined in the registry. -// -// The source of traffic can also be matched in a routing rule. This allows routing -// to be customized for specific client contexts. -// -// The following example on Kubernetes, routes all HTTP traffic by default to -// pods of the reviews service with label "version: v1". In addition, -// HTTP requests with path starting with /wpcatalog/ or /consumercatalog/ will -// be rewritten to /newcatalog and sent to pods with label "version: v2". -// -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: reviews-route -// spec: -// hosts: -// - reviews.prod.svc.cluster.local -// http: -// - name: "reviews-v2-routes" -// match: -// - uri: -// prefix: "/wpcatalog" -// - uri: -// prefix: "/consumercatalog" -// rewrite: -// uri: "/newcatalog" -// route: -// - destination: -// host: reviews.prod.svc.cluster.local -// subset: v2 -// - name: "reviews-v1-route" -// route: -// - destination: -// host: reviews.prod.svc.cluster.local -// subset: v1 -// ``` -// -// A subset/version of a route destination is identified with a reference -// to a named service subset which must be declared in a corresponding -// `DestinationRule`. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: reviews-destination -// spec: -// host: reviews.prod.svc.cluster.local -// subsets: -// - name: v1 -// labels: -// version: v1 -// - name: v2 -// labels: -// version: v2 -// ``` -type VirtualService struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - Spec VirtualServiceSpec `json:"spec"` -} - -// Configuration affecting traffic routing. -type VirtualServiceSpec struct { - // REQUIRED. The destination hosts to which traffic is being sent. Could - // be a DNS name with wildcard prefix or an IP address. Depending on the - // platform, short-names can also be used instead of a FQDN (i.e. has no - // dots in the name). In such a scenario, the FQDN of the host would be - // derived based on the underlying platform. - // - // A single VirtualService can be used to describe all the traffic - // properties of the corresponding hosts, including those for multiple - // HTTP and TCP ports. Alternatively, the traffic properties of a host - // can be defined using more than one VirtualService, with certain - // caveats. Refer to the - // [Operations Guide](https://istio.io/docs/ops/traffic-management/deploy-guidelines/#multiple-virtual-services-and-destination-rules-for-the-same-host) - // for details. - // - // *Note for Kubernetes users*: When short names are used (e.g. "reviews" - // instead of "reviews.default.svc.cluster.local"), Istio will interpret - // the short name based on the namespace of the rule, not the service. A - // rule in the "default" namespace containing a host "reviews" will be - // interpreted as "reviews.default.svc.cluster.local", irrespective of - // the actual namespace associated with the reviews service. _To avoid - // potential misconfigurations, it is recommended to always use fully - // qualified domain names over short names._ - // - // The hosts field applies to both HTTP and TCP services. Service inside - // the mesh, i.e., those found in the service registry, must always be - // referred to using their alphanumeric names. IP addresses are allowed - // only for services defined via the Gateway. - Hosts []string `json:"hosts"` - - // The names of gateways and sidecars that should apply these routes. A - // single VirtualService is used for sidecars inside the mesh as well as - // for one or more gateways. The selection condition imposed by this - // field can be overridden using the source field in the match conditions - // of protocol-specific routes. The reserved word `mesh` is used to imply - // all the sidecars in the mesh. When this field is omitted, the default - // gateway (`mesh`) will be used, which would apply the rule to all - // sidecars in the mesh. If a list of gateway names is provided, the - // rules will apply only to the gateways. To apply the rules to both - // gateways and sidecars, specify `mesh` as one of the gateway names. - Gateways []string `json:"gateways,omitempty"` - - // An ordered list of route rules for HTTP traffic. HTTP routes will be - // applied to platform service ports named 'http-*'/'http2-*'/'grpc-*', gateway - // ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service - // entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching - // an incoming request is used. - HTTP []HTTPRoute `json:"http,omitempty"` - - // An ordered list of route rule for non-terminated TLS & HTTPS - // traffic. Routing is typically performed using the SNI value presented - // by the ClientHello message. TLS routes will be applied to platform - // service ports named 'https-*', 'tls-*', unterminated gateway ports using - // HTTPS/TLS protocols (i.e. with "passthrough" TLS mode) and service - // entry ports using HTTPS/TLS protocols. The first rule matching an - // incoming request is used. NOTE: Traffic 'https-*' or 'tls-*' ports - // without associated virtual service will be treated as opaque TCP - // traffic. - TLS []TLSRoute `json:"tls,omitempty"` - - // An ordered list of route rules for opaque TCP traffic. TCP routes will - // be applied to any port that is not a HTTP or TLS port. The first rule - // matching an incoming request is used. - TCP []TCPRoute `json:"tcp,omitempty"` - - // A list of namespaces to which this virtual service is exported. Exporting a - // virtual service allows it to be used by sidecars and gateways defined in - // other namespaces. This feature provides a mechanism for service owners - // and mesh administrators to control the visibility of virtual services - // across namespace boundaries. - // - // If no namespaces are specified then the virtual service is exported to all - // namespaces by default. - // - // The value "." is reserved and defines an export to the same namespace that - // the virtual service is declared in. Similarly the value "*" is reserved and - // defines an export to all namespaces. - // - // NOTE: in the current release, the `exportTo` value is restricted to - // "." or "*" (i.e., the current namespace or all namespaces). - ExportTo []string `json:"exportTo,omitempty"` -} - -// Describes match conditions and actions for routing HTTP/1.1, HTTP2, and -// gRPC traffic. See VirtualService for usage examples. -type HTTPRoute struct { - // The name assigned to the route for debugging purposes. The - // route's name will be concatenated with the match's name and will - // be logged in the access logs for requests matching this - // route/match. - Name *string `json:"name,omitempty"` - - // Match conditions to be satisfied for the rule to be - // activated. All conditions inside a single match block have AND - // semantics, while the list of match blocks have OR semantics. The rule - // is matched if any one of the match blocks succeed. - Match []*HTTPMatchRequest `json:"match,omitempty"` - - // A http rule can either redirect or forward (default) traffic. The - // forwarding target can be one of several versions of a service (see - // glossary in beginning of document). Weights associated with the - // service version determine the proportion of traffic it receives. - Route []*HTTPRouteDestination `json:"route,omitempty"` - - // A http rule can either redirect or forward (default) traffic. If - // traffic passthrough option is specified in the rule, - // route/redirect will be ignored. The redirect primitive can be used to - // send a HTTP 301 redirect to a different URI or Authority. - Redirect *HTTPRedirect `json:"redirect,omitempty"` - - // Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with - // Redirect primitive. Rewrite will be performed before forwarding. - Rewrite *HTTPRewrite `json:"rewrite,omitempty"` - - // Timeout for HTTP requests. - Timeout *string `json:"timeout,omitempty"` - - // Retry policy for HTTP requests. - Retries *HTTPRetry `json:"retries,omitempty"` - - // Fault injection policy to apply on HTTP traffic at the client side. - // Note that timeouts or retries will not be enabled when faults are - // enabled on the client side. - Fault *HTTPFaultInjection `json:"fault,omitempty"` - - // Mirror HTTP traffic to a another destination in addition to forwarding - // the requests to the intended destination. Mirrored traffic is on a - // best effort basis where the sidecar/gateway will not wait for the - // mirrored cluster to respond before returning the response from the - // original destination. Statistics will be generated for the mirrored - // destination. - Mirror *Destination `json:"mirror,omitempty"` - - // Percentage of the traffic to be mirrored by the `mirror` field. - // Use of integer `mirror_percent` value is deprecated. Use the - // double `mirror_percentage` field instead - MirrorPercent *uint32 `json:"mirrorPercent,omitempty"` - - // Percentage of the traffic to be mirrored by the `mirror` field. - // If this field is absent, all the traffic (100%) will be mirrored. - // Max value is 100. - MirrorPercentage *Percentage `json:"mirrorPercentage,omitempty"` - - // Cross-Origin Resource Sharing policy (CORS). Refer to - // [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) - // for further details about cross origin resource sharing. - CorsPolicy *CorsPolicy `json:"corsPolicy,omitempty"` - - // Header manipulation rules - Headers *Headers `json:"headers,omitempty"` -} - -// Message headers can be manipulated when Envoy forwards requests to, -// or responses from, a destination service. Header manipulation rules can -// be specified for a specific route destination or for all destinations. -// The following VirtualService adds a `test` header with the value `true` -// to requests that are routed to any `reviews` service destination. -// It also romoves the `foo` response header, but only from responses -// coming from the `v1` subset (version) of the `reviews` service. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: reviews-route -// spec: -// hosts: -// - reviews.prod.svc.cluster.local -// http: -// - headers: -// request: -// set: -// test: true -// route: -// - destination: -// host: reviews.prod.svc.cluster.local -// subset: v2 -// weight: 25 -// - destination: -// host: reviews.prod.svc.cluster.local -// subset: v1 -// headers: -// response: -// remove: -// - foo -// weight: 75 -// ``` -type Headers struct { - // Header manipulation rules to apply before forwarding a request - // to the destination service - Request *HeaderOperations `json:"request,omitempty"` - - // Header manipulation rules to apply before returning a response - // to the caller - Response *HeaderOperations `json:"response,omitempty"` -} - -// HeaderOperations Describes the header manipulations to apply -type HeaderOperations struct { - // Overwrite the headers specified by key with the given values - Set map[string]string `json:"set,omitempty"` - - // Append the given values to the headers specified by keys - // (will create a comma-separated list of values) - Add map[string]string `json:"add,omitempty"` - - // Remove a the specified headers - Remove []string `json:"remove,omitempty"` -} - -// HttpMatchRequest specifies a set of criterion to be met in order for the -// rule to be applied to the HTTP request. For example, the following -// restricts the rule to match only requests where the URL path -// starts with /ratings/v2/ and the request contains a custom `end-user` header -// with value `jason`. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: ratings-route -// spec: -// hosts: -// - ratings.prod.svc.cluster.local -// http: -// - match: -// - headers: -// end-user: -// exact: jason -// uri: -// prefix: "/ratings/v2/" -// ignoreUriCase: true -// route: -// - destination: -// host: ratings.prod.svc.cluster.local -// ``` -// -// HTTPMatchRequest CANNOT be empty. -type HTTPMatchRequest struct { - // The name assigned to a match. The match's name will be - // concatenated with the parent route's name and will be logged in - // the access logs for requests matching this route. - Name *string `json:"name,omitempty"` - - // URI to match - // values are case-sensitive and formatted as follows: - // - // - `exact: "value"` for exact string match - // - // - `prefix: "value"` for prefix-based match - // - // - `regex: "value"` for ECMAscript style regex-based match - // - // **Note:** Case-insensitive matching could be enabled via the - // `ignore_uri_case` flag. - URI *v1alpha1.StringMatch `json:"uri,omitempty"` - - // URI Scheme - // values are case-sensitive and formatted as follows: - // - // - `exact: "value"` for exact string match - // - // - `prefix: "value"` for prefix-based match - // - // - `regex: "value"` for ECMAscript style regex-based match - // - Scheme *v1alpha1.StringMatch `json:"scheme,omitempty"` - - // HTTP Method - // values are case-sensitive and formatted as follows: - // - // - `exact: "value"` for exact string match - // - // - `prefix: "value"` for prefix-based match - // - // - `regex: "value"` for ECMAscript style regex-based match - // - Method *v1alpha1.StringMatch `json:"method,omitempty"` - - // HTTP Authority - // values are case-sensitive and formatted as follows: - // - // - `exact: "value"` for exact string match - // - // - `prefix: "value"` for prefix-based match - // - // - `regex: "value"` for ECMAscript style regex-based match - // - Authority *v1alpha1.StringMatch `json:"authority,omitempty"` - - // The header keys must be lowercase and use hyphen as the separator, - // e.g. _x-request-id_. - // - // Header values are case-sensitive and formatted as follows: - // - // - `exact: "value"` for exact string match - // - // - `prefix: "value"` for prefix-based match - // - // - `regex: "value"` for ECMAscript style regex-based match - // - // **Note:** The keys `uri`, `scheme`, `method`, and `authority` will be ignored. - Headers map[string]v1alpha1.StringMatch `json:"headers,omitempty"` - - // Specifies the ports on the host that is being addressed. Many services - // only expose a single port or label ports with the protocols they support, - // in these cases it is not required to explicitly select the port. - Port *uint32 `json:"port,omitempty"` - - // One or more labels that constrain the applicability of a rule to - // workloads with the given labels. If the VirtualService has a list of - // gateways specified at the top, it must include the reserved gateway - // `mesh` for this field to be applicable. - SourceLabels map[string]string `json:"sourceLabels,omitempty"` - - // Query parameters for matching. - // - // Ex: - // - For a query parameter like "?key=true", the map key would be "key" and - // the string match could be defined as `exact: "true"`. - // - For a query parameter like "?key", the map key would be "key" and the - // string match could be defined as `exact: ""`. - // - For a query parameter like "?key=123", the map key would be "key" and the - // string match could be defined as `regex: "\d+$"`. Note that this - // configuration will only match values like "123" but not "a123" or "123a". - // - // **Note:** `prefix` matching is currently not supported. - QueryParams map[string]*v1alpha1.StringMatch `json:"queryParams,omitempty"` - - // Flag to specify whether the URI matching should be case-insensitive. - // - // **Note:** The case will be ignored only in the case of `exact` and `prefix` - // URI matches. - IgnoreURICase *bool `json:"ignoreUriCase,omitempty"` -} - -// Each routing rule is associated with one or more service versions (see -// glossary in beginning of document). Weights associated with the version -// determine the proportion of traffic it receives. For example, the -// following rule will route 25% of traffic for the "reviews" service to -// instances with the "v2" tag and the remaining traffic (i.e., 75%) to -// "v1". -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: reviews-route -// spec: -// hosts: -// - reviews.prod.svc.cluster.local -// http: -// - route: -// - destination: -// host: reviews.prod.svc.cluster.local -// subset: v2 -// weight: 25 -// - destination: -// host: reviews.prod.svc.cluster.local -// subset: v1 -// weight: 75 -// ``` -// -// And the associated DestinationRule -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: reviews-destination -// spec: -// host: reviews.prod.svc.cluster.local -// subsets: -// - name: v1 -// labels: -// version: v1 -// - name: v2 -// labels: -// version: v2 -// ``` -// -// Traffic can also be split across two entirely different services without -// having to define new subsets. For example, the following rule forwards 25% of -// traffic to reviews.com to dev.reviews.com -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: reviews-route-two-domains -// spec: -// hosts: -// - reviews.com -// http: -// - route: -// - destination: -// host: dev.reviews.com -// weight: 25 -// - destination: -// host: reviews.com -// weight: 75 -// ``` -type HTTPRouteDestination struct { - // REQUIRED. Destination uniquely identifies the instances of a service - // to which the request/connection should be forwarded to. - Destination *Destination `json:"destination"` - - // REQUIRED. The proportion of traffic to be forwarded to the service - // version. (0-100). Sum of weights across destinations SHOULD BE == 100. - // If there is only one destination in a rule, the weight value is assumed to - // be 100. - Weight *int `json:"weight,omitempty"` - - // Header manipulation rules - Headers *Headers `json:"headers,omitempty"` -} - -// L4 routing rule weighted destination. -type RouteDestination struct { - // REQUIRED. Destination uniquely identifies the instances of a service - // to which the request/connection should be forwarded to. - Destination *Destination `json:"destination"` - - // REQUIRED. The proportion of traffic to be forwarded to the service - // version. (0-100). Sum of weights across destinations SHOULD BE == 100. - // If there is only one destination in a rule, the weight value is assumed to - // be 100. - Weight *int `json:"weight,omitempty"` -} - -// Destination indicates the network addressable service to which the -// request/connection will be sent after processing a routing rule. The -// destination.host should unambiguously refer to a service in the service -// registry. Istio's service registry is composed of all the services found -// in the platform's service registry (e.g., Kubernetes services, Consul -// services), as well as services declared through the -// [ServiceEntry](https://istio.io/docs/reference/config/networking/v1beta1/service-entry/#ServiceEntry) resource. -// -// *Note for Kubernetes users*: When short names are used (e.g. "reviews" -// instead of "reviews.default.svc.cluster.local"), Istio will interpret -// the short name based on the namespace of the rule, not the service. A -// rule in the "default" namespace containing a host "reviews will be -// interpreted as "reviews.default.svc.cluster.local", irrespective of the -// actual namespace associated with the reviews service. _To avoid potential -// misconfigurations, it is recommended to always use fully qualified -// domain names over short names._ -// -// The following Kubernetes example routes all traffic by default to pods -// of the reviews service with label "version: v1" (i.e., subset v1), and -// some to subset v2, in a Kubernetes environment. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: reviews-route -// namespace: foo -// spec: -// hosts: -// - reviews # interpreted as reviews.foo.svc.cluster.local -// http: -// - match: -// - uri: -// prefix: "/wpcatalog" -// - uri: -// prefix: "/consumercatalog" -// rewrite: -// uri: "/newcatalog" -// route: -// - destination: -// host: reviews # interpreted as reviews.foo.svc.cluster.local -// subset: v2 -// - route: -// - destination: -// host: reviews # interpreted as reviews.foo.svc.cluster.local -// subset: v1 -// ``` -// -// And the associated DestinationRule -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: DestinationRule -// metadata: -// name: reviews-destination -// namespace: foo -// spec: -// host: reviews # interpreted as reviews.foo.svc.cluster.local -// subsets: -// - name: v1 -// labels: -// version: v1 -// - name: v2 -// labels: -// version: v2 -// ``` -// -// The following VirtualService sets a timeout of 5s for all calls to -// productpage.prod.svc.cluster.local service in Kubernetes. Notice that -// there are no subsets defined in this rule. Istio will fetch all -// instances of productpage.prod.svc.cluster.local service from the service -// registry and populate the sidecar's load balancing pool. Also, notice -// that this rule is set in the istio-system namespace but uses the fully -// qualified domain name of the productpage service, -// productpage.prod.svc.cluster.local. Therefore the rule's namespace does -// not have an impact in resolving the name of the productpage service. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: my-productpage-rule -// namespace: istio-system -// spec: -// hosts: -// - productpage.prod.svc.cluster.local # ignores rule namespace -// http: -// - timeout: 5s -// route: -// - destination: -// host: productpage.prod.svc.cluster.local -// ``` -// -// To control routing for traffic bound to services outside the mesh, external -// services must first be added to Istio's internal service registry using the -// ServiceEntry resource. VirtualServices can then be defined to control traffic -// bound to these external services. For example, the following rules define a -// Service for wikipedia.org and set a timeout of 5s for http requests. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: ServiceEntry -// metadata: -// name: external-svc-wikipedia -// spec: -// hosts: -// - wikipedia.org -// location: MESH_EXTERNAL -// ports: -// - number: 80 -// name: example-http -// protocol: HTTP -// resolution: DNS -// -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: my-wiki-rule -// spec: -// hosts: -// - wikipedia.org -// http: -// - timeout: 5s -// route: -// - destination: -// host: wikipedia.org -// ``` -type Destination struct { - // REQUIRED. The name of a service from the service registry. Service - // names are looked up from the platform's service registry (e.g., - // Kubernetes services, Consul services, etc.) and from the hosts - // declared by [ServiceEntry](https://istio.io/docs/reference/config/networking/v1beta1/service-entry/#ServiceEntry). Traffic forwarded to - // destinations that are not found in either of the two, will be dropped. - // - // *Note for Kubernetes users*: When short names are used (e.g. "reviews" - // instead of "reviews.default.svc.cluster.local"), Istio will interpret - // the short name based on the namespace of the rule, not the service. A - // rule in the "default" namespace containing a host "reviews will be - // interpreted as "reviews.default.svc.cluster.local", irrespective of - // the actual namespace associated with the reviews service. _To avoid - // potential misconfigurations, it is recommended to always use fully - // qualified domain names over short names._ - Host string `json:"host"` - - // The name of a subset within the service. Applicable only to services - // within the mesh. The subset must be defined in a corresponding - // DestinationRule. - Subset *string `json:"subset,omitempty"` - - // Specifies the port on the host that is being addressed. If a service - // exposes only a single port it is not required to explicitly select the - // port. - Port *PortSelector `json:"port,omitempty"` -} - -// PortSelector specifies the number of a port to be used for -// matching or selection for final routing. -type PortSelector struct { - // Valid port number - Number uint32 `json:"number"` -} - -// Describes match conditions and actions for routing TCP traffic. The -// following routing rule forwards traffic arriving at port 27017 for -// mongo.prod.svc.cluster.local to another Mongo server on port 5555. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: bookinfo-Mongo -// spec: -// hosts: -// - mongo.prod.svc.cluster.local -// tcp: -// - match: -// - port: 27017 -// route: -// - destination: -// host: mongo.backup.svc.cluster.local -// port: -// number: 5555 -// ``` -type TCPRoute struct { - // Match conditions to be satisfied for the rule to be - // activated. All conditions inside a single match block have AND - // semantics, while the list of match blocks have OR semantics. The rule - // is matched if any one of the match blocks succeed. - Match []L4MatchAttributes `json:"match"` - - // The destination to which the connection should be forwarded to. - Route []*RouteDestination `json:"route"` -} - -// Describes match conditions and actions for routing unterminated TLS -// traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS -// traffic arriving at port 443 of gateway called mygateway to internal -// services in the mesh based on the SNI value. -// -// ```yaml -// kind: VirtualService -// metadata: -// name: bookinfo-sni -// spec: -// hosts: -// - '*.bookinfo.com' -// gateways: -// - mygateway -// tls: -// - match: -// - port: 443 -// sniHosts: -// - login.bookinfo.com -// route: -// - destination: -// host: login.prod.svc.cluster.local -// - match: -// - port: 443 -// sniHosts: -// - reviews.bookinfo.com -// route: -// - destination: -// host: reviews.prod.svc.cluster.local -// ``` -type TLSRoute struct { - // REQUIRED. Match conditions to be satisfied for the rule to be - // activated. All conditions inside a single match block have AND - // semantics, while the list of match blocks have OR semantics. The rule - // is matched if any one of the match blocks succeed. - Match []TLSMatchAttributes `json:"match"` - - // The destination to which the connection should be forwarded to. - Route []*RouteDestination `json:"route"` -} - -// L4 connection match attributes. Note that L4 connection matching support -// is incomplete. -type L4MatchAttributes struct { - // IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., - // a.b.c.d/xx form or just a.b.c.d. - DestinationSubnets []string `json:"destinationSubnets,omitempty"` - - // Specifies the port on the host that is being addressed. Many services - // only expose a single port or label ports with the protocols they support, - // in these cases it is not required to explicitly select the port. - Port *int `json:"port,omitempty"` - - // One or more labels that constrain the applicability of a rule to - // workloads with the given labels. If the VirtualService has a list of - // gateways specified at the top, it should include the reserved gateway - // `mesh` in order for this field to be applicable. - SourceLabels map[string]string `json:"sourceLabels,omitempty"` - - // Names of gateways where the rule should be applied to. Gateway names - // at the top of the VirtualService (if any) are overridden. The gateway - // match is independent of sourceLabels. - Gateways []string `json:"gateways,omitempty"` -} - -// TLS connection match attributes. -type TLSMatchAttributes struct { - // REQUIRED. SNI (server name indicator) to match on. Wildcard prefixes - // can be used in the SNI value, e.g., *.com will match foo.example.com - // as well as example.com. An SNI value must be a subset (i.e., fall - // within the domain) of the corresponding virtual serivce's hosts. - SniHosts []string `json:"sniHosts"` - - // IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., - // a.b.c.d/xx form or just a.b.c.d. - DestinationSubnets []string `json:"destinationSubnets,omitempty"` - - // Specifies the port on the host that is being addressed. Many services - // only expose a single port or label ports with the protocols they support, - // in these cases it is not required to explicitly select the port. - Port *int `json:"port,omitempty"` - - // One or more labels that constrain the applicability of a rule to - // workloads with the given labels. If the VirtualService has a list of - // gateways specified at the top, it should include the reserved gateway - // `mesh` in order for this field to be applicable. - SourceLabels map[string]string `json:"sourceLabels,omitempty"` - - // Names of gateways where the rule should be applied to. Gateway names - // at the top of the VirtualService (if any) are overridden. The gateway - // match is independent of sourceLabels. - Gateways []string `json:"gateways,omitempty"` -} - -// HTTPRedirect can be used to send a 301 redirect response to the caller, -// where the Authority/Host and the URI in the response can be swapped with -// the specified values. For example, the following rule redirects -// requests for /v1/getProductRatings API on the ratings service to -// /v1/bookRatings provided by the bookratings service. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: ratings-route -// spec: -// hosts: -// - ratings.prod.svc.cluster.local -// http: -// - match: -// - uri: -// exact: /v1/getProductRatings -// redirect: -// uri: /v1/bookRatings -// authority: newratings.default.svc.cluster.local -// ... -// ``` -type HTTPRedirect struct { - // On a redirect, overwrite the Path portion of the URL with this - // value. Note that the entire path will be replaced, irrespective of the - // request URI being matched as an exact path or prefix. - URI *string `json:"uri,omitempty"` - - // On a redirect, overwrite the Authority/Host portion of the URL with - // this value. - Authority *string `json:"authority,omitempty"` - - // On a redirect, Specifies the HTTP status code to use in the redirect - // response. The default response code is MOVED_PERMANENTLY (301). - RedirectCode *uint32 `json:"redirectCode,omitempty"` -} - -// HTTPRewrite can be used to rewrite specific parts of a HTTP request -// before forwarding the request to the destination. Rewrite primitive can -// be used only with HTTPRouteDestination. The following example -// demonstrates how to rewrite the URL prefix for api call (/ratings) to -// ratings service before making the actual API call. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: ratings-route -// spec: -// hosts: -// - ratings.prod.svc.cluster.local -// http: -// - match: -// - uri: -// prefix: /ratings -// rewrite: -// uri: /v1/bookRatings -// route: -// - destination: -// host: ratings.prod.svc.cluster.local -// subset: v1 -// ``` -type HTTPRewrite struct { - // rewrite the path (or the prefix) portion of the URI with this - // value. If the original URI was matched based on prefix, the value - // provided in this field will replace the corresponding matched prefix. - URI *string `json:"uri,omitempty"` - - // rewrite the Authority/Host header with this value. - Authority *string `json:"authority,omitempty"` -} - -// Describes the retry policy to use when a HTTP request fails. For -// example, the following rule sets the maximum number of retries to 3 when -// calling ratings:v1 service, with a 2s timeout per retry attempt. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: ratings-route -// spec: -// hosts: -// - ratings.prod.svc.cluster.local -// http: -// - route: -// - destination: -// host: ratings.prod.svc.cluster.local -// subset: v1 -// retries: -// attempts: 3 -// perTryTimeout: 2s -// retryOn: gateway-error,connect-failure,refused-stream -// ``` -type HTTPRetry struct { - // REQUIRED. Number of retries for a given request. The interval - // between retries will be determined automatically (25ms+). Actual - // number of retries attempted depends on the httpReqTimeout. - Attempts int `json:"attempts"` - - // Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms. - PerTryTimeout string `json:"perTryTimeout"` - - // Specifies the conditions under which retry takes place. - // One or more policies can be specified using a ‘,’ delimited list. - // See the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on) - // and [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on) for more details. - RetryOn *string `json:"retryOn,omitempty"` -} - -// Describes the Cross-Origin Resource Sharing (CORS) policy, for a given -// service. Refer to [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS) -// for further details about cross origin resource sharing. For example, -// the following rule restricts cross origin requests to those originating -// from example.com domain using HTTP POST/GET, and sets the -// `Access-Control-Allow-Credentials` header to false. In addition, it only -// exposes `X-Foo-bar` header and sets an expiry period of 1 day. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: ratings-route -// spec: -// hosts: -// - ratings.prod.svc.cluster.local -// http: -// - route: -// - destination: -// host: ratings.prod.svc.cluster.local -// subset: v1 -// corsPolicy: -// allowOrigin: -// - example.com -// allowMethods: -// - POST -// - GET -// allowCredentials: false -// allowHeaders: -// - X-Foo-Bar -// maxAge: "24h" -// ``` -type CorsPolicy struct { - // The list of origins that are allowed to perform CORS requests. The - // content will be serialized into the Access-Control-Allow-Origin - // header. Wildcard * will allow all origins. - AllowOrigin []string `json:"allowOrigin,omitempty"` - - // List of HTTP methods allowed to access the resource. The content will - // be serialized into the Access-Control-Allow-Methods header. - AllowMethods []string `json:"allowMethods,omitempty"` - - // List of HTTP headers that can be used when requesting the - // resource. Serialized to Access-Control-Allow-Methods header. - AllowHeaders []string `json:"allowHeaders,omitempty"` - - // A white list of HTTP headers that the browsers are allowed to - // access. Serialized into Access-Control-Expose-Headers header. - ExposeHeaders []string `json:"exposeHeaders,omitempty"` - - // Specifies how long the results of a preflight request can be - // cached. Translates to the `Access-Control-Max-Age` header. - MaxAge *string `json:"maxAge,omitempty"` - - // Indicates whether the caller is allowed to send the actual request - // (not the preflight) using credentials. Translates to - // `Access-Control-Allow-Credentials` header. - AllowCredentials *bool `json:"allowCredentials,omitempty"` -} - -// HTTPFaultInjection can be used to specify one or more faults to inject -// while forwarding http requests to the destination specified in a route. -// Fault specification is part of a VirtualService rule. Faults include -// aborting the Http request from downstream service, and/or delaying -// proxying of requests. A fault rule MUST HAVE delay or abort or both. -// -// *Note:* Delay and abort faults are independent of one another, even if -// both are specified simultaneously. -type HTTPFaultInjection struct { - // Delay requests before forwarding, emulating various failures such as - // network issues, overloaded upstream service, etc. - Delay *Delay `json:"delay,omitempty"` - - // Abort Http request attempts and return error codes back to downstream - // service, giving the impression that the upstream service is faulty. - Abort *Abort `json:"abort,omitempty"` -} - -// Delay specification is used to inject latency into the request -// forwarding path. The following example will introduce a 5 second delay -// in 1 out of every 1000 requests to the "v1" version of the "reviews" -// service from all pods with label env: prod -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: reviews-route -// spec: -// hosts: -// - reviews.prod.svc.cluster.local -// http: -// - match: -// - sourceLabels: -// env: prod -// route: -// - destination: -// host: reviews.prod.svc.cluster.local -// subset: v1 -// fault: -// delay: -// percentage: -// value: 0.1 -// fixedDelay: 5s -// ``` -// -// The _fixedDelay_ field is used to indicate the amount of delay in seconds. -// The optional _percentage_ field can be used to only delay a certain -// percentage of requests. If left unspecified, all request will be delayed. -type Delay struct { - // REQUIRED. Add a fixed delay before forwarding the request. Format: - // 1h/1m/1s/1ms. MUST be >=1ms. - FixedDelay string `json:"fixedDelay"` - - // Percentage of requests on which the delay will be injected. - Percentage *Percentage `json:"percentage,omitempty"` -} - -// Abort specification is used to prematurely abort a request with a -// pre-specified error code. The following example will return an HTTP 400 -// error code for 1 out of every 1000 requests to the "ratings" service "v1". -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: VirtualService -// metadata: -// name: ratings-route -// spec: -// hosts: -// - ratings.prod.svc.cluster.local -// http: -// - route: -// - destination: -// host: ratings.prod.svc.cluster.local -// subset: v1 -// fault: -// abort: -// percentage: -// value: 0.1 -// httpStatus: 400 -// ``` -// -// The _httpStatus_ field is used to indicate the HTTP status code to -// return to the caller. The optional _percentage_ field can be used to only -// abort a certain percentage of requests. If not specified, all requests are -// aborted. -type Abort struct { - // REQUIRED. HTTP status code to use to abort the Http request. - HTTPStatus int `json:"httpStatus"` - - // Percentage of requests on which the delay will be injected. - Percentage *Percentage `json:"percentage,omitempty"` -} - -// Percent specifies a percentage in the range of [0.0, 100.0]. -type Percentage struct { - Value float32 `json:"value"` -} - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object - -// VirtualServiceList is a list of VirtualService resources -type VirtualServiceList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata"` - - Items []VirtualService `json:"items"` -} diff --git a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/workloadentry_types.go b/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/workloadentry_types.go deleted file mode 100644 index 9bf2e8341..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/workloadentry_types.go +++ /dev/null @@ -1,190 +0,0 @@ -// Copyright © 2020 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -package v1beta1 - -import v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - -// +genclient -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// WorkloadEntry -type WorkloadEntry struct { - v1.TypeMeta `json:",inline"` - v1.ObjectMeta `json:"metadata,omitempty"` - - // Spec defines the implementation of this definition. - Spec WorkloadEntrySpec `json:"spec"` -} - -// `WorkloadEntry` enables operators to describe the properties of a -// single non-Kubernetes workload such as a VM or a bare metal server -// as it is are onboarded into the mesh. A `WorkloadEntry` must be -// accompanied by an Istio `ServiceEntry` that selects the workload -// through the appropriate labels and provides the service definition -// for a `MESH_INTERNAL` service (hostnames, port properties, etc.). A -// `ServiceEntry` object can select multiple workload entries as well -// as Kubernetes pods based on the label selector specified in the -// service entry. -// -// When a workload connects to `istiod`, the status field in the -// custom resource will be updated to indicate the health of the -// workload along with other details, similar to how Kubernetes -// updates the status of a pod. -// -// The following example declares a workload entry representing a -// VM for the `details.bookinfo.com` service. This VM has -// sidecar installed and bootstrapped using the `details-legacy` -// service account. The sidecar receives HTTP traffic on port 80 -// (wrapped in istio mutual TLS) and forwards it to the application on -// the localhost on the same port. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: WorkloadEntry -// metadata: -// name: details-svc -// spec: -// # use of the service account indicates that the workload has a -// # sidecar proxy bootstrapped with this service account. Pods with -// # sidecars will automatically communicate with the workload using -// # istio mutual TLS. -// serviceAccount: details-legacy -// address: 2.2.2.2 -// labels: -// app: details-legacy -// instance-id: vm1 -// # ports if not specified will be the same as service ports -// ``` -// -// and the associated service entry -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: ServiceEntry -// metadata: -// name: details-svc -// spec: -// hosts: -// - details.bookinfo.com -// location: MESH_INTERNAL -// ports: -// - number: 80 -// name: http -// protocol: HTTP -// resolution: STATIC -// workloadSelector: -// labels: -// app: details-legacy -// ``` -// -// The following example declares the same VM workload using -// its fully qualified DNS name. The service entry's resolution -// mode should be changed to DNS to indicate that the client-side -// sidecars should dynamically resolve the DNS name at runtime before -// forwarding the request. -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: WorkloadEntry -// metadata: -// name: details-svc -// spec: -// # use of the service account indicates that the workload has a -// # sidecar proxy bootstrapped with this service account. Pods with -// # sidecars will automatically communicate with the workload using -// # istio mutual TLS. -// serviceAccount: details-legacy -// address: vm1.vpc01.corp.net -// labels: -// app: details-legacy -// instance-id: vm1 -// # ports if not specified will be the same as service ports -// ``` -// -// and the associated service entry -// -// ```yaml -// apiVersion: networking.istio.io/v1beta1 -// kind: ServiceEntry -// metadata: -// name: details-svc -// spec: -// hosts: -// - details.bookinfo.com -// location: MESH_INTERNAL -// ports: -// - number: 80 -// name: http -// protocol: HTTP -// resolution: DNS -// workloadSelector: -// labels: -// app: details-legacy -// ``` -type WorkloadEntrySpec struct { - // Address associated with the network endpoint without the - // port. Domain names can be used if and only if the resolution is set - // to DNS, and must be fully-qualified without wildcards. Use the form - // unix:///absolute/path/to/socket for Unix domain socket endpoints. - Address string `json:"address"` - // Set of ports associated with the endpoint. The ports must be - // associated with a port name that was declared as part of the - // service. Do not use for `unix://` addresses. - Ports map[string]uint32 `json:"ports,omitempty"` - // One or more labels associated with the endpoint. - Labels map[string]string `json:"labels,omitempty"` - // Network enables Istio to group endpoints resident in the same L3 - // domain/network. All endpoints in the same network are assumed to be - // directly reachable from one another. When endpoints in different - // networks cannot reach each other directly, an Istio Gateway can be - // used to establish connectivity (usually using the - // `AUTO_PASSTHROUGH` mode in a Gateway Server). This is - // an advanced configuration used typically for spanning an Istio mesh - // over multiple clusters. - Network string `json:"network,omitempty"` - // The locality associated with the endpoint. A locality corresponds - // to a failure domain (e.g., country/region/zone). Arbitrary failure - // domain hierarchies can be represented by separating each - // encapsulating failure domain by /. For example, the locality of an - // an endpoint in US, in US-East-1 region, within availability zone - // az-1, in data center rack r11 can be represented as - // us/us-east-1/az-1/r11. Istio will configure the sidecar to route to - // endpoints within the same locality as the sidecar. If none of the - // endpoints in the locality are available, endpoints parent locality - // (but within the same network ID) will be chosen. For example, if - // there are two endpoints in same network (networkID "n1"), say e1 - // with locality us/us-east-1/az-1/r11 and e2 with locality - // us/us-east-1/az-2/r12, a sidecar from us/us-east-1/az-1/r11 locality - // will prefer e1 from the same locality over e2 from a different - // locality. Endpoint e2 could be the IP associated with a gateway - // (that bridges networks n1 and n2), or the IP associated with a - // standard service endpoint. - Locality string `json:"locality,omitempty"` - // The load balancing weight associated with the endpoint. Endpoints - // with higher weights will receive proportionally higher traffic. - Weight uint32 `json:"weight,omitempty"` - // The service account associated with the workload if a sidecar - // is present in the workload. The service account must be present - // in the same namespace as the configuration ( WorkloadEntry or a - // ServiceEntry) - ServiceAccount string `json:"serviceAccount,omitempty"` -} - -// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object -// WorkloadEntryList is a collection of EnvoyFilters. -type WorkloadEntryList struct { - v1.TypeMeta `json:",inline"` - v1.ListMeta `json:"metadata"` - Items []WorkloadEntry `json:"items"` -} diff --git a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/zz_generated.deepcopy.go b/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/zz_generated.deepcopy.go deleted file mode 100644 index 60351b991..000000000 --- a/third_party/github.com/banzaicloud/istio-client-go/pkg/networking/v1beta1/zz_generated.deepcopy.go +++ /dev/null @@ -1,1955 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -// Copyright © 2019 Banzai Cloud -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by controller-gen. DO NOT EDIT. - -package v1beta1 - -import ( - "github.com/banzaicloud/istio-client-go/pkg/common/v1alpha1" - "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Abort) DeepCopyInto(out *Abort) { - *out = *in - if in.Percentage != nil { - in, out := &in.Percentage, &out.Percentage - *out = new(Percentage) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Abort. -func (in *Abort) DeepCopy() *Abort { - if in == nil { - return nil - } - out := new(Abort) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ConnectionPoolSettings) DeepCopyInto(out *ConnectionPoolSettings) { - *out = *in - if in.TCP != nil { - in, out := &in.TCP, &out.TCP - *out = new(TCPSettings) - (*in).DeepCopyInto(*out) - } - if in.HTTP != nil { - in, out := &in.HTTP, &out.HTTP - *out = new(HTTPSettings) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionPoolSettings. -func (in *ConnectionPoolSettings) DeepCopy() *ConnectionPoolSettings { - if in == nil { - return nil - } - out := new(ConnectionPoolSettings) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ConsistentHashLB) DeepCopyInto(out *ConsistentHashLB) { - *out = *in - if in.HTTPHeaderName != nil { - in, out := &in.HTTPHeaderName, &out.HTTPHeaderName - *out = new(string) - **out = **in - } - if in.HTTPCookie != nil { - in, out := &in.HTTPCookie, &out.HTTPCookie - *out = new(HTTPCookie) - (*in).DeepCopyInto(*out) - } - if in.UseSourceIP != nil { - in, out := &in.UseSourceIP, &out.UseSourceIP - *out = new(bool) - **out = **in - } - if in.MinimumRingSize != nil { - in, out := &in.MinimumRingSize, &out.MinimumRingSize - *out = new(uint64) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConsistentHashLB. -func (in *ConsistentHashLB) DeepCopy() *ConsistentHashLB { - if in == nil { - return nil - } - out := new(ConsistentHashLB) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *CorsPolicy) DeepCopyInto(out *CorsPolicy) { - *out = *in - if in.AllowOrigin != nil { - in, out := &in.AllowOrigin, &out.AllowOrigin - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowMethods != nil { - in, out := &in.AllowMethods, &out.AllowMethods - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.AllowHeaders != nil { - in, out := &in.AllowHeaders, &out.AllowHeaders - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.ExposeHeaders != nil { - in, out := &in.ExposeHeaders, &out.ExposeHeaders - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.MaxAge != nil { - in, out := &in.MaxAge, &out.MaxAge - *out = new(string) - **out = **in - } - if in.AllowCredentials != nil { - in, out := &in.AllowCredentials, &out.AllowCredentials - *out = new(bool) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CorsPolicy. -func (in *CorsPolicy) DeepCopy() *CorsPolicy { - if in == nil { - return nil - } - out := new(CorsPolicy) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Delay) DeepCopyInto(out *Delay) { - *out = *in - if in.Percentage != nil { - in, out := &in.Percentage, &out.Percentage - *out = new(Percentage) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Delay. -func (in *Delay) DeepCopy() *Delay { - if in == nil { - return nil - } - out := new(Delay) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Destination) DeepCopyInto(out *Destination) { - *out = *in - if in.Subset != nil { - in, out := &in.Subset, &out.Subset - *out = new(string) - **out = **in - } - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(PortSelector) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Destination. -func (in *Destination) DeepCopy() *Destination { - if in == nil { - return nil - } - out := new(Destination) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *DestinationRule) DeepCopyInto(out *DestinationRule) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationRule. -func (in *DestinationRule) DeepCopy() *DestinationRule { - if in == nil { - return nil - } - out := new(DestinationRule) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *DestinationRule) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *DestinationRuleList) DeepCopyInto(out *DestinationRuleList) { - *out = *in - out.TypeMeta = in.TypeMeta - out.ListMeta = in.ListMeta - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]DestinationRule, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationRuleList. -func (in *DestinationRuleList) DeepCopy() *DestinationRuleList { - if in == nil { - return nil - } - out := new(DestinationRuleList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *DestinationRuleList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *DestinationRuleSpec) DeepCopyInto(out *DestinationRuleSpec) { - *out = *in - if in.TrafficPolicy != nil { - in, out := &in.TrafficPolicy, &out.TrafficPolicy - *out = new(TrafficPolicy) - (*in).DeepCopyInto(*out) - } - if in.Subsets != nil { - in, out := &in.Subsets, &out.Subsets - *out = make([]Subset, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.ExportTo != nil { - in, out := &in.ExportTo, &out.ExportTo - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationRuleSpec. -func (in *DestinationRuleSpec) DeepCopy() *DestinationRuleSpec { - if in == nil { - return nil - } - out := new(DestinationRuleSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Gateway) DeepCopyInto(out *Gateway) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Gateway. -func (in *Gateway) DeepCopy() *Gateway { - if in == nil { - return nil - } - out := new(Gateway) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *Gateway) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *GatewayList) DeepCopyInto(out *GatewayList) { - *out = *in - out.TypeMeta = in.TypeMeta - out.ListMeta = in.ListMeta - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]Gateway, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayList. -func (in *GatewayList) DeepCopy() *GatewayList { - if in == nil { - return nil - } - out := new(GatewayList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *GatewayList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *GatewaySpec) DeepCopyInto(out *GatewaySpec) { - *out = *in - if in.Servers != nil { - in, out := &in.Servers, &out.Servers - *out = make([]Server, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Selector != nil { - in, out := &in.Selector, &out.Selector - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewaySpec. -func (in *GatewaySpec) DeepCopy() *GatewaySpec { - if in == nil { - return nil - } - out := new(GatewaySpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *HTTPCookie) DeepCopyInto(out *HTTPCookie) { - *out = *in - if in.Path != nil { - in, out := &in.Path, &out.Path - *out = new(string) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPCookie. -func (in *HTTPCookie) DeepCopy() *HTTPCookie { - if in == nil { - return nil - } - out := new(HTTPCookie) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *HTTPFaultInjection) DeepCopyInto(out *HTTPFaultInjection) { - *out = *in - if in.Delay != nil { - in, out := &in.Delay, &out.Delay - *out = new(Delay) - (*in).DeepCopyInto(*out) - } - if in.Abort != nil { - in, out := &in.Abort, &out.Abort - *out = new(Abort) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPFaultInjection. -func (in *HTTPFaultInjection) DeepCopy() *HTTPFaultInjection { - if in == nil { - return nil - } - out := new(HTTPFaultInjection) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *HTTPMatchRequest) DeepCopyInto(out *HTTPMatchRequest) { - *out = *in - if in.Name != nil { - in, out := &in.Name, &out.Name - *out = new(string) - **out = **in - } - if in.URI != nil { - in, out := &in.URI, &out.URI - *out = new(v1alpha1.StringMatch) - **out = **in - } - if in.Scheme != nil { - in, out := &in.Scheme, &out.Scheme - *out = new(v1alpha1.StringMatch) - **out = **in - } - if in.Method != nil { - in, out := &in.Method, &out.Method - *out = new(v1alpha1.StringMatch) - **out = **in - } - if in.Authority != nil { - in, out := &in.Authority, &out.Authority - *out = new(v1alpha1.StringMatch) - **out = **in - } - if in.Headers != nil { - in, out := &in.Headers, &out.Headers - *out = make(map[string]v1alpha1.StringMatch, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(uint32) - **out = **in - } - if in.SourceLabels != nil { - in, out := &in.SourceLabels, &out.SourceLabels - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.QueryParams != nil { - in, out := &in.QueryParams, &out.QueryParams - *out = make(map[string]*v1alpha1.StringMatch, len(*in)) - for key, val := range *in { - var outVal *v1alpha1.StringMatch - if val == nil { - (*out)[key] = nil - } else { - in, out := &val, &outVal - *out = new(v1alpha1.StringMatch) - **out = **in - } - (*out)[key] = outVal - } - } - if in.IgnoreURICase != nil { - in, out := &in.IgnoreURICase, &out.IgnoreURICase - *out = new(bool) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPMatchRequest. -func (in *HTTPMatchRequest) DeepCopy() *HTTPMatchRequest { - if in == nil { - return nil - } - out := new(HTTPMatchRequest) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *HTTPRedirect) DeepCopyInto(out *HTTPRedirect) { - *out = *in - if in.URI != nil { - in, out := &in.URI, &out.URI - *out = new(string) - **out = **in - } - if in.Authority != nil { - in, out := &in.Authority, &out.Authority - *out = new(string) - **out = **in - } - if in.RedirectCode != nil { - in, out := &in.RedirectCode, &out.RedirectCode - *out = new(uint32) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRedirect. -func (in *HTTPRedirect) DeepCopy() *HTTPRedirect { - if in == nil { - return nil - } - out := new(HTTPRedirect) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *HTTPRetry) DeepCopyInto(out *HTTPRetry) { - *out = *in - if in.RetryOn != nil { - in, out := &in.RetryOn, &out.RetryOn - *out = new(string) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRetry. -func (in *HTTPRetry) DeepCopy() *HTTPRetry { - if in == nil { - return nil - } - out := new(HTTPRetry) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *HTTPRewrite) DeepCopyInto(out *HTTPRewrite) { - *out = *in - if in.URI != nil { - in, out := &in.URI, &out.URI - *out = new(string) - **out = **in - } - if in.Authority != nil { - in, out := &in.Authority, &out.Authority - *out = new(string) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRewrite. -func (in *HTTPRewrite) DeepCopy() *HTTPRewrite { - if in == nil { - return nil - } - out := new(HTTPRewrite) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *HTTPRoute) DeepCopyInto(out *HTTPRoute) { - *out = *in - if in.Name != nil { - in, out := &in.Name, &out.Name - *out = new(string) - **out = **in - } - if in.Match != nil { - in, out := &in.Match, &out.Match - *out = make([]*HTTPMatchRequest, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(HTTPMatchRequest) - (*in).DeepCopyInto(*out) - } - } - } - if in.Route != nil { - in, out := &in.Route, &out.Route - *out = make([]*HTTPRouteDestination, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(HTTPRouteDestination) - (*in).DeepCopyInto(*out) - } - } - } - if in.Redirect != nil { - in, out := &in.Redirect, &out.Redirect - *out = new(HTTPRedirect) - (*in).DeepCopyInto(*out) - } - if in.Rewrite != nil { - in, out := &in.Rewrite, &out.Rewrite - *out = new(HTTPRewrite) - (*in).DeepCopyInto(*out) - } - if in.Timeout != nil { - in, out := &in.Timeout, &out.Timeout - *out = new(string) - **out = **in - } - if in.Retries != nil { - in, out := &in.Retries, &out.Retries - *out = new(HTTPRetry) - (*in).DeepCopyInto(*out) - } - if in.Fault != nil { - in, out := &in.Fault, &out.Fault - *out = new(HTTPFaultInjection) - (*in).DeepCopyInto(*out) - } - if in.Mirror != nil { - in, out := &in.Mirror, &out.Mirror - *out = new(Destination) - (*in).DeepCopyInto(*out) - } - if in.MirrorPercent != nil { - in, out := &in.MirrorPercent, &out.MirrorPercent - *out = new(uint32) - **out = **in - } - if in.MirrorPercentage != nil { - in, out := &in.MirrorPercentage, &out.MirrorPercentage - *out = new(Percentage) - **out = **in - } - if in.CorsPolicy != nil { - in, out := &in.CorsPolicy, &out.CorsPolicy - *out = new(CorsPolicy) - (*in).DeepCopyInto(*out) - } - if in.Headers != nil { - in, out := &in.Headers, &out.Headers - *out = new(Headers) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRoute. -func (in *HTTPRoute) DeepCopy() *HTTPRoute { - if in == nil { - return nil - } - out := new(HTTPRoute) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *HTTPRouteDestination) DeepCopyInto(out *HTTPRouteDestination) { - *out = *in - if in.Destination != nil { - in, out := &in.Destination, &out.Destination - *out = new(Destination) - (*in).DeepCopyInto(*out) - } - if in.Weight != nil { - in, out := &in.Weight, &out.Weight - *out = new(int) - **out = **in - } - if in.Headers != nil { - in, out := &in.Headers, &out.Headers - *out = new(Headers) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteDestination. -func (in *HTTPRouteDestination) DeepCopy() *HTTPRouteDestination { - if in == nil { - return nil - } - out := new(HTTPRouteDestination) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *HTTPSettings) DeepCopyInto(out *HTTPSettings) { - *out = *in - if in.HTTP1MaxPendingRequests != nil { - in, out := &in.HTTP1MaxPendingRequests, &out.HTTP1MaxPendingRequests - *out = new(int32) - **out = **in - } - if in.HTTP2MaxRequests != nil { - in, out := &in.HTTP2MaxRequests, &out.HTTP2MaxRequests - *out = new(int32) - **out = **in - } - if in.MaxRequestsPerConnection != nil { - in, out := &in.MaxRequestsPerConnection, &out.MaxRequestsPerConnection - *out = new(int32) - **out = **in - } - if in.MaxRetries != nil { - in, out := &in.MaxRetries, &out.MaxRetries - *out = new(int32) - **out = **in - } - if in.IdleTimeout != nil { - in, out := &in.IdleTimeout, &out.IdleTimeout - *out = new(string) - **out = **in - } - if in.H2UpgradePolicy != nil { - in, out := &in.H2UpgradePolicy, &out.H2UpgradePolicy - *out = new(H2UpgradePolicy) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPSettings. -func (in *HTTPSettings) DeepCopy() *HTTPSettings { - if in == nil { - return nil - } - out := new(HTTPSettings) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *HeaderOperations) DeepCopyInto(out *HeaderOperations) { - *out = *in - if in.Set != nil { - in, out := &in.Set, &out.Set - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.Add != nil { - in, out := &in.Add, &out.Add - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.Remove != nil { - in, out := &in.Remove, &out.Remove - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderOperations. -func (in *HeaderOperations) DeepCopy() *HeaderOperations { - if in == nil { - return nil - } - out := new(HeaderOperations) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Headers) DeepCopyInto(out *Headers) { - *out = *in - if in.Request != nil { - in, out := &in.Request, &out.Request - *out = new(HeaderOperations) - (*in).DeepCopyInto(*out) - } - if in.Response != nil { - in, out := &in.Response, &out.Response - *out = new(HeaderOperations) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Headers. -func (in *Headers) DeepCopy() *Headers { - if in == nil { - return nil - } - out := new(Headers) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioEgressListener) DeepCopyInto(out *IstioEgressListener) { - *out = *in - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(Port) - **out = **in - } - if in.Hosts != nil { - in, out := &in.Hosts, &out.Hosts - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioEgressListener. -func (in *IstioEgressListener) DeepCopy() *IstioEgressListener { - if in == nil { - return nil - } - out := new(IstioEgressListener) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioIngressListener) DeepCopyInto(out *IstioIngressListener) { - *out = *in - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(Port) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioIngressListener. -func (in *IstioIngressListener) DeepCopy() *IstioIngressListener { - if in == nil { - return nil - } - out := new(IstioIngressListener) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *L4MatchAttributes) DeepCopyInto(out *L4MatchAttributes) { - *out = *in - if in.DestinationSubnets != nil { - in, out := &in.DestinationSubnets, &out.DestinationSubnets - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(int) - **out = **in - } - if in.SourceLabels != nil { - in, out := &in.SourceLabels, &out.SourceLabels - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.Gateways != nil { - in, out := &in.Gateways, &out.Gateways - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new L4MatchAttributes. -func (in *L4MatchAttributes) DeepCopy() *L4MatchAttributes { - if in == nil { - return nil - } - out := new(L4MatchAttributes) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *LoadBalancerSettings) DeepCopyInto(out *LoadBalancerSettings) { - *out = *in - if in.Simple != nil { - in, out := &in.Simple, &out.Simple - *out = new(SimpleLB) - **out = **in - } - if in.ConsistentHash != nil { - in, out := &in.ConsistentHash, &out.ConsistentHash - *out = new(ConsistentHashLB) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoadBalancerSettings. -func (in *LoadBalancerSettings) DeepCopy() *LoadBalancerSettings { - if in == nil { - return nil - } - out := new(LoadBalancerSettings) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OutboundTrafficPolicy) DeepCopyInto(out *OutboundTrafficPolicy) { - *out = *in - if in.Mode != nil { - in, out := &in.Mode, &out.Mode - *out = new(OutboundTrafficPolicyMode) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutboundTrafficPolicy. -func (in *OutboundTrafficPolicy) DeepCopy() *OutboundTrafficPolicy { - if in == nil { - return nil - } - out := new(OutboundTrafficPolicy) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *OutlierDetection) DeepCopyInto(out *OutlierDetection) { - *out = *in - if in.ConsecutiveGatewayErrors != nil { - in, out := &in.ConsecutiveGatewayErrors, &out.ConsecutiveGatewayErrors - *out = new(uint32) - **out = **in - } - if in.Consecutive5XxErrors != nil { - in, out := &in.Consecutive5XxErrors, &out.Consecutive5XxErrors - *out = new(uint32) - **out = **in - } - if in.Interval != nil { - in, out := &in.Interval, &out.Interval - *out = new(string) - **out = **in - } - if in.BaseEjectionTime != nil { - in, out := &in.BaseEjectionTime, &out.BaseEjectionTime - *out = new(string) - **out = **in - } - if in.MaxEjectionPercent != nil { - in, out := &in.MaxEjectionPercent, &out.MaxEjectionPercent - *out = new(int32) - **out = **in - } - if in.MinHealthPercent != nil { - in, out := &in.MinHealthPercent, &out.MinHealthPercent - *out = new(int32) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutlierDetection. -func (in *OutlierDetection) DeepCopy() *OutlierDetection { - if in == nil { - return nil - } - out := new(OutlierDetection) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Percentage) DeepCopyInto(out *Percentage) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Percentage. -func (in *Percentage) DeepCopy() *Percentage { - if in == nil { - return nil - } - out := new(Percentage) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Port) DeepCopyInto(out *Port) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Port. -func (in *Port) DeepCopy() *Port { - if in == nil { - return nil - } - out := new(Port) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PortSelector) DeepCopyInto(out *PortSelector) { - *out = *in -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector. -func (in *PortSelector) DeepCopy() *PortSelector { - if in == nil { - return nil - } - out := new(PortSelector) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PortTrafficPolicy) DeepCopyInto(out *PortTrafficPolicy) { - *out = *in - in.TrafficPolicyCommon.DeepCopyInto(&out.TrafficPolicyCommon) - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(PortSelector) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortTrafficPolicy. -func (in *PortTrafficPolicy) DeepCopy() *PortTrafficPolicy { - if in == nil { - return nil - } - out := new(PortTrafficPolicy) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *RouteDestination) DeepCopyInto(out *RouteDestination) { - *out = *in - if in.Destination != nil { - in, out := &in.Destination, &out.Destination - *out = new(Destination) - (*in).DeepCopyInto(*out) - } - if in.Weight != nil { - in, out := &in.Weight, &out.Weight - *out = new(int) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteDestination. -func (in *RouteDestination) DeepCopy() *RouteDestination { - if in == nil { - return nil - } - out := new(RouteDestination) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Server) DeepCopyInto(out *Server) { - *out = *in - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(Port) - **out = **in - } - if in.Hosts != nil { - in, out := &in.Hosts, &out.Hosts - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(TLSOptions) - (*in).DeepCopyInto(*out) - } - if in.DefaultEndpoint != nil { - in, out := &in.DefaultEndpoint, &out.DefaultEndpoint - *out = new(string) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Server. -func (in *Server) DeepCopy() *Server { - if in == nil { - return nil - } - out := new(Server) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ServiceEntry) DeepCopyInto(out *ServiceEntry) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceEntry. -func (in *ServiceEntry) DeepCopy() *ServiceEntry { - if in == nil { - return nil - } - out := new(ServiceEntry) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ServiceEntry) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ServiceEntryEndpoint) DeepCopyInto(out *ServiceEntryEndpoint) { - *out = *in - if in.Address != nil { - in, out := &in.Address, &out.Address - *out = new(string) - **out = **in - } - if in.Ports != nil { - in, out := &in.Ports, &out.Ports - *out = make(map[string]uint32, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.Labels != nil { - in, out := &in.Labels, &out.Labels - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.Network != nil { - in, out := &in.Network, &out.Network - *out = new(string) - **out = **in - } - if in.Locality != nil { - in, out := &in.Locality, &out.Locality - *out = new(string) - **out = **in - } - if in.Weight != nil { - in, out := &in.Weight, &out.Weight - *out = new(uint32) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceEntryEndpoint. -func (in *ServiceEntryEndpoint) DeepCopy() *ServiceEntryEndpoint { - if in == nil { - return nil - } - out := new(ServiceEntryEndpoint) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ServiceEntryList) DeepCopyInto(out *ServiceEntryList) { - *out = *in - out.TypeMeta = in.TypeMeta - out.ListMeta = in.ListMeta - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]ServiceEntry, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceEntryList. -func (in *ServiceEntryList) DeepCopy() *ServiceEntryList { - if in == nil { - return nil - } - out := new(ServiceEntryList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ServiceEntryList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ServiceEntrySpec) DeepCopyInto(out *ServiceEntrySpec) { - *out = *in - if in.Hosts != nil { - in, out := &in.Hosts, &out.Hosts - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.Addresses != nil { - in, out := &in.Addresses, &out.Addresses - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.Ports != nil { - in, out := &in.Ports, &out.Ports - *out = make([]*Port, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(Port) - **out = **in - } - } - } - if in.Location != nil { - in, out := &in.Location, &out.Location - *out = new(ServiceEntryLocation) - **out = **in - } - if in.Resolution != nil { - in, out := &in.Resolution, &out.Resolution - *out = new(ServiceEntryResolution) - **out = **in - } - if in.Endpoints != nil { - in, out := &in.Endpoints, &out.Endpoints - *out = make([]*ServiceEntryEndpoint, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(ServiceEntryEndpoint) - (*in).DeepCopyInto(*out) - } - } - } - if in.ExportTo != nil { - in, out := &in.ExportTo, &out.ExportTo - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.SubjectAltNames != nil { - in, out := &in.SubjectAltNames, &out.SubjectAltNames - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceEntrySpec. -func (in *ServiceEntrySpec) DeepCopy() *ServiceEntrySpec { - if in == nil { - return nil - } - out := new(ServiceEntrySpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Sidecar) DeepCopyInto(out *Sidecar) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Sidecar. -func (in *Sidecar) DeepCopy() *Sidecar { - if in == nil { - return nil - } - out := new(Sidecar) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *Sidecar) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SidecarList) DeepCopyInto(out *SidecarList) { - *out = *in - out.TypeMeta = in.TypeMeta - out.ListMeta = in.ListMeta - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]Sidecar, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SidecarList. -func (in *SidecarList) DeepCopy() *SidecarList { - if in == nil { - return nil - } - out := new(SidecarList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *SidecarList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *SidecarSpec) DeepCopyInto(out *SidecarSpec) { - *out = *in - if in.WorkloadSelector != nil { - in, out := &in.WorkloadSelector, &out.WorkloadSelector - *out = new(WorkloadSelector) - (*in).DeepCopyInto(*out) - } - if in.Ingress != nil { - in, out := &in.Ingress, &out.Ingress - *out = make([]*IstioIngressListener, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(IstioIngressListener) - (*in).DeepCopyInto(*out) - } - } - } - if in.Egress != nil { - in, out := &in.Egress, &out.Egress - *out = make([]*IstioEgressListener, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(IstioEgressListener) - (*in).DeepCopyInto(*out) - } - } - } - if in.OutboundTrafficPolicy != nil { - in, out := &in.OutboundTrafficPolicy, &out.OutboundTrafficPolicy - *out = new(OutboundTrafficPolicy) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SidecarSpec. -func (in *SidecarSpec) DeepCopy() *SidecarSpec { - if in == nil { - return nil - } - out := new(SidecarSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Subset) DeepCopyInto(out *Subset) { - *out = *in - if in.Labels != nil { - in, out := &in.Labels, &out.Labels - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.TrafficPolicy != nil { - in, out := &in.TrafficPolicy, &out.TrafficPolicy - *out = new(TrafficPolicy) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Subset. -func (in *Subset) DeepCopy() *Subset { - if in == nil { - return nil - } - out := new(Subset) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TCPKeepalive) DeepCopyInto(out *TCPKeepalive) { - *out = *in - if in.Probes != nil { - in, out := &in.Probes, &out.Probes - *out = new(uint32) - **out = **in - } - if in.Time != nil { - in, out := &in.Time, &out.Time - *out = new(string) - **out = **in - } - if in.Interval != nil { - in, out := &in.Interval, &out.Interval - *out = new(string) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPKeepalive. -func (in *TCPKeepalive) DeepCopy() *TCPKeepalive { - if in == nil { - return nil - } - out := new(TCPKeepalive) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TCPRoute) DeepCopyInto(out *TCPRoute) { - *out = *in - if in.Match != nil { - in, out := &in.Match, &out.Match - *out = make([]L4MatchAttributes, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Route != nil { - in, out := &in.Route, &out.Route - *out = make([]*RouteDestination, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(RouteDestination) - (*in).DeepCopyInto(*out) - } - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPRoute. -func (in *TCPRoute) DeepCopy() *TCPRoute { - if in == nil { - return nil - } - out := new(TCPRoute) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TCPSettings) DeepCopyInto(out *TCPSettings) { - *out = *in - if in.MaxConnections != nil { - in, out := &in.MaxConnections, &out.MaxConnections - *out = new(int32) - **out = **in - } - if in.ConnectTimeout != nil { - in, out := &in.ConnectTimeout, &out.ConnectTimeout - *out = new(string) - **out = **in - } - if in.TCPKeepalive != nil { - in, out := &in.TCPKeepalive, &out.TCPKeepalive - *out = new(TCPKeepalive) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPSettings. -func (in *TCPSettings) DeepCopy() *TCPSettings { - if in == nil { - return nil - } - out := new(TCPSettings) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TLSMatchAttributes) DeepCopyInto(out *TLSMatchAttributes) { - *out = *in - if in.SniHosts != nil { - in, out := &in.SniHosts, &out.SniHosts - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.DestinationSubnets != nil { - in, out := &in.DestinationSubnets, &out.DestinationSubnets - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.Port != nil { - in, out := &in.Port, &out.Port - *out = new(int) - **out = **in - } - if in.SourceLabels != nil { - in, out := &in.SourceLabels, &out.SourceLabels - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.Gateways != nil { - in, out := &in.Gateways, &out.Gateways - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSMatchAttributes. -func (in *TLSMatchAttributes) DeepCopy() *TLSMatchAttributes { - if in == nil { - return nil - } - out := new(TLSMatchAttributes) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TLSOptions) DeepCopyInto(out *TLSOptions) { - *out = *in - if in.HTTPSRedirect != nil { - in, out := &in.HTTPSRedirect, &out.HTTPSRedirect - *out = new(bool) - **out = **in - } - if in.ServerCertificate != nil { - in, out := &in.ServerCertificate, &out.ServerCertificate - *out = new(string) - **out = **in - } - if in.PrivateKey != nil { - in, out := &in.PrivateKey, &out.PrivateKey - *out = new(string) - **out = **in - } - if in.CaCertificates != nil { - in, out := &in.CaCertificates, &out.CaCertificates - *out = new(string) - **out = **in - } - if in.CredentialName != nil { - in, out := &in.CredentialName, &out.CredentialName - *out = new(string) - **out = **in - } - if in.SubjectAltNames != nil { - in, out := &in.SubjectAltNames, &out.SubjectAltNames - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.VerifyCertificateSpki != nil { - in, out := &in.VerifyCertificateSpki, &out.VerifyCertificateSpki - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.VerifyCertificateHash != nil { - in, out := &in.VerifyCertificateHash, &out.VerifyCertificateHash - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.MinProtocolVersion != nil { - in, out := &in.MinProtocolVersion, &out.MinProtocolVersion - *out = new(TLSProtocol) - **out = **in - } - if in.MaxProtocolVersion != nil { - in, out := &in.MaxProtocolVersion, &out.MaxProtocolVersion - *out = new(TLSProtocol) - **out = **in - } - if in.CipherSuites != nil { - in, out := &in.CipherSuites, &out.CipherSuites - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSOptions. -func (in *TLSOptions) DeepCopy() *TLSOptions { - if in == nil { - return nil - } - out := new(TLSOptions) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TLSRoute) DeepCopyInto(out *TLSRoute) { - *out = *in - if in.Match != nil { - in, out := &in.Match, &out.Match - *out = make([]TLSMatchAttributes, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.Route != nil { - in, out := &in.Route, &out.Route - *out = make([]*RouteDestination, len(*in)) - for i := range *in { - if (*in)[i] != nil { - in, out := &(*in)[i], &(*out)[i] - *out = new(RouteDestination) - (*in).DeepCopyInto(*out) - } - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSRoute. -func (in *TLSRoute) DeepCopy() *TLSRoute { - if in == nil { - return nil - } - out := new(TLSRoute) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TLSSettings) DeepCopyInto(out *TLSSettings) { - *out = *in - if in.ClientCertificate != nil { - in, out := &in.ClientCertificate, &out.ClientCertificate - *out = new(string) - **out = **in - } - if in.PrivateKey != nil { - in, out := &in.PrivateKey, &out.PrivateKey - *out = new(string) - **out = **in - } - if in.CaCertificates != nil { - in, out := &in.CaCertificates, &out.CaCertificates - *out = new(string) - **out = **in - } - if in.SubjectAltNames != nil { - in, out := &in.SubjectAltNames, &out.SubjectAltNames - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.SNI != nil { - in, out := &in.SNI, &out.SNI - *out = new(string) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSettings. -func (in *TLSSettings) DeepCopy() *TLSSettings { - if in == nil { - return nil - } - out := new(TLSSettings) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TrafficPolicy) DeepCopyInto(out *TrafficPolicy) { - *out = *in - in.TrafficPolicyCommon.DeepCopyInto(&out.TrafficPolicyCommon) - if in.PortLevelSettings != nil { - in, out := &in.PortLevelSettings, &out.PortLevelSettings - *out = make([]PortTrafficPolicy, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrafficPolicy. -func (in *TrafficPolicy) DeepCopy() *TrafficPolicy { - if in == nil { - return nil - } - out := new(TrafficPolicy) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *TrafficPolicyCommon) DeepCopyInto(out *TrafficPolicyCommon) { - *out = *in - if in.LoadBalancer != nil { - in, out := &in.LoadBalancer, &out.LoadBalancer - *out = new(LoadBalancerSettings) - (*in).DeepCopyInto(*out) - } - if in.ConnectionPool != nil { - in, out := &in.ConnectionPool, &out.ConnectionPool - *out = new(ConnectionPoolSettings) - (*in).DeepCopyInto(*out) - } - if in.OutlierDetection != nil { - in, out := &in.OutlierDetection, &out.OutlierDetection - *out = new(OutlierDetection) - (*in).DeepCopyInto(*out) - } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(TLSSettings) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrafficPolicyCommon. -func (in *TrafficPolicyCommon) DeepCopy() *TrafficPolicyCommon { - if in == nil { - return nil - } - out := new(TrafficPolicyCommon) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *VirtualService) DeepCopyInto(out *VirtualService) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualService. -func (in *VirtualService) DeepCopy() *VirtualService { - if in == nil { - return nil - } - out := new(VirtualService) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *VirtualService) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *VirtualServiceList) DeepCopyInto(out *VirtualServiceList) { - *out = *in - out.TypeMeta = in.TypeMeta - out.ListMeta = in.ListMeta - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]VirtualService, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualServiceList. -func (in *VirtualServiceList) DeepCopy() *VirtualServiceList { - if in == nil { - return nil - } - out := new(VirtualServiceList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *VirtualServiceList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *VirtualServiceSpec) DeepCopyInto(out *VirtualServiceSpec) { - *out = *in - if in.Hosts != nil { - in, out := &in.Hosts, &out.Hosts - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.Gateways != nil { - in, out := &in.Gateways, &out.Gateways - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.HTTP != nil { - in, out := &in.HTTP, &out.HTTP - *out = make([]HTTPRoute, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = make([]TLSRoute, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.TCP != nil { - in, out := &in.TCP, &out.TCP - *out = make([]TCPRoute, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } - if in.ExportTo != nil { - in, out := &in.ExportTo, &out.ExportTo - *out = make([]string, len(*in)) - copy(*out, *in) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualServiceSpec. -func (in *VirtualServiceSpec) DeepCopy() *VirtualServiceSpec { - if in == nil { - return nil - } - out := new(VirtualServiceSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *WorkloadEntry) DeepCopyInto(out *WorkloadEntry) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Spec.DeepCopyInto(&out.Spec) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadEntry. -func (in *WorkloadEntry) DeepCopy() *WorkloadEntry { - if in == nil { - return nil - } - out := new(WorkloadEntry) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *WorkloadEntry) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *WorkloadEntryList) DeepCopyInto(out *WorkloadEntryList) { - *out = *in - out.TypeMeta = in.TypeMeta - out.ListMeta = in.ListMeta - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]WorkloadEntry, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadEntryList. -func (in *WorkloadEntryList) DeepCopy() *WorkloadEntryList { - if in == nil { - return nil - } - out := new(WorkloadEntryList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *WorkloadEntryList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *WorkloadEntrySpec) DeepCopyInto(out *WorkloadEntrySpec) { - *out = *in - if in.Ports != nil { - in, out := &in.Ports, &out.Ports - *out = make(map[string]uint32, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } - if in.Labels != nil { - in, out := &in.Labels, &out.Labels - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadEntrySpec. -func (in *WorkloadEntrySpec) DeepCopy() *WorkloadEntrySpec { - if in == nil { - return nil - } - out := new(WorkloadEntrySpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *WorkloadSelector) DeepCopyInto(out *WorkloadSelector) { - *out = *in - if in.Labels != nil { - in, out := &in.Labels, &out.Labels - *out = make(map[string]string, len(*in)) - for key, val := range *in { - (*out)[key] = val - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkloadSelector. -func (in *WorkloadSelector) DeepCopy() *WorkloadSelector { - if in == nil { - return nil - } - out := new(WorkloadSelector) - in.DeepCopyInto(out) - return out -} diff --git a/third_party/github.com/banzaicloud/istio-operator/.editorconfig b/third_party/github.com/banzaicloud/istio-operator/.editorconfig deleted file mode 100644 index 9ea0d10da..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/.editorconfig +++ /dev/null @@ -1,18 +0,0 @@ -root = true - -[*] -charset = utf-8 -end_of_line = lf -indent_size = 4 -indent_style = space -insert_final_newline = true -trim_trailing_whitespace = true - -[{*.go,*.mod}] -indent_style = tab - -[{Makefile,*.mk}] -indent_style = tab - -[{*.yaml,*.yml}] -indent_size = 2 diff --git a/third_party/github.com/banzaicloud/istio-operator/.gitignore b/third_party/github.com/banzaicloud/istio-operator/.gitignore deleted file mode 100644 index 69eed6437..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/.gitignore +++ /dev/null @@ -1,33 +0,0 @@ - -# Binaries for programs and plugins -*.exe -*.exe~ -*.dll -*.so -*.dylib -bin - -# Test binary, build with `go test -c` -*.test - -# Output of the go coverage tool, specifically when used with LiteIDE -*.out - -# Kubernetes Generated files - skip generated files, except for vendored files - -!vendor/**/zz_generated.* - -# editor and IDE paraphernalia -*.swp -*.swo -*~ - -.idea/* -!/.idea/go.imports.xml -/.licensei.cache -bin/* -cover.out - -/build/* -!/build/buf.* -!/build/fixup_structs diff --git a/third_party/github.com/banzaicloud/istio-operator/.licensei.toml b/third_party/github.com/banzaicloud/istio-operator/.licensei.toml deleted file mode 100644 index 218397e73..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/.licensei.toml +++ /dev/null @@ -1,51 +0,0 @@ -approved = ["mit", "apache-2.0", "bsd-3-clause", "bsd-2-clause", "mpl-2.0"] - -ignored = [ - "github.com/ghodss/yaml", - "github.com/gogo/protobuf", - "google.golang.org/protobuf", - "sigs.k8s.io/yaml", - "gopkg.in/fsnotify.v1", - - "github.com/davecgh/go-spew", # ISC license - "github.com/russross/blackfriday", # BSD-2 - "github.com/russross/blackfriday/v2", # BSD-2 - "github.com/xeipuuv/gojsonpointer", # Apache2 - "github.com/xeipuuv/gojsonreference", # Apache2 - "github.com/xeipuuv/gojsonschema", # Apache2 - "github.com/russross/blackfriday", # Simplifed BSD - "gomodules.xyz/jsonpatch/v2", # Apache2 - - # Unsupported VCS - "cloud.google.com/go", - "google.golang.org/api", -] - -[header] -ignorePaths = ["build", "vendor"] - -ignoreFiles = [ - "*.pb.go", - "*.gen.go", - "*.gogen.go", - "generated.go", - "zz_generated.deepcopy.go", - "*_test.go", -] - -template = """/* -Copyright :YEAR: Cisco Systems, Inc. and/or its affiliates. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -""" diff --git a/third_party/github.com/banzaicloud/istio-operator/CODEOWNERS b/third_party/github.com/banzaicloud/istio-operator/CODEOWNERS deleted file mode 100644 index 02f96cd86..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/CODEOWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# Each line is a file pattern followed by one or more owners. -# https://help.github.com/articles/about-codeowners/ - -# These owners will be the default owners for everything in -# the repo. Unless a later match takes precedence. -* @martonsereg @waynz0r @Laci21 diff --git a/third_party/github.com/banzaicloud/istio-operator/CONTRIBUTING.md b/third_party/github.com/banzaicloud/istio-operator/CONTRIBUTING.md deleted file mode 100644 index 88ef97c96..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/CONTRIBUTING.md +++ /dev/null @@ -1,18 +0,0 @@ -### Issues - -Please format your issues in such a way as to help others who might be facing similar challenges. -Give your issues meaningful titles, that offer context and helps us and the community to understand and quickly ramp up on it. - -We are grateful for any issues submitted. Questions, feature requests or ideas are welcomed. - -### Pull Requests - -Try to keep pull requests tidy, and be prepared for feedback. Everyone is welcomed to contribute to Istio-operator. - -#### Formatting Go Code - -To get your pull request merged, Golang files must be formatted using the `go fmt` tool. - -#### Linting - -Go code must pass [`lint`](https://github.com/golang/lint) checks. diff --git a/third_party/github.com/banzaicloud/istio-operator/LICENSE b/third_party/github.com/banzaicloud/istio-operator/LICENSE deleted file mode 100644 index f49a4e16e..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/LICENSE +++ /dev/null @@ -1,201 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - - APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - - Copyright [yyyy] [name of copyright owner] - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. \ No newline at end of file diff --git a/third_party/github.com/banzaicloud/istio-operator/README.md b/third_party/github.com/banzaicloud/istio-operator/README.md deleted file mode 100644 index f6f5086d9..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/README.md +++ /dev/null @@ -1,193 +0,0 @@ -# Istio operator - -Istio operator is a Kubernetes operator to deploy and manage [Istio](https://istio.io/) resources for a Kubernetes cluster. - -## Overview - -[Istio](https://istio.io/) is an open platform to connect, manage, and secure microservices and it is emerging as the `standard` for building service meshes on Kubernetes. - -The goal of the **Istio-operator** is to enable popular service mesh use cases (multi cluster topologies, multiple gateways support etc) by introducing easy to use higher level abstractions. - -## In this README - -- [Istio operator](#istio-operator) - - [Overview](#overview) - - [In this README](#in-this-readme) - - [Istio operator vs Calisti](#istio-operator-vs-calisti) - - [Getting started](#getting-started) - - [Prerequisites](#prerequisites) - - [Build and deploy](#build-and-deploy) - - [Issues, feature requests](#issues-feature-requests) - - [Contributing](#contributing) - - [Got stuck? Find help!](#got-stuck-find-help) - - [Community support](#community-support) - - [Engineering blog](#engineering-blog) - - [License](#license) - -## Istio operator vs [Calisti](https://calisti.app/) - -[Calisti](https://calisti.app/) is an enterprise-ready Istio platform for DevOps and SREs that automates lifecycle management and simplifies connectivity, security & observability for microservice-based applications. -The Cisco Istio operator is the core part of Calisti's Service Mesh Manager (SMM) component, which helps install, upgrade and manage Istio meshes. Still, SMM also provides many other features to secure, operate and observe Istio conveniently. - -The differences are presented in this table: - -| | Istio operator | Cisco Service Mesh Manager | -|:-------------------------:|:-----------------------:|:--------------------------:| -| Install Istio | :heavy_check_mark: | :heavy_check_mark: | -| Manage Istio | :heavy_check_mark: | :heavy_check_mark: | -| Upgrade Istio | :heavy_check_mark: | :heavy_check_mark: | -| Uninstall Istio | :heavy_check_mark: | :heavy_check_mark: | -| Multiple gateways support | :heavy_check_mark: | :heavy_check_mark: | -| Multi cluster support | needs some manual steps | fully automatic | -| Prometheus | | :heavy_check_mark: | -| Grafana | | :heavy_check_mark: | -| Jaeger | | :heavy_check_mark: | -| Cert manager | | :heavy_check_mark: | -| Dashboard | | :heavy_check_mark: | -| CLI | | :heavy_check_mark: | -| OIDC authentication | | :heavy_check_mark: | -| VM integration | | :heavy_check_mark: | -| Topology graph | | :heavy_check_mark: | -| Outlier detection | | :heavy_check_mark: | -| Service Level Objectives | | :heavy_check_mark: | -| Live access logs | | :heavy_check_mark: | -| mTLS management | | :heavy_check_mark: | -| Gateway management | | :heavy_check_mark: | -| Istio traffic management | | :heavy_check_mark: | -| Validations | | :heavy_check_mark: | -| Support | Community | Enterprise | - -For a complete list of SMM features, please check out the [SMM docs](https://smm-docs.eticloud.io/docs/). - -## Getting started - -### Prerequisites -- kubectl installed -- kubernetes cluster (version 1.23+) -- active kubecontext to the kubernetes cluster - -### Build and deploy -Download or check out the latest stable release. - -Run `make deploy` to deploy the operator's controller-manager on your kubernetes cluster. - -Check if the controller is running in the `istio-system` namespace: -``` -$ kubectl get pod -n istio-system - -NAME READY STATUS RESTARTS AGE -istio-operator-controller-manager-6f764787c-rbnht 2/2 Running 0 5m18s -``` - -Deploy the [Istio control plane sample](config/samples/servicemesh_v1alpha1_istiocontrolplane.yaml) to the `istio-system` namespace -``` -$ kubectl -n istio-system apply -f config/samples/servicemesh_v1alpha1_istiocontrolplane.yaml -istiocontrolplane.servicemesh.cisco.com/icp-v117x-sample created -``` - -Label the namespace, where you would like to enable sidecar injection for your pods. The label should consist of the name of the deployed IstioControlPlane and the namespace where it is deployed. -``` -$ kubectl label namespace demoapp istio.io/rev=icp-v117x-sample.istio-system -namespace/demoapp labeled -``` - -Deploy the [Istio ingress gateway sample](config/samples/servicemesh_v1alpha1_istiomeshgateway.yaml) to your desired namespace -``` -$ kubectl -n demoapp apply -f config/samples/servicemesh_v1alpha1_istiomeshgateway.yaml -istiomeshgateway.servicemesh.cisco.com/imgw-sample created -``` - -Deploy your application (or the [sample bookinfo app](https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml)). -``` -$ kubectl -n demoapp apply -f https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/platform/kube/bookinfo.yaml -service/details created -serviceaccount/bookinfo-details created -deployment.apps/details-v1 created -service/ratings created -serviceaccount/bookinfo-ratings created -deployment.apps/ratings-v1 created -service/reviews created -serviceaccount/bookinfo-reviews created -deployment.apps/reviews-v1 created -deployment.apps/reviews-v2 created -deployment.apps/reviews-v3 created -service/productpage created -serviceaccount/bookinfo-productpage created -deployment.apps/productpage-v1 created -``` - -Verify that all applications' pods are running and have the sidecar proxy injected. The READY column shows the number of containers for the pod: this should be 1/1 for the gateway, and at least 2/2 for the other pods (the original container of the pods + the sidecar container). -``` -$ kubectl get pod -n demoapp -NAME READY STATUS RESTARTS AGE -details-v1-79f774bdb9-8xqwj 2/2 Running 0 35s -imgw-sample-66555d5b84-kv62w 1/1 Running 0 7m21s -productpage-v1-6b746f74dc-cx6x6 2/2 Running 0 33s -ratings-v1-b6994bb9-g9vm2 2/2 Running 0 35s -reviews-v1-545db77b95-rdmsp 2/2 Running 0 34s -reviews-v2-7bf8c9648f-rzmvj 2/2 Running 0 34s -reviews-v3-84779c7bbc-t5rfq 2/2 Running 0 33s -``` - -Deploy the VirtualService and Gateway needed for your application. -**For the [demo bookinfo](https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml) application, you need to modify the Istio Gateway entry!** The `spec.selector.istio` field should be set from `ingressgateway` to `imgw-sample` so it will be applied to the sample IstioMeshGateway deployed before. The port needs to be set to the targetPort of the deployed IstioMeshGateway. -``` -curl https://raw.githubusercontent.com/istio/istio/master/samples/bookinfo/networking/bookinfo-gateway.yaml | sed 's/istio: ingressgateway # use istio default controller/istio: imgw-sample/g;s/number: 80/number: 9080/g' | kubectl apply -f - -``` -``` -$ kubectl -n demoapp apply -f bookinfo-gateway.yaml -gateway.networking.istio.io/bookinfo-gateway created -virtualservice.networking.istio.io/bookinfo created -``` - -To access your application, use the public IP address of the `imgw-sample` LoadBalancer service. -``` -$ IP=$(kubectl -n demoapp get svc imgw-sample -o jsonpath='{.status.loadBalancer.ingress[0].ip}') -$ curl -I $IP/productpage -HTTP/1.1 200 OK -content-type: text/html; charset=utf-8 -content-length: 4183 -server: istio-envoy -date: Mon, 02 May 2022 14:20:49 GMT -x-envoy-upstream-service-time: 739 -``` - -## Issues, feature requests - -Please note that the Istio operator is constantly under development, and new releases might introduce breaking changes. -We are striving to keep backward compatibility as much as possible while adding new features at a rapid pace. -Issues, new features or bugs are tracked on the projects [GitHub page](https://github.com/banzaicloud/istio-operator/issues) - please feel free to add yours! - -## Contributing - -If you find this project useful, here's how you can help: - -- Send a pull request with your new features and bug fixes -- Help new users with issues they may encounter -- Support the development of this project and star this repo! - -## Got stuck? Find help! - -### Community support - -If you encounter any problems not addressed in our documentation, [open an issue](https://github.com/banzaicloud/istio-operator/issues) or talk to us on the [Outshift Slack channel #istio-operator](https://eti.cisco.com/slack). - -### Engineering blog - -We occasionally write blog posts about [Istio](https://ciscotechblog.com/tags/istio/) itself and the [Istio operator](https://ciscotechblog.com/tags/istio-operator/). - -## License - -Copyright (c) 2021-2023 Cisco Systems, Inc. and/or its affiliates - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - -[http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0) - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. diff --git a/third_party/github.com/banzaicloud/istio-operator/api/go.mod b/third_party/github.com/banzaicloud/istio-operator/api/go.mod deleted file mode 100644 index 1df42a1d2..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/go.mod +++ /dev/null @@ -1,35 +0,0 @@ -module github.com/banzaicloud/istio-operator/api/v2 - -go 1.25 - -require ( - github.com/golang/protobuf v1.5.4 - google.golang.org/genproto/googleapis/api v0.0.0-20251029180050-ab9386a59fda - google.golang.org/protobuf v1.36.10 - istio.io/api v1.27.3 - k8s.io/api v0.34.1 - k8s.io/apimachinery v0.34.1 - sigs.k8s.io/controller-runtime v0.22.3 -) - -require ( - github.com/fxamacker/cbor/v2 v2.9.0 // indirect - github.com/go-logr/logr v1.4.3 // indirect - github.com/gogo/protobuf v1.3.2 // indirect - github.com/json-iterator/go v1.1.12 // indirect - github.com/kr/text v0.2.0 // indirect - github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect - github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect - github.com/spf13/pflag v1.0.10 // indirect - github.com/stretchr/testify v1.11.1 // indirect - github.com/x448/float16 v0.8.4 // indirect - go.yaml.in/yaml/v2 v2.4.3 // indirect - golang.org/x/net v0.46.0 // indirect - golang.org/x/text v0.30.0 // indirect - gopkg.in/inf.v0 v0.9.1 // indirect - k8s.io/klog/v2 v2.130.1 // indirect - k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect - sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect - sigs.k8s.io/randfill v1.0.0 // indirect - sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect -) diff --git a/third_party/github.com/banzaicloud/istio-operator/api/go.sum b/third_party/github.com/banzaicloud/istio-operator/api/go.sum deleted file mode 100644 index 8adf4fdb9..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/go.sum +++ /dev/null @@ -1,117 +0,0 @@ -github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= -github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM= -github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ= -github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI= -github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= -github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI= -github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8= -github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= -github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= -github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek= -github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= -github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8= -github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU= -github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo= -github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144= -github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= -github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= -github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= -github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= -github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= -github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= -github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= -github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= -github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= -github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8= -github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= -github.com/onsi/ginkgo/v2 v2.22.0 h1:Yed107/8DjTr0lKCNt7Dn8yQ6ybuDRQoMGrNFKzMfHg= -github.com/onsi/ginkgo/v2 v2.22.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo= -github.com/onsi/gomega v1.36.1 h1:bJDPBO7ibjxcbHMgSCoo4Yj18UWbKDlLwX1x9sybDcw= -github.com/onsi/gomega v1.36.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= -github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= -github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= -github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk= -github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI= -github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U= -github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= -github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= -github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= -github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0= -go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= -golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.46.0 h1:giFlY12I07fugqwPuWJi68oOnpfqFnJIJzaIIm2JVV4= -golang.org/x/net v0.46.0/go.mod h1:Q9BGdFy1y4nkUwiLvT5qtyhAnEHgnQ/zd8PfU6nc210= -golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.37.0 h1:fdNQudmxPjkdUTPnLn5mdQv7Zwvbvpaxqs831goi9kQ= -golang.org/x/sys v0.37.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.30.0 h1:yznKA/E9zq54KzlzBEAWn1NXSQ8DIp/NYMy88xJjl4k= -golang.org/x/text v0.30.0/go.mod h1:yDdHFIX9t+tORqspjENWgzaCVXgk0yYnYuSZ8UzzBVM= -golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= -golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= -golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE= -golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.37.0 h1:DVSRzp7FwePZW356yEAChSdNcQo6Nsp+fex1SUW09lE= -golang.org/x/tools v0.37.0/go.mod h1:MBN5QPQtLMHVdvsbtarmTNukZDdgwdwlO5qGacAzF0w= -golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -google.golang.org/genproto/googleapis/api v0.0.0-20251029180050-ab9386a59fda h1:+2XxjfsAu6vqFxwGBRcHiMaDCuZiqXGDUDVWVtrFAnE= -google.golang.org/genproto/googleapis/api v0.0.0-20251029180050-ab9386a59fda/go.mod h1:fDMmzKV90WSg1NbozdqrE64fkuTv6mlq2zxo9ad+3yo= -google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE= -google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= -gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= -gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= -gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= -gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= -gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -istio.io/api v1.27.3 h1:Ek00/+kB0wepYuevSfE0Edh2o5ndEtekmo/Nkx5LIYA= -istio.io/api v1.27.3/go.mod h1:DTVGH6CLXj5W8FF9JUD3Tis78iRgT1WeuAnxfTz21Wg= -k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM= -k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk= -k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4= -k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw= -k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= -k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= -k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck= -k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.22.3 h1:I7mfqz/a/WdmDCEnXmSPm8/b/yRTy6JsKKENTijTq8Y= -sigs.k8s.io/controller-runtime v0.22.3/go.mod h1:+QX1XUpTXN4mLoblf4tqr5CQcyHPAki2HLXqQMY6vh8= -sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 h1:IpInykpT6ceI+QxKBbEflcR5EXP7sU1kvOlxwZh5txg= -sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg= -sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= -sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= -sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco= -sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= -sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= -sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4= diff --git a/third_party/github.com/banzaicloud/istio-operator/api/options/options.pb.go b/third_party/github.com/banzaicloud/istio-operator/api/options/options.pb.go deleted file mode 100644 index 5dc1868c4..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/options/options.pb.go +++ /dev/null @@ -1,109 +0,0 @@ -// Copyright 2021 Cisco Systems, Inc. and/or its affiliates. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.28.0 -// protoc (unknown) -// source: api/options/options.proto - -package options - -import ( - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - descriptorpb "google.golang.org/protobuf/types/descriptorpb" - reflect "reflect" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -var file_api_options_options_proto_extTypes = []protoimpl.ExtensionInfo{ - { - ExtendedType: (*descriptorpb.FieldOptions)(nil), - ExtensionType: (*string)(nil), - Field: 800815, - Name: "istio_operator.v2.api.options.intorstring", - Tag: "bytes,800815,opt,name=intorstring", - Filename: "api/options/options.proto", - }, -} - -// Extension fields to descriptor.FieldOptions. -var ( - // optional string intorstring = 800815; - E_Intorstring = &file_api_options_options_proto_extTypes[0] -) - -var File_api_options_options_proto protoreflect.FileDescriptor - -var file_api_options_options_proto_rawDesc = []byte{ - 0x0a, 0x19, 0x61, 0x70, 0x69, 0x2f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x6f, 0x70, - 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1d, 0x69, 0x73, 0x74, - 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, - 0x70, 0x69, 0x2e, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x1a, 0x20, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x65, 0x73, 0x63, - 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x3a, 0x44, 0x0a, 0x0b, - 0x69, 0x6e, 0x74, 0x6f, 0x72, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x12, 0x1d, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x46, 0x69, - 0x65, 0x6c, 0x64, 0x4f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0xaf, 0xf0, 0x30, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0b, 0x69, 0x6e, 0x74, 0x6f, 0x72, 0x73, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x88, - 0x01, 0x01, 0x42, 0x36, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, - 0x2f, 0x62, 0x61, 0x6e, 0x7a, 0x61, 0x69, 0x63, 0x6c, 0x6f, 0x75, 0x64, 0x2f, 0x69, 0x73, 0x74, - 0x69, 0x6f, 0x2d, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2f, 0x61, 0x70, 0x69, 0x2f, - 0x76, 0x32, 0x2f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, -} - -var file_api_options_options_proto_goTypes = []interface{}{ - (*descriptorpb.FieldOptions)(nil), // 0: google.protobuf.FieldOptions -} -var file_api_options_options_proto_depIdxs = []int32{ - 0, // 0: istio_operator.v2.api.options.intorstring:extendee -> google.protobuf.FieldOptions - 1, // [1:1] is the sub-list for method output_type - 1, // [1:1] is the sub-list for method input_type - 1, // [1:1] is the sub-list for extension type_name - 0, // [0:1] is the sub-list for extension extendee - 0, // [0:0] is the sub-list for field type_name -} - -func init() { file_api_options_options_proto_init() } -func file_api_options_options_proto_init() { - if File_api_options_options_proto != nil { - return - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_api_options_options_proto_rawDesc, - NumEnums: 0, - NumMessages: 0, - NumExtensions: 1, - NumServices: 0, - }, - GoTypes: file_api_options_options_proto_goTypes, - DependencyIndexes: file_api_options_options_proto_depIdxs, - ExtensionInfos: file_api_options_options_proto_extTypes, - }.Build() - File_api_options_options_proto = out.File - file_api_options_options_proto_rawDesc = nil - file_api_options_options_proto_goTypes = nil - file_api_options_options_proto_depIdxs = nil -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/options/options.pb.html b/third_party/github.com/banzaicloud/istio-operator/api/options/options.pb.html deleted file mode 100644 index 31dee11e7..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/options/options.pb.html +++ /dev/null @@ -1,6 +0,0 @@ ---- -title: istio_operator.v2.api.options -layout: protoc-gen-docs -generator: protoc-gen-docs -number_of_entries: 0 ---- diff --git a/third_party/github.com/banzaicloud/istio-operator/api/options/options.proto b/third_party/github.com/banzaicloud/istio-operator/api/options/options.proto deleted file mode 100644 index 4e19ce8f9..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/options/options.proto +++ /dev/null @@ -1,29 +0,0 @@ -// Copyright 2021 Cisco Systems, Inc. and/or its affiliates. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -syntax = "proto3"; - -import "google/protobuf/descriptor.proto"; - -package istio_operator.v2.api.options; - -option go_package = "github.com/banzaicloud/istio-operator/api/v2/options"; - -// mark whether the field is IntOrString type -// available values: -// "true": single field -// "map": map of fields -extend google.protobuf.FieldOptions { - optional string intorstring = 800815; -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/options/options_deepcopy.gen.go b/third_party/github.com/banzaicloud/istio-operator/api/options/options_deepcopy.gen.go deleted file mode 100644 index a0856ec46..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/options/options_deepcopy.gen.go +++ /dev/null @@ -1,2 +0,0 @@ -// Code generated by protoc-gen-deepcopy. DO NOT EDIT. -package options diff --git a/third_party/github.com/banzaicloud/istio-operator/api/options/options_json.gen.go b/third_party/github.com/banzaicloud/istio-operator/api/options/options_json.gen.go deleted file mode 100644 index 477aa4958..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/options/options_json.gen.go +++ /dev/null @@ -1,11 +0,0 @@ -// Code generated by protoc-gen-jsonshim. DO NOT EDIT. -package options - -import ( - protojson "google.golang.org/protobuf/encoding/protojson" -) - -var ( - OptionsMarshaler = protojson.MarshalOptions{} - OptionsUnmarshaler = protojson.UnmarshalOptions{DiscardUnknown: true} -) diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.gen.json b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.gen.json deleted file mode 100644 index a40687984..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.gen.json +++ /dev/null @@ -1,2569 +0,0 @@ -{ - "openapi": "3.0.0", - "info": { - "title": "", - "version": "v1alpha1" - }, - "components": { - "schemas": { - "istio_operator.v2.api.v1alpha1.BaseKubernetesContainerConfiguration": { - "type": "object", - "properties": { - "env": { - "description": "If present will be appended to the environment variables of the container", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EnvVar" - } - }, - "resources": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ResourceRequirements" - }, - "image": { - "description": "Standard Kubernetes container image configuration", - "type": "string" - }, - "volumeMounts": { - "description": "Pod volumes to mount into the container's filesystem. Cannot be updated.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeMount" - } - }, - "securityContext": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecurityContext" - } - } - }, - "istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig": { - "type": "object", - "properties": { - "env": { - "description": "If present will be appended to the environment variables of the container", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EnvVar" - } - }, - "resources": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ResourceRequirements" - }, - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "image": { - "description": "Standard Kubernetes container image configuration", - "type": "string" - }, - "volumeMounts": { - "description": "Pod volumes to mount into the container's filesystem. Cannot be updated.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeMount" - } - }, - "livenessProbe": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Probe" - }, - "readinessProbe": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Probe" - }, - "imagePullPolicy": { - "description": "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.", - "type": "string" - }, - "securityContext": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecurityContext" - }, - "volumes": { - "description": "List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Volume" - } - }, - "nodeSelector": { - "description": "Standard Kubernetes node selector configuration", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "imagePullSecrets": { - "description": "ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - }, - "affinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Affinity" - }, - "tolerations": { - "description": "If specified, the pod's tolerations.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Toleration" - } - }, - "priorityClassName": { - "description": "If specified, indicates the pod's priority. \"system-node-critical\" and \"system-cluster-critical\" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.", - "type": "string" - }, - "topologySpreadConstraints": { - "description": "Used to control how Pods are spread across a cluster among failure-domains. This can help to achieve high availability as well as efficient resource utilization. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.TopologySpreadConstraint" - } - }, - "replicas": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Replicas" - }, - "podMetadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "podDisruptionBudget": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.PodDisruptionBudget" - }, - "deploymentStrategy": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.DeploymentStrategy" - }, - "podSecurityContext": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodSecurityContext" - } - } - }, - "istio_operator.v2.api.v1alpha1.ConfigState": { - "type": "string", - "enum": [ - "Unspecified", - "Created", - "ReconcileFailed", - "Reconciling", - "Available", - "Unmanaged" - ] - }, - "istio_operator.v2.api.v1alpha1.ContainerImageConfiguration": { - "type": "object", - "properties": { - "imagePullPolicy": { - "description": "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.", - "type": "string" - }, - "imagePullSecrets": { - "description": "ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - }, - "hub": { - "description": "Default hub for container images.", - "type": "string" - }, - "tag": { - "description": "Default tag for container images.", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.DeploymentStrategy": { - "type": "object", - "properties": { - "type": { - "description": "Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate.", - "type": "string" - }, - "rollingUpdate": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.DeploymentStrategy.RollingUpdateDeployment" - } - } - }, - "istio_operator.v2.api.v1alpha1.DeploymentStrategy.RollingUpdateDeployment": { - "type": "object", - "properties": { - "maxUnavailable": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "maxSurge": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - } - } - }, - "istio_operator.v2.api.v1alpha1.HTTPGetAction": { - "description": "HTTPGetAction describes an action based on HTTP Get requests.", - "type": "object", - "properties": { - "path": { - "description": "Path to access on the HTTP server.", - "type": "string" - }, - "port": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "host": { - "description": "Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.", - "type": "string" - }, - "scheme": { - "description": "Scheme to use for connecting to the host. Defaults to HTTP.", - "type": "string" - }, - "httpHeaders": { - "description": "Custom headers to set in the request. HTTP allows repeated headers.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.HTTPHeader" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.IntOrString": { - "description": "IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number. GOTYPE: *IntOrString", - "oneOf": [ - { - "type": "string" - }, - { - "type": "integer" - } - ] - }, - "istio_operator.v2.api.v1alpha1.K8sObjectMeta": { - "description": "Generic k8s resource metadata", - "type": "object", - "properties": { - "labels": { - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "annotations": { - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch": { - "type": "object", - "properties": { - "groupVersionKind": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.GroupVersionKind" - }, - "objectKey": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.NamespacedName" - }, - "patches": { - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Patch" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.GroupVersionKind": { - "type": "object", - "properties": { - "kind": { - "type": "string" - }, - "group": { - "type": "string" - }, - "version": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Patch": { - "type": "object", - "properties": { - "path": { - "type": "string" - }, - "type": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Type" - }, - "value": { - "type": "string" - }, - "parseValue": { - "type": "boolean" - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Type": { - "type": "string", - "enum": [ - "unspecified", - "replace", - "remove" - ] - }, - "istio_operator.v2.api.v1alpha1.NamespacedName": { - "type": "object", - "properties": { - "name": { - "description": "Name of the referenced Kubernetes resource", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced Kubernetes resource", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.PodDisruptionBudget": { - "description": "PodDisruptionBudget is a description of a PodDisruptionBudget", - "type": "object", - "properties": { - "maxUnavailable": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "minAvailable": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - } - } - }, - "istio_operator.v2.api.v1alpha1.Probe": { - "description": "Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.", - "type": "object", - "properties": { - "timeoutSeconds": { - "description": "Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes", - "type": "integer", - "format": "int32" - }, - "terminationGracePeriodSeconds": { - "description": "Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.", - "type": "integer", - "format": "int64" - }, - "initialDelaySeconds": { - "description": "Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes", - "type": "integer", - "format": "int32" - }, - "periodSeconds": { - "description": "How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.", - "type": "integer", - "format": "int32" - }, - "successThreshold": { - "description": "Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.", - "type": "integer", - "format": "int32" - }, - "failureThreshold": { - "description": "Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.", - "type": "integer", - "format": "int32" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "exec" - ], - "properties": { - "exec": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ExecAction" - } - } - }, - { - "required": [ - "httpGet" - ], - "properties": { - "httpGet": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.HTTPGetAction" - } - } - }, - { - "required": [ - "tcpSocket" - ], - "properties": { - "tcpSocket": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.TCPSocketAction" - } - } - }, - { - "required": [ - "grpc" - ], - "properties": { - "grpc": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GRPCAction" - } - } - } - ] - } - }, - { - "required": [ - "exec" - ], - "properties": { - "exec": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ExecAction" - } - } - }, - { - "required": [ - "httpGet" - ], - "properties": { - "httpGet": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.HTTPGetAction" - } - } - }, - { - "required": [ - "tcpSocket" - ], - "properties": { - "tcpSocket": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.TCPSocketAction" - } - } - }, - { - "required": [ - "grpc" - ], - "properties": { - "grpc": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GRPCAction" - } - } - } - ] - }, - "istio_operator.v2.api.v1alpha1.Quantity": { - "description": "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and Int64() accessors. GOTYPE: *Quantity", - "oneOf": [ - { - "type": "string" - }, - { - "type": "integer" - } - ], - "pattern": "^(\\\\+|-)?(([0-9]+(\\\\.[0-9]*)?)|(\\\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\\\+|-)?(([0-9]+(\\\\.[0-9]*)?)|(\\\\.[0-9]+))))?$" - }, - "istio_operator.v2.api.v1alpha1.Replicas": { - "description": "Replicas contains pod replica configuration", - "type": "object", - "properties": { - "count": { - "description": "Standard Kubernetes replica count configuration", - "type": "integer", - "nullable": true - }, - "max": { - "description": "max is the upper limit for the number of replicas to which the autoscaler can scale up. min and max both need to be set the turn on autoscaling. It cannot be less than min.", - "type": "integer", - "nullable": true - }, - "min": { - "description": "min is the lower limit for the number of replicas to which the autoscaler can scale down. min and max both need to be set the turn on autoscaling.", - "type": "integer", - "nullable": true - }, - "targetCPUUtilizationPercentage": { - "description": "target average CPU utilization (represented as a percentage of requested CPU) over all the pods; default 80% will be used if not specified.", - "type": "integer", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.ResourceRequirements": { - "description": "ResourceRequirements describes the compute resource requirements.", - "type": "object", - "properties": { - "limits": { - "description": "Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Quantity" - } - }, - "requests": { - "description": "Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Quantity" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.Service": { - "description": "Service describes the attributes that a user creates on a service.", - "type": "object", - "properties": { - "type": { - "description": "type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. \"ExternalName\" maps to the specified externalName. \"ClusterIP\" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object. If clusterIP is \"None\", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a stable IP. \"NodePort\" builds on ClusterIP and allocates a port on every node which routes to the clusterIP. \"LoadBalancer\" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types", - "type": "string" - }, - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "ports": { - "description": "The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ServicePort" - } - }, - "selector": { - "description": "Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "clusterIP": { - "description": "clusterIP is the IP address of the service and is usually assigned randomly by the master. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise, creation of the service will fail. This field can not be changed through updates. Valid values are \"None\", empty string (\"\"), or a valid IP address. \"None\" can be specified for headless services when proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "string" - }, - "externalIPs": { - "description": "externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system.", - "type": "array", - "items": { - "type": "string" - } - }, - "sessionAffinity": { - "description": "Supports \"ClientIP\" and \"None\". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "string" - }, - "loadBalancerIP": { - "description": "Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.", - "type": "string" - }, - "loadBalancerSourceRanges": { - "description": "If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature.\" More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/", - "type": "array", - "items": { - "type": "string" - } - }, - "externalName": { - "description": "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) and requires Type to be ExternalName.", - "type": "string" - }, - "externalTrafficPolicy": { - "description": "externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. \"Local\" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. \"Cluster\" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading.", - "type": "string" - }, - "healthCheckNodePort": { - "description": "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local.", - "type": "integer", - "format": "int32" - }, - "publishNotReadyAddresses": { - "description": "publishNotReadyAddresses, when set to true, indicates that DNS implementations must publish the notReadyAddresses of subsets for the Endpoints associated with the Service. The default value is false. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate SRV records for its Pods without respect to their readiness for purpose of peer discovery.", - "type": "boolean", - "nullable": true - }, - "sessionAffinityConfig": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SessionAffinityConfig" - }, - "ipFamily": { - "description": "ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is available in the cluster. If no IP family is requested, the cluster's primary IP family will be used. Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which allocate external load-balancers should use the same IP family. Endpoints for this Service will be of this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment.", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.ServicePort": { - "description": "ServicePort contains information on service's port.", - "type": "object", - "properties": { - "name": { - "description": "The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. if only one ServicePort is defined on this service.", - "type": "string" - }, - "protocol": { - "description": "The IP protocol for this port. Supports \"TCP\", \"UDP\", and \"SCTP\". Default is TCP.", - "type": "string" - }, - "port": { - "description": "The port that will be exposed by this service.", - "type": "integer", - "format": "int32" - }, - "targetPort": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "nodePort": { - "description": "The port on each node on which this service is exposed when type=NodePort or LoadBalancer. Usually assigned by the system. If specified, it will be allocated to the service if unused or else creation of the service will fail. Default is to auto-allocate a port if the ServiceType of this Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport", - "type": "integer", - "format": "int32" - } - } - }, - "istio_operator.v2.api.v1alpha1.TCPSocketAction": { - "description": "TCPSocketAction describes an action based on opening a socket", - "type": "object", - "properties": { - "port": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "host": { - "description": "Optional: Host name to connect to, defaults to the pod IP.", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.UnprotectedService": { - "description": "Service describes the attributes that a user creates on a service.", - "type": "object", - "properties": { - "type": { - "description": "type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. \"ExternalName\" maps to the specified externalName. \"ClusterIP\" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object. If clusterIP is \"None\", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a stable IP. \"NodePort\" builds on ClusterIP and allocates a port on every node which routes to the clusterIP. \"LoadBalancer\" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types", - "type": "string" - }, - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "ports": { - "description": "The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ServicePort" - } - }, - "selector": { - "description": "Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "clusterIP": { - "description": "clusterIP is the IP address of the service and is usually assigned randomly by the master. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise, creation of the service will fail. This field can not be changed through updates. Valid values are \"None\", empty string (\"\"), or a valid IP address. \"None\" can be specified for headless services when proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "string" - }, - "externalIPs": { - "description": "externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system.", - "type": "array", - "items": { - "type": "string" - } - }, - "sessionAffinity": { - "description": "Supports \"ClientIP\" and \"None\". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "string" - }, - "loadBalancerIP": { - "description": "Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.", - "type": "string" - }, - "loadBalancerSourceRanges": { - "description": "If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature.\" More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/", - "type": "array", - "items": { - "type": "string" - } - }, - "externalName": { - "description": "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) and requires Type to be ExternalName.", - "type": "string" - }, - "externalTrafficPolicy": { - "description": "externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. \"Local\" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. \"Cluster\" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading.", - "type": "string" - }, - "healthCheckNodePort": { - "description": "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local.", - "type": "integer", - "format": "int32" - }, - "publishNotReadyAddresses": { - "description": "publishNotReadyAddresses, when set to true, indicates that DNS implementations must publish the notReadyAddresses of subsets for the Endpoints associated with the Service. The default value is false. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate SRV records for its Pods without respect to their readiness for purpose of peer discovery.", - "type": "boolean", - "nullable": true - }, - "sessionAffinityConfig": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SessionAffinityConfig" - }, - "ipFamily": { - "description": "ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is available in the cluster. If no IP family is requested, the cluster's primary IP family will be used. Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which allocate external load-balancers should use the same IP family. Endpoints for this Service will be of this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.AWSElasticBlockStoreVolumeSource": { - "description": "Represents a Persistent Disk resource in AWS. An AWS EBS disk must exist before mounting to a container. The disk must also be in the same AWS zone as the kubelet. An AWS EBS disk can only be mounted as read/write once. AWS EBS volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "volumeID": { - "description": "volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore", - "type": "string" - }, - "fsType": { - "description": "fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "partition": { - "description": "partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).", - "type": "integer", - "format": "int32" - }, - "readOnly": { - "description": "readOnly value true will force the readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.Affinity": { - "description": "Affinity is a group of affinity scheduling rules.", - "type": "object", - "properties": { - "nodeAffinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeAffinity" - }, - "podAffinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinity" - }, - "podAntiAffinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAntiAffinity" - } - } - }, - "k8s.io.api.core.v1.AzureDiskVolumeSource": { - "description": "AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.", - "type": "object", - "properties": { - "kind": { - "description": "kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared", - "type": "string" - }, - "fsType": { - "description": "fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "readOnly": { - "description": "readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "diskName": { - "description": "diskName is the Name of the data disk in the blob storage", - "type": "string" - }, - "diskURI": { - "description": "diskURI is the URI of data disk in the blob storage", - "type": "string" - }, - "cachingMode": { - "description": "cachingMode is the Host Caching mode: None, Read Only, Read Write.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.AzureFileVolumeSource": { - "description": "AzureFile represents an Azure File Service mount on the host and bind mount to the pod.", - "type": "object", - "properties": { - "readOnly": { - "description": "readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "secretName": { - "description": "secretName is the name of secret that contains Azure Storage Account Name and Key", - "type": "string" - }, - "shareName": { - "description": "shareName is the azure share Name", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.CSIVolumeSource": { - "description": "Represents a source location of a volume to mount, managed by an external CSI driver", - "type": "object", - "properties": { - "fsType": { - "description": "fsType to mount. Ex. \"ext4\", \"xfs\", \"ntfs\". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.", - "type": "string" - }, - "readOnly": { - "description": "readOnly specifies a read-only configuration for the volume. Defaults to false (read/write).", - "type": "boolean" - }, - "driver": { - "description": "driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.", - "type": "string" - }, - "volumeAttributes": { - "description": "volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "nodePublishSecretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.Capabilities": { - "description": "Adds and removes POSIX capabilities from running containers.", - "type": "object", - "properties": { - "add": { - "description": "Added capabilities", - "type": "array", - "items": { - "type": "string" - } - }, - "drop": { - "description": "Removed capabilities", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.CephFSVolumeSource": { - "description": "Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /", - "type": "string" - }, - "readOnly": { - "description": "readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "boolean" - }, - "monitors": { - "description": "monitors is Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "array", - "items": { - "type": "string" - } - }, - "user": { - "description": "user is optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "string" - }, - "secretFile": { - "description": "secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "string" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.CinderVolumeSource": { - "description": "Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "volumeID": { - "description": "volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md", - "type": "string" - }, - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md", - "type": "string" - }, - "readOnly": { - "description": "readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.ClientIPConfig": { - "description": "ClientIPConfig represents the configurations of Client IP based session affinity.", - "type": "object", - "properties": { - "timeoutSeconds": { - "description": "timeoutSeconds specifies the seconds of ClientIP type session sticky time. The value must be \u003e0 \u0026\u0026 \u003c=86400(for 1 day) if ServiceAffinity == \"ClientIP\". Default value is 10800(for 3 hours).", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.ConfigMapKeySelector": { - "description": "Selects a key from a ConfigMap.", - "type": "object", - "properties": { - "key": { - "description": "The key to select.", - "type": "string" - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "Specify whether the ConfigMap or its key must be defined", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.ConfigMapProjection": { - "description": "Adapts a ConfigMap into a projected volume. The contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.", - "type": "object", - "properties": { - "items": { - "description": "items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "optional specify whether the ConfigMap or its keys must be defined", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.ConfigMapVolumeSource": { - "description": "Adapts a ConfigMap into a volume. The contents of the target ConfigMap's Data field will be presented in a volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. ConfigMap volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "items": { - "description": "items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "optional specify whether the ConfigMap or its keys must be defined", - "type": "boolean" - }, - "defaultMode": { - "description": "defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.DownwardAPIProjection": { - "description": "Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.", - "type": "object", - "properties": { - "items": { - "description": "Items is a list of DownwardAPIVolume file", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIVolumeFile" - } - } - } - }, - "k8s.io.api.core.v1.DownwardAPIVolumeFile": { - "description": "DownwardAPIVolumeFile represents information to create the file containing the pod field", - "type": "object", - "properties": { - "path": { - "description": "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'", - "type": "string" - }, - "fieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ObjectFieldSelector" - }, - "resourceFieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ResourceFieldSelector" - }, - "mode": { - "description": "Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.DownwardAPIVolumeSource": { - "description": "DownwardAPIVolumeSource represents a volume containing downward API info. Downward API volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "items": { - "description": "Items is a list of downward API volume file", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIVolumeFile" - } - }, - "defaultMode": { - "description": "Optional: mode bits to use on created files by default. Must be a Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.EmptyDirVolumeSource": { - "description": "Represents an empty directory for a pod. Empty directory volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "medium": { - "description": "medium represents what type of storage medium should back this directory. The default is \"\" which means to use the node's default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir", - "type": "string" - }, - "sizeLimit": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - } - }, - "k8s.io.api.core.v1.EnvVar": { - "description": "EnvVar represents an environment variable present in a Container.", - "type": "object", - "properties": { - "name": { - "description": "Name of the environment variable. Must be a C_IDENTIFIER.", - "type": "string" - }, - "value": { - "description": "Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to \"\".", - "type": "string" - }, - "valueFrom": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EnvVarSource" - } - } - }, - "k8s.io.api.core.v1.EnvVarSource": { - "description": "EnvVarSource represents a source for the value of an EnvVar.", - "type": "object", - "properties": { - "fieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ObjectFieldSelector" - }, - "resourceFieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ResourceFieldSelector" - }, - "configMapKeyRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ConfigMapKeySelector" - }, - "secretKeyRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecretKeySelector" - } - } - }, - "k8s.io.api.core.v1.EphemeralVolumeSource": { - "description": "Represents an ephemeral volume that is handled by a normal storage driver.", - "type": "object", - "properties": { - "volumeClaimTemplate": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PersistentVolumeClaimTemplate" - } - } - }, - "k8s.io.api.core.v1.ExecAction": { - "description": "ExecAction describes a \"run in container\" action.", - "type": "object", - "properties": { - "command": { - "description": "Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.FCVolumeSource": { - "description": "Represents a Fibre Channel volume. Fibre Channel volumes can only be mounted as read/write once. Fibre Channel volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "readOnly": { - "description": "readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "targetWWNs": { - "description": "targetWWNs is Optional: FC target worldwide names (WWNs)", - "type": "array", - "items": { - "type": "string" - } - }, - "lun": { - "description": "lun is Optional: FC target lun number", - "type": "integer", - "format": "int32" - }, - "wwids": { - "description": "wwids Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.FlexVolumeSource": { - "description": "FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.", - "type": "string" - }, - "readOnly": { - "description": "readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "driver": { - "description": "driver is the name of the driver to use for this volume.", - "type": "string" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "options": { - "description": "options is Optional: this field holds extra command options if any.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.FlockerVolumeSource": { - "description": "Represents a Flocker volume mounted by the Flocker agent. One and only one of datasetName and datasetUUID should be set. Flocker volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "datasetName": { - "description": "datasetName is Name of the dataset stored as metadata -\u003e name on the dataset for Flocker should be considered as deprecated", - "type": "string" - }, - "datasetUUID": { - "description": "datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GCEPersistentDiskVolumeSource": { - "description": "Represents a Persistent Disk resource in Google Compute Engine. A GCE PD must exist before mounting to a container. The disk must also be in the same GCE project and zone as the kubelet. A GCE PD can only be mounted as read/write once or read-only many times. GCE PDs support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "partition": { - "description": "partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk", - "type": "integer", - "format": "int32" - }, - "readOnly": { - "description": "readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk", - "type": "boolean" - }, - "pdName": { - "description": "pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GRPCAction": { - "type": "object", - "properties": { - "port": { - "description": "Port number of the gRPC service. Number must be in the range 1 to 65535.", - "type": "integer", - "format": "int32" - }, - "service": { - "description": "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GitRepoVolumeSource": { - "description": "Represents a volume that is populated with the contents of a git repository. Git repo volumes do not support ownership management. Git repo volumes support SELinux relabeling. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.", - "type": "object", - "properties": { - "repository": { - "description": "repository is the URL", - "type": "string" - }, - "revision": { - "description": "revision is the commit hash for the specified revision.", - "type": "string" - }, - "directory": { - "description": "directory is the target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GlusterfsVolumeSource": { - "description": "Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod", - "type": "boolean" - }, - "endpoints": { - "description": "endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.HTTPHeader": { - "description": "HTTPHeader describes a custom header to be used in HTTP probes", - "type": "object", - "properties": { - "name": { - "description": "The header field name", - "type": "string" - }, - "value": { - "description": "The header field value", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.HostPathVolumeSource": { - "description": "Represents a host path mapped into a pod. Host path volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath", - "type": "string" - }, - "type": { - "description": "type for HostPath Volume Defaults to \"\" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ISCSIVolumeSource": { - "description": "Represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "lun": { - "description": "lun represents iSCSI Target Lun number.", - "type": "integer", - "format": "int32" - }, - "targetPortal": { - "description": "targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).", - "type": "string" - }, - "iqn": { - "description": "iqn is the target iSCSI Qualified Name.", - "type": "string" - }, - "iscsiInterface": { - "description": "iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).", - "type": "string" - }, - "portals": { - "description": "portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).", - "type": "array", - "items": { - "type": "string" - } - }, - "chapAuthDiscovery": { - "description": "chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication", - "type": "boolean" - }, - "chapAuthSession": { - "description": "chapAuthSession defines whether support iSCSI Session CHAP authentication", - "type": "boolean" - }, - "initiatorName": { - "description": "initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface \u003ctarget portal\u003e:\u003cvolume name\u003e will be created for the connection.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.KeyToPath": { - "description": "Maps a string key to a path within a volume.", - "type": "object", - "properties": { - "path": { - "description": "path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.", - "type": "string" - }, - "key": { - "description": "key is the key to project.", - "type": "string" - }, - "mode": { - "description": "mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.LocalObjectReference": { - "description": "LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.", - "type": "object", - "properties": { - "name": { - "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.NFSVolumeSource": { - "description": "Represents an NFS mount that lasts the lifetime of a pod. NFS volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", - "type": "boolean" - }, - "server": { - "description": "server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.NodeAffinity": { - "description": "Node affinity is a group of node affinity scheduling rules.", - "type": "object", - "properties": { - "requiredDuringSchedulingIgnoredDuringExecution": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelector" - }, - "preferredDuringSchedulingIgnoredDuringExecution": { - "description": "The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PreferredSchedulingTerm" - } - } - } - }, - "k8s.io.api.core.v1.NodeSelector": { - "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", - "type": "object", - "properties": { - "nodeSelectorTerms": { - "description": "Required. A list of node selector terms. The terms are ORed.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorTerm" - } - } - } - }, - "k8s.io.api.core.v1.NodeSelectorRequirement": { - "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", - "type": "object", - "properties": { - "key": { - "description": "The label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", - "type": "string" - }, - "values": { - "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.NodeSelectorTerm": { - "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "A list of node selector requirements by node's labels.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorRequirement" - } - }, - "matchFields": { - "description": "A list of node selector requirements by node's fields.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorRequirement" - } - } - } - }, - "k8s.io.api.core.v1.ObjectFieldSelector": { - "description": "ObjectFieldSelector selects an APIVersioned field of an object.", - "type": "object", - "properties": { - "apiVersion": { - "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".", - "type": "string" - }, - "fieldPath": { - "description": "Path of the field to select in the specified API version.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PersistentVolumeClaimSpec": { - "description": "PersistentVolumeClaimSpec describes the common attributes of storage devices and allows a Source for provider-specific attributes", - "type": "object", - "properties": { - "resources": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ResourceRequirements" - }, - "accessModes": { - "description": "accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1", - "type": "array", - "items": { - "type": "string" - } - }, - "selector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "volumeName": { - "description": "volumeName is the binding reference to the PersistentVolume backing this claim.", - "type": "string" - }, - "storageClassName": { - "description": "storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1", - "type": "string" - }, - "volumeMode": { - "description": "volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.", - "type": "string" - }, - "dataSource": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.TypedLocalObjectReference" - }, - "dataSourceRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.TypedLocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.PersistentVolumeClaimTemplate": { - "description": "PersistentVolumeClaimTemplate is used to produce PersistentVolumeClaim objects as part of an EphemeralVolumeSource.", - "type": "object", - "properties": { - "metadata": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PersistentVolumeClaimSpec" - } - } - }, - "k8s.io.api.core.v1.PersistentVolumeClaimVolumeSource": { - "description": "PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. This volume finds the bound PV and mounts that volume for the pod. A PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another type of volume that is owned by someone else (the system).", - "type": "object", - "properties": { - "readOnly": { - "description": "readOnly Will force the ReadOnly setting in VolumeMounts. Default false.", - "type": "boolean" - }, - "claimName": { - "description": "claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PhotonPersistentDiskVolumeSource": { - "description": "Represents a Photon Controller persistent disk resource.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "pdID": { - "description": "pdID is the ID that identifies Photon Controller persistent disk", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PodAffinity": { - "description": "Pod affinity is a group of inter pod affinity scheduling rules.", - "type": "object", - "properties": { - "requiredDuringSchedulingIgnoredDuringExecution": { - "description": "If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinityTerm" - } - }, - "preferredDuringSchedulingIgnoredDuringExecution": { - "description": "The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WeightedPodAffinityTerm" - } - } - } - }, - "k8s.io.api.core.v1.PodAffinityTerm": { - "description": "Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key \u003ctopologyKey\u003e matches that of any node on which a pod of the set of pods is running", - "type": "object", - "properties": { - "labelSelector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "namespaces": { - "description": "namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means \"this pod's namespace\".", - "type": "array", - "items": { - "type": "string" - } - }, - "topologyKey": { - "description": "This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.", - "type": "string" - }, - "namespaceSelector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - } - } - }, - "k8s.io.api.core.v1.PodAntiAffinity": { - "description": "Pod anti affinity is a group of inter pod anti affinity scheduling rules.", - "type": "object", - "properties": { - "requiredDuringSchedulingIgnoredDuringExecution": { - "description": "If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinityTerm" - } - }, - "preferredDuringSchedulingIgnoredDuringExecution": { - "description": "The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WeightedPodAffinityTerm" - } - } - } - }, - "k8s.io.api.core.v1.PodSecurityContext": { - "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.", - "type": "object", - "properties": { - "seLinuxOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SELinuxOptions" - }, - "windowsOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WindowsSecurityContextOptions" - }, - "runAsUser": { - "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "runAsGroup": { - "description": "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "runAsNonRoot": { - "description": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.", - "type": "boolean" - }, - "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. Note that this field cannot be set when spec.os.name is windows.", - "type": "array", - "items": { - "type": "integer", - "format": "int64" - } - }, - "fsGroup": { - "description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "sysctls": { - "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Sysctl" - } - }, - "fsGroupChangePolicy": { - "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used. Note that this field cannot be set when spec.os.name is windows.", - "type": "string" - }, - "seccompProfile": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SeccompProfile" - } - } - }, - "k8s.io.api.core.v1.PortworxVolumeSource": { - "description": "PortworxVolumeSource represents a Portworx volume resource.", - "type": "object", - "properties": { - "volumeID": { - "description": "volumeID uniquely identifies a Portworx volume", - "type": "string" - }, - "fsType": { - "description": "fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "readOnly": { - "description": "readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.PreferredSchedulingTerm": { - "description": "An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).", - "type": "object", - "properties": { - "weight": { - "description": "Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.", - "type": "integer", - "format": "int32" - }, - "preference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorTerm" - } - } - }, - "k8s.io.api.core.v1.ProjectedVolumeSource": { - "description": "Represents a projected volume source", - "type": "object", - "properties": { - "defaultMode": { - "description": "defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - }, - "sources": { - "description": "sources is the list of volume projections", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeProjection" - } - } - } - }, - "k8s.io.api.core.v1.QuobyteVolumeSource": { - "description": "Represents a Quobyte mount that lasts the lifetime of a pod. Quobyte volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "group": { - "description": "group to map volume access to Default is no group", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.", - "type": "boolean" - }, - "user": { - "description": "user to map volume access to Defaults to serivceaccount user", - "type": "string" - }, - "registry": { - "description": "registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes", - "type": "string" - }, - "volume": { - "description": "volume is a string that references an already created Quobyte volume by name.", - "type": "string" - }, - "tenant": { - "description": "tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.RBDVolumeSource": { - "description": "Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "boolean" - }, - "monitors": { - "description": "monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "array", - "items": { - "type": "string" - } - }, - "user": { - "description": "user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "image": { - "description": "image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - }, - "pool": { - "description": "pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - }, - "keyring": { - "description": "keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ResourceFieldSelector": { - "description": "ResourceFieldSelector represents container resources (cpu, memory) and their output format", - "type": "object", - "properties": { - "resource": { - "description": "Required: resource to select", - "type": "string" - }, - "containerName": { - "description": "Container name: required for volumes, optional for env vars", - "type": "string" - }, - "divisor": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - } - }, - "k8s.io.api.core.v1.ResourceRequirements": { - "description": "ResourceRequirements describes the compute resource requirements.", - "type": "object", - "properties": { - "limits": { - "description": "Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - }, - "requests": { - "description": "Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - } - } - }, - "k8s.io.api.core.v1.SELinuxOptions": { - "description": "SELinuxOptions are the labels to be applied to the container", - "type": "object", - "properties": { - "type": { - "description": "Type is a SELinux type label that applies to the container.", - "type": "string" - }, - "user": { - "description": "User is a SELinux user label that applies to the container.", - "type": "string" - }, - "role": { - "description": "Role is a SELinux role label that applies to the container.", - "type": "string" - }, - "level": { - "description": "Level is SELinux level label that applies to the container.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ScaleIOVolumeSource": { - "description": "ScaleIOVolumeSource represents a persistent ScaleIO volume", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Default is \"xfs\".", - "type": "string" - }, - "readOnly": { - "description": "readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "volumeName": { - "description": "volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.", - "type": "string" - }, - "gateway": { - "description": "gateway is the host address of the ScaleIO API Gateway.", - "type": "string" - }, - "system": { - "description": "system is the name of the storage system as configured in ScaleIO.", - "type": "string" - }, - "sslEnabled": { - "description": "sslEnabled Flag enable/disable SSL communication with Gateway, default false", - "type": "boolean" - }, - "protectionDomain": { - "description": "protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.", - "type": "string" - }, - "storagePool": { - "description": "storagePool is the ScaleIO Storage Pool associated with the protection domain.", - "type": "string" - }, - "storageMode": { - "description": "storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.SeccompProfile": { - "description": "SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.", - "type": "object", - "properties": { - "type": { - "description": "type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.", - "type": "string" - }, - "localhostProfile": { - "description": "localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is \"Localhost\".", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.SecretKeySelector": { - "description": "SecretKeySelector selects a key of a Secret.", - "type": "object", - "properties": { - "key": { - "description": "The key of the secret to select from. Must be a valid secret key.", - "type": "string" - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "Specify whether the Secret or its key must be defined", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.SecretProjection": { - "description": "Adapts a secret into a projected volume. The contents of the target Secret's Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.", - "type": "object", - "properties": { - "items": { - "description": "items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "optional field specify whether the Secret or its key must be defined", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.SecretVolumeSource": { - "description": "Adapts a Secret into a volume. The contents of the target Secret's Data field will be presented in a volume as files using the keys in the Data field as the file names. Secret volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "items": { - "description": "items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "secretName": { - "description": "secretName is the name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret", - "type": "string" - }, - "optional": { - "description": "optional field specify whether the Secret or its keys must be defined", - "type": "boolean" - }, - "defaultMode": { - "description": "defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.SecurityContext": { - "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.", - "type": "object", - "properties": { - "seLinuxOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SELinuxOptions" - }, - "windowsOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WindowsSecurityContextOptions" - }, - "runAsUser": { - "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "runAsGroup": { - "description": "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "runAsNonRoot": { - "description": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.", - "type": "boolean" - }, - "seccompProfile": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SeccompProfile" - }, - "capabilities": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Capabilities" - }, - "privileged": { - "description": "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.", - "type": "boolean" - }, - "readOnlyRootFilesystem": { - "description": "Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.", - "type": "boolean" - }, - "allowPrivilegeEscalation": { - "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.", - "type": "boolean" - }, - "procMount": { - "description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ServiceAccountTokenProjection": { - "description": "ServiceAccountTokenProjection represents a projected service account token volume. This projection can be used to insert a service account token into the pods runtime filesystem for use against APIs (Kubernetes API Server or otherwise).", - "type": "object", - "properties": { - "path": { - "description": "path is the path relative to the mount point of the file to project the token into.", - "type": "string" - }, - "audience": { - "description": "audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.", - "type": "string" - }, - "expirationSeconds": { - "description": "expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.", - "type": "integer", - "format": "int64" - } - } - }, - "k8s.io.api.core.v1.SessionAffinityConfig": { - "description": "SessionAffinityConfig represents the configurations of session affinity.", - "type": "object", - "properties": { - "clientIP": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ClientIPConfig" - } - } - }, - "k8s.io.api.core.v1.StorageOSVolumeSource": { - "description": "Represents a StorageOS persistent volume resource.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "readOnly": { - "description": "readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "volumeName": { - "description": "volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.", - "type": "string" - }, - "volumeNamespace": { - "description": "volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to \"default\" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.Sysctl": { - "description": "Sysctl defines a kernel parameter to be set", - "type": "object", - "properties": { - "name": { - "description": "Name of a property to set", - "type": "string" - }, - "value": { - "description": "Value of a property to set", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.Toleration": { - "description": "The pod this Toleration is attached to tolerates any taint that matches the triple \u003ckey,value,effect\u003e using the matching operator \u003coperator\u003e.", - "type": "object", - "properties": { - "key": { - "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.", - "type": "string" - }, - "operator": { - "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.", - "type": "string" - }, - "value": { - "description": "Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.", - "type": "string" - }, - "effect": { - "description": "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.", - "type": "string" - }, - "tolerationSeconds": { - "description": "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.", - "type": "integer", - "format": "int64" - } - } - }, - "k8s.io.api.core.v1.TopologySpreadConstraint": { - "description": "TopologySpreadConstraint specifies how to spread matching pods among the given topology.", - "type": "object", - "properties": { - "labelSelector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "topologyKey": { - "description": "TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each \u003ckey, value\u003e as a \"bucket\", and try to put balanced number of pods into each bucket. It's a required field.", - "type": "string" - }, - "maxSkew": { - "description": "MaxSkew describes the degree to which pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1; scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.", - "type": "integer", - "format": "int32" - }, - "whenUnsatisfiable": { - "description": "WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered \"Unsatisfiable\" for an incoming pod if and only if every possible node assignment for that pod would violate \"MaxSkew\" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it *more* imbalanced. It's a required field.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.TypedLocalObjectReference": { - "description": "TypedLocalObjectReference contains enough information to let you locate the typed referenced object inside the same namespace.", - "type": "object", - "properties": { - "name": { - "description": "Name is the name of resource being referenced", - "type": "string" - }, - "kind": { - "description": "Kind is the type of resource being referenced", - "type": "string" - }, - "apiGroup": { - "description": "APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.Volume": { - "description": "Volume represents a named volume in a pod that may be accessed by any container in the pod.", - "type": "object", - "properties": { - "name": { - "description": "name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", - "type": "string" - }, - "volumeSource": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeSource" - } - } - }, - "k8s.io.api.core.v1.VolumeMount": { - "description": "VolumeMount describes a mounting of a Volume within a container.", - "type": "object", - "properties": { - "name": { - "description": "This must match the Name of a Volume.", - "type": "string" - }, - "readOnly": { - "description": "Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.", - "type": "boolean" - }, - "mountPath": { - "description": "Path within the container at which the volume should be mounted. Must not contain ':'.", - "type": "string" - }, - "subPath": { - "description": "Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).", - "type": "string" - }, - "mountPropagation": { - "description": "mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.", - "type": "string" - }, - "subPathExpr": { - "description": "Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to \"\" (volume's root). SubPathExpr and SubPath are mutually exclusive.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.VolumeProjection": { - "description": "Projection that may be projected along with other supported volume types", - "type": "object", - "properties": { - "configMap": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ConfigMapProjection" - }, - "secret": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecretProjection" - }, - "downwardAPI": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIProjection" - }, - "serviceAccountToken": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ServiceAccountTokenProjection" - } - } - }, - "k8s.io.api.core.v1.VolumeSource": { - "description": "Represents the source of a volume to mount. Only one of its members may be specified.", - "type": "object", - "properties": { - "configMap": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ConfigMapVolumeSource" - }, - "gcePersistentDisk": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GCEPersistentDiskVolumeSource" - }, - "awsElasticBlockStore": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.AWSElasticBlockStoreVolumeSource" - }, - "hostPath": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.HostPathVolumeSource" - }, - "glusterfs": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GlusterfsVolumeSource" - }, - "nfs": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NFSVolumeSource" - }, - "rbd": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.RBDVolumeSource" - }, - "iscsi": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ISCSIVolumeSource" - }, - "cinder": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.CinderVolumeSource" - }, - "cephfs": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.CephFSVolumeSource" - }, - "fc": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.FCVolumeSource" - }, - "flocker": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.FlockerVolumeSource" - }, - "flexVolume": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.FlexVolumeSource" - }, - "azureFile": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.AzureFileVolumeSource" - }, - "vsphereVolume": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VsphereVirtualDiskVolumeSource" - }, - "quobyte": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.QuobyteVolumeSource" - }, - "azureDisk": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.AzureDiskVolumeSource" - }, - "photonPersistentDisk": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PhotonPersistentDiskVolumeSource" - }, - "portworxVolume": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PortworxVolumeSource" - }, - "scaleIO": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ScaleIOVolumeSource" - }, - "storageos": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.StorageOSVolumeSource" - }, - "csi": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.CSIVolumeSource" - }, - "secret": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecretVolumeSource" - }, - "downwardAPI": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIVolumeSource" - }, - "emptyDir": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EmptyDirVolumeSource" - }, - "gitRepo": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GitRepoVolumeSource" - }, - "persistentVolumeClaim": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PersistentVolumeClaimVolumeSource" - }, - "projected": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ProjectedVolumeSource" - }, - "ephemeral": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EphemeralVolumeSource" - } - } - }, - "k8s.io.api.core.v1.VsphereVirtualDiskVolumeSource": { - "description": "Represents a vSphere volume resource.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "volumePath": { - "description": "volumePath is the path that identifies vSphere volume vmdk", - "type": "string" - }, - "storagePolicyName": { - "description": "storagePolicyName is the storage Policy Based Management (SPBM) profile name.", - "type": "string" - }, - "storagePolicyID": { - "description": "storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.WeightedPodAffinityTerm": { - "description": "The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)", - "type": "object", - "properties": { - "weight": { - "description": "weight associated with matching the corresponding podAffinityTerm, in the range 1-100.", - "type": "integer", - "format": "int32" - }, - "podAffinityTerm": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinityTerm" - } - } - }, - "k8s.io.api.core.v1.WindowsSecurityContextOptions": { - "description": "WindowsSecurityContextOptions contain Windows-specific options and credentials.", - "type": "object", - "properties": { - "gmsaCredentialSpecName": { - "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.", - "type": "string" - }, - "gmsaCredentialSpec": { - "description": "GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.", - "type": "string" - }, - "runAsUserName": { - "description": "The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.", - "type": "string" - }, - "hostProcess": { - "description": "HostProcess determines if a container should be run as a 'Host Process' container. This field is alpha-level and will only be honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating the Pod. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.", - "type": "boolean" - } - } - }, - "k8s.io.apimachinery.pkg.api.resource.Quantity": { - "description": "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors. The serialization format is: \u003cquantity\u003e ::= \u003csignedNumber\u003e\u003csuffix\u003e (Note that \u003csuffix\u003e may be empty, from the \"\" case in \u003cdecimalSI\u003e.) \u003cdigit\u003e ::= 0 | 1 | ... | 9 \u003cdigits\u003e ::= \u003cdigit\u003e | \u003cdigit\u003e\u003cdigits\u003e \u003cnumber\u003e ::= \u003cdigits\u003e | \u003cdigits\u003e.\u003cdigits\u003e | \u003cdigits\u003e. | .\u003cdigits\u003e \u003csign\u003e ::= \"+\" | \"-\" \u003csignedNumber\u003e ::= \u003cnumber\u003e | \u003csign\u003e\u003cnumber\u003e \u003csuffix\u003e ::= \u003cbinarySI\u003e | \u003cdecimalExponent\u003e | \u003cdecimalSI\u003e \u003cbinarySI\u003e ::= Ki | Mi | Gi | Ti | Pi | Ei (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html) \u003cdecimalSI\u003e ::= m | \"\" | k | M | G | T | P | E (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.) \u003cdecimalExponent\u003e ::= \"e\" \u003csignedNumber\u003e | \"E\" \u003csignedNumber\u003e No matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities. When a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized. Before serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that: a. No precision is lost b. No fractional digits will be emitted c. The exponent (or suffix) is as large as possible. The sign will be omitted unless the number is negative. Examples: 1.5 will be serialized as \"1500m\" 1.5Gi will be serialized as \"1536Mi\" Note that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise. Non-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.) This format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.", - "type": "object", - "properties": { - "string": { - "type": "string" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.FieldsV1": { - "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format. Each key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:\u003cname\u003e', where \u003cname\u003e is the name of a field in a struct, or key in a map 'v:\u003cvalue\u003e', where \u003cvalue\u003e is the exact json formatted value of a list item 'i:\u003cindex\u003e', where \u003cindex\u003e is position of a item in a list 'k:\u003ckeys\u003e', where \u003ckeys\u003e is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set. The exact format is defined in sigs.k8s.io/structured-merge-diff", - "type": "object", - "properties": { - "Raw": { - "description": "Raw is the underlying serialization of this object.", - "type": "string", - "format": "binary" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector": { - "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", - "type": "object", - "properties": { - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement" - } - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", - "type": "object", - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry": { - "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", - "type": "object", - "properties": { - "time": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.Time" - }, - "apiVersion": { - "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", - "type": "string" - }, - "manager": { - "description": "Manager is an identifier of the workflow managing these fields.", - "type": "string" - }, - "operation": { - "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", - "type": "string" - }, - "fieldsType": { - "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", - "type": "string" - }, - "fieldsV1": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.FieldsV1" - }, - "subresource": { - "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", - "type": "string" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta": { - "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", - "type": "object", - "properties": { - "name": { - "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names", - "type": "string" - }, - "resourceVersion": { - "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": "string" - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": "string" - }, - "generateName": { - "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", - "type": "string" - }, - "namespace": { - "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces", - "type": "string" - }, - "uid": { - "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids", - "type": "string" - }, - "generation": { - "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", - "type": "integer", - "format": "int64" - }, - "creationTimestamp": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.Time" - }, - "deletionTimestamp": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.Time" - }, - "deletionGracePeriodSeconds": { - "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", - "type": "integer", - "format": "int64" - }, - "labels": { - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "annotations": { - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ownerReferences": { - "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.OwnerReference" - } - }, - "finalizers": { - "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", - "type": "array", - "items": { - "type": "string" - } - }, - "clusterName": { - "description": "The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.", - "type": "string" - }, - "managedFields": { - "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry" - } - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.OwnerReference": { - "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", - "type": "object", - "properties": { - "name": { - "description": "Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names", - "type": "string" - }, - "apiVersion": { - "description": "API version of the referent.", - "type": "string" - }, - "kind": { - "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "uid": { - "description": "UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids", - "type": "string" - }, - "controller": { - "description": "If true, this reference points to the managing controller.", - "type": "boolean" - }, - "blockOwnerDeletion": { - "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", - "type": "boolean" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.Time": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "type": "object", - "properties": { - "seconds": { - "description": "Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive.", - "type": "integer", - "format": "int64" - }, - "nanos": { - "description": "Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context.", - "type": "integer", - "format": "int32" - } - } - } - } - } -} \ No newline at end of file diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.go deleted file mode 100644 index d9c4c895c..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.go +++ /dev/null @@ -1,76 +0,0 @@ -/* -Copyright 2021 Cisco Systems, Inc. and/or its affiliates. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - "strconv" - - "github.com/golang/protobuf/jsonpb" - resource "k8s.io/apimachinery/pkg/api/resource" - "k8s.io/apimachinery/pkg/util/intstr" -) - -// define new type from k8s quantity to marshal/unmarshal jsonpb -type Quantity struct { - resource.Quantity `json:"quantity,omitempty"` -} - -// MarshalJSONPB implements the jsonpb.JSONPBMarshaler interface. -func (q *Quantity) MarshalJSONPB(_ *jsonpb.Marshaler) ([]byte, error) { - return q.Quantity.MarshalJSON() -} - -// UnmarshalJSONPB implements the jsonpb.JSONPBUnmarshaler interface. -func (q *Quantity) UnmarshalJSONPB(_ *jsonpb.Unmarshaler, value []byte) error { - // If its a string that isnt wrapped in quotes add them to appease kubernetes unmarshal - if _, err := strconv.Atoi(string(value)); err != nil && len(value) > 0 && value[0] != '"' { - value = append([]byte{'"'}, value...) - value = append(value, '"') - } - - return q.Quantity.UnmarshalJSON(value) -} - -// define new type from k8s intstr to marshal/unmarshal jsonpb -type IntOrString struct { - intstr.IntOrString `json:"intorsting,omitempty"` -} - -// MarshalJSONPB implements the jsonpb.JSONPBMarshaler interface. -func (intstrpb *IntOrString) MarshalJSONPB(_ *jsonpb.Marshaler) ([]byte, error) { - return intstrpb.IntOrString.MarshalJSON() -} - -// UnmarshalJSONPB implements the jsonpb.JSONPBUnmarshaler interface. -func (intstrpb *IntOrString) UnmarshalJSONPB(_ *jsonpb.Unmarshaler, value []byte) error { - // If its a string that isnt wrapped in quotes add them to appease kubernetes unmarshal - if _, err := strconv.Atoi(string(value)); err != nil && len(value) > 0 && value[0] != '"' { - value = append([]byte{'"'}, value...) - value = append(value, '"') - } - return intstrpb.IntOrString.UnmarshalJSON(value) -} - -// FromInt creates an IntOrStringForPB object with an int32 value. -func FromInt(val int) IntOrString { - return IntOrString{intstr.FromInt(val)} -} - -// FromString creates an IntOrStringForPB object with a string value. -func FromString(val string) IntOrString { - return IntOrString{intstr.FromString(val)} -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.pb.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.pb.go deleted file mode 100644 index 4e9fbd447..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.pb.go +++ /dev/null @@ -1,3091 +0,0 @@ -// Copyright 2021 Cisco Systems, Inc. and/or its affiliates. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.28.0 -// protoc (unknown) -// source: api/v1alpha1/common.proto - -package v1alpha1 - -import ( - _ "github.com/banzaicloud/istio-operator/api/v2/options" - _ "github.com/golang/protobuf/protoc-gen-go/descriptor" - wrappers "github.com/golang/protobuf/ptypes/wrappers" - _ "google.golang.org/genproto/googleapis/api/annotations" - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - v1 "k8s.io/api/core/v1" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -type ConfigState int32 - -const ( - ConfigState_Unspecified ConfigState = 0 - ConfigState_Created ConfigState = 1 - ConfigState_ReconcileFailed ConfigState = 2 - ConfigState_Reconciling ConfigState = 3 - ConfigState_Available ConfigState = 4 - ConfigState_Unmanaged ConfigState = 5 -) - -// Enum value maps for ConfigState. -var ( - ConfigState_name = map[int32]string{ - 0: "Unspecified", - 1: "Created", - 2: "ReconcileFailed", - 3: "Reconciling", - 4: "Available", - 5: "Unmanaged", - } - ConfigState_value = map[string]int32{ - "Unspecified": 0, - "Created": 1, - "ReconcileFailed": 2, - "Reconciling": 3, - "Available": 4, - "Unmanaged": 5, - } -) - -func (x ConfigState) Enum() *ConfigState { - p := new(ConfigState) - *p = x - return p -} - -func (x ConfigState) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (ConfigState) Descriptor() protoreflect.EnumDescriptor { - return file_api_v1alpha1_common_proto_enumTypes[0].Descriptor() -} - -func (ConfigState) Type() protoreflect.EnumType { - return &file_api_v1alpha1_common_proto_enumTypes[0] -} - -func (x ConfigState) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use ConfigState.Descriptor instead. -func (ConfigState) EnumDescriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{0} -} - -type K8SResourceOverlayPatch_Type int32 - -const ( - K8SResourceOverlayPatch_unspecified K8SResourceOverlayPatch_Type = 0 - K8SResourceOverlayPatch_replace K8SResourceOverlayPatch_Type = 1 - K8SResourceOverlayPatch_remove K8SResourceOverlayPatch_Type = 2 -) - -// Enum value maps for K8SResourceOverlayPatch_Type. -var ( - K8SResourceOverlayPatch_Type_name = map[int32]string{ - 0: "unspecified", - 1: "replace", - 2: "remove", - } - K8SResourceOverlayPatch_Type_value = map[string]int32{ - "unspecified": 0, - "replace": 1, - "remove": 2, - } -) - -func (x K8SResourceOverlayPatch_Type) Enum() *K8SResourceOverlayPatch_Type { - p := new(K8SResourceOverlayPatch_Type) - *p = x - return p -} - -func (x K8SResourceOverlayPatch_Type) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (K8SResourceOverlayPatch_Type) Descriptor() protoreflect.EnumDescriptor { - return file_api_v1alpha1_common_proto_enumTypes[1].Descriptor() -} - -func (K8SResourceOverlayPatch_Type) Type() protoreflect.EnumType { - return &file_api_v1alpha1_common_proto_enumTypes[1] -} - -func (x K8SResourceOverlayPatch_Type) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use K8SResourceOverlayPatch_Type.Descriptor instead. -func (K8SResourceOverlayPatch_Type) EnumDescriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{15, 0} -} - -// Generic k8s resource metadata -type K8SObjectMeta struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Map of string keys and values that can be used to organize and categorize - // (scope and select) objects. May match selectors of replication controllers - // and services. - // More info: http://kubernetes.io/docs/user-guide/labels - // +optional - Labels map[string]string `protobuf:"bytes,11,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - // Annotations is an unstructured key value map stored with a resource that may be - // set by external tools to store and retrieve arbitrary metadata. They are not - // queryable and should be preserved when modifying objects. - // More info: http://kubernetes.io/docs/user-guide/annotations - // +optional - Annotations map[string]string `protobuf:"bytes,12,rep,name=annotations,proto3" json:"annotations,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` -} - -func (x *K8SObjectMeta) Reset() { - *x = K8SObjectMeta{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *K8SObjectMeta) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*K8SObjectMeta) ProtoMessage() {} - -func (x *K8SObjectMeta) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use K8SObjectMeta.ProtoReflect.Descriptor instead. -func (*K8SObjectMeta) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{0} -} - -func (x *K8SObjectMeta) GetLabels() map[string]string { - if x != nil { - return x.Labels - } - return nil -} - -func (x *K8SObjectMeta) GetAnnotations() map[string]string { - if x != nil { - return x.Annotations - } - return nil -} - -type ContainerImageConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Default hub for container images. - Hub string `protobuf:"bytes,1,opt,name=hub,proto3" json:"hub,omitempty"` - // Default tag for container images. - Tag string `protobuf:"bytes,2,opt,name=tag,proto3" json:"tag,omitempty"` - // Image pull policy. - // One of Always, Never, IfNotPresent. - // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - // +optional - // +kubebuilder:validation:Enum=Always;Never;IfNotPresent - ImagePullPolicy string `protobuf:"bytes,3,opt,name=imagePullPolicy,proto3" json:"imagePullPolicy,omitempty"` - // ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images. - // +optional - ImagePullSecrets []*v1.LocalObjectReference `protobuf:"bytes,4,rep,name=imagePullSecrets,proto3" json:"imagePullSecrets,omitempty"` -} - -func (x *ContainerImageConfiguration) Reset() { - *x = ContainerImageConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ContainerImageConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ContainerImageConfiguration) ProtoMessage() {} - -func (x *ContainerImageConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[1] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ContainerImageConfiguration.ProtoReflect.Descriptor instead. -func (*ContainerImageConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{1} -} - -func (x *ContainerImageConfiguration) GetHub() string { - if x != nil { - return x.Hub - } - return "" -} - -func (x *ContainerImageConfiguration) GetTag() string { - if x != nil { - return x.Tag - } - return "" -} - -func (x *ContainerImageConfiguration) GetImagePullPolicy() string { - if x != nil { - return x.ImagePullPolicy - } - return "" -} - -func (x *ContainerImageConfiguration) GetImagePullSecrets() []*v1.LocalObjectReference { - if x != nil { - return x.ImagePullSecrets - } - return nil -} - -type BaseKubernetesContainerConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Standard Kubernetes container image configuration - Image string `protobuf:"bytes,1,opt,name=image,proto3" json:"image,omitempty"` - // If present will be appended to the environment variables of the container - Env []*v1.EnvVar `protobuf:"bytes,2,rep,name=env,proto3" json:"env,omitempty"` - // Standard Kubernetes resource configuration, memory and CPU resource requirements - Resources *ResourceRequirements `protobuf:"bytes,3,opt,name=resources,proto3" json:"resources,omitempty"` - // Standard Kubernetes security context configuration - SecurityContext *v1.SecurityContext `protobuf:"bytes,4,opt,name=securityContext,proto3" json:"securityContext,omitempty"` - // Pod volumes to mount into the container's filesystem. - // Cannot be updated. - // +optional - // +patchMergeKey=mountPath - // +patchStrategy=merge - VolumeMounts []*v1.VolumeMount `protobuf:"bytes,5,rep,name=volumeMounts,proto3" json:"volumeMounts,omitempty"` -} - -func (x *BaseKubernetesContainerConfiguration) Reset() { - *x = BaseKubernetesContainerConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *BaseKubernetesContainerConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*BaseKubernetesContainerConfiguration) ProtoMessage() {} - -func (x *BaseKubernetesContainerConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[2] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use BaseKubernetesContainerConfiguration.ProtoReflect.Descriptor instead. -func (*BaseKubernetesContainerConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{2} -} - -func (x *BaseKubernetesContainerConfiguration) GetImage() string { - if x != nil { - return x.Image - } - return "" -} - -func (x *BaseKubernetesContainerConfiguration) GetEnv() []*v1.EnvVar { - if x != nil { - return x.Env - } - return nil -} - -func (x *BaseKubernetesContainerConfiguration) GetResources() *ResourceRequirements { - if x != nil { - return x.Resources - } - return nil -} - -func (x *BaseKubernetesContainerConfiguration) GetSecurityContext() *v1.SecurityContext { - if x != nil { - return x.SecurityContext - } - return nil -} - -func (x *BaseKubernetesContainerConfiguration) GetVolumeMounts() []*v1.VolumeMount { - if x != nil { - return x.VolumeMounts - } - return nil -} - -type BaseKubernetesResourceConfig struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Generic k8s resource metadata - Metadata *K8SObjectMeta `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` - // Standard Kubernetes container image configuration - Image string `protobuf:"bytes,2,opt,name=image,proto3" json:"image,omitempty"` - // If present will be appended to the environment variables of the container - Env []*v1.EnvVar `protobuf:"bytes,3,rep,name=env,proto3" json:"env,omitempty"` - // Standard Kubernetes resource configuration, memory and CPU resource requirements - Resources *ResourceRequirements `protobuf:"bytes,4,opt,name=resources,proto3" json:"resources,omitempty"` - // Standard Kubernetes node selector configuration - NodeSelector map[string]string `protobuf:"bytes,5,rep,name=nodeSelector,proto3" json:"nodeSelector,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - // Standard Kubernetes affinity configuration - Affinity *v1.Affinity `protobuf:"bytes,6,opt,name=affinity,proto3" json:"affinity,omitempty"` - // Standard Kubernetes security context configuration - SecurityContext *v1.SecurityContext `protobuf:"bytes,7,opt,name=securityContext,proto3" json:"securityContext,omitempty"` - // Image pull policy. - // One of Always, Never, IfNotPresent. - // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - // +optional - ImagePullPolicy string `protobuf:"bytes,8,opt,name=imagePullPolicy,proto3" json:"imagePullPolicy,omitempty"` - // ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images. - // +optional - ImagePullSecrets []*v1.LocalObjectReference `protobuf:"bytes,9,rep,name=imagePullSecrets,proto3" json:"imagePullSecrets,omitempty"` - // If specified, indicates the pod's priority. "system-node-critical" and - // "system-cluster-critical" are two special keywords which indicate the - // highest priorities with the former being the highest priority. Any other - // name must be defined by creating a PriorityClass object with that name. - // If not specified, the pod priority will be default or zero if there is no - // default. - // +optional - PriorityClassName string `protobuf:"bytes,10,opt,name=priorityClassName,proto3" json:"priorityClassName,omitempty"` - // If specified, the pod's tolerations. - // +optional - Tolerations []*v1.Toleration `protobuf:"bytes,11,rep,name=tolerations,proto3" json:"tolerations,omitempty"` - // List of volumes that can be mounted by containers belonging to the pod. - // More info: https://kubernetes.io/docs/concepts/storage/volumes - // +optional - // +patchMergeKey=name - // +patchStrategy=merge,retainKeys - Volumes []*v1.Volume `protobuf:"bytes,12,rep,name=volumes,proto3" json:"volumes,omitempty"` - // Pod volumes to mount into the container's filesystem. - // Cannot be updated. - // +optional - // +patchMergeKey=mountPath - // +patchStrategy=merge - VolumeMounts []*v1.VolumeMount `protobuf:"bytes,13,rep,name=volumeMounts,proto3" json:"volumeMounts,omitempty"` - // Replica configuration - Replicas *Replicas `protobuf:"bytes,14,opt,name=replicas,proto3" json:"replicas,omitempty"` - // Standard Kubernetes pod annotation and label configuration - PodMetadata *K8SObjectMeta `protobuf:"bytes,15,opt,name=podMetadata,proto3" json:"podMetadata,omitempty"` - // PodDisruptionBudget configuration - PodDisruptionBudget *PodDisruptionBudget `protobuf:"bytes,16,opt,name=podDisruptionBudget,proto3" json:"podDisruptionBudget,omitempty"` - // DeploymentStrategy configuration - DeploymentStrategy *DeploymentStrategy `protobuf:"bytes,17,opt,name=deploymentStrategy,proto3" json:"deploymentStrategy,omitempty"` - // Standard Kubernetes pod security context configuration - PodSecurityContext *v1.PodSecurityContext `protobuf:"bytes,18,opt,name=podSecurityContext,proto3" json:"podSecurityContext,omitempty"` - // Periodic probe of container liveness. - // Container will be restarted if the probe fails. - // Cannot be updated. - // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - // +optional - LivenessProbe *Probe `protobuf:"bytes,19,opt,name=livenessProbe,proto3" json:"livenessProbe,omitempty"` - // Periodic probe of container service readiness. - // Container will be removed from service endpoints if the probe fails. - // Cannot be updated. - // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - // +optional - ReadinessProbe *Probe `protobuf:"bytes,20,opt,name=readinessProbe,proto3" json:"readinessProbe,omitempty"` - // Used to control how Pods are spread across a cluster among failure-domains. - // This can help to achieve high availability as well as efficient resource utilization. - // More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints - // +optional - TopologySpreadConstraints []*v1.TopologySpreadConstraint `protobuf:"bytes,21,rep,name=topologySpreadConstraints,proto3" json:"topologySpreadConstraints,omitempty"` -} - -func (x *BaseKubernetesResourceConfig) Reset() { - *x = BaseKubernetesResourceConfig{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[3] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *BaseKubernetesResourceConfig) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*BaseKubernetesResourceConfig) ProtoMessage() {} - -func (x *BaseKubernetesResourceConfig) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[3] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use BaseKubernetesResourceConfig.ProtoReflect.Descriptor instead. -func (*BaseKubernetesResourceConfig) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{3} -} - -func (x *BaseKubernetesResourceConfig) GetMetadata() *K8SObjectMeta { - if x != nil { - return x.Metadata - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetImage() string { - if x != nil { - return x.Image - } - return "" -} - -func (x *BaseKubernetesResourceConfig) GetEnv() []*v1.EnvVar { - if x != nil { - return x.Env - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetResources() *ResourceRequirements { - if x != nil { - return x.Resources - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetNodeSelector() map[string]string { - if x != nil { - return x.NodeSelector - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetAffinity() *v1.Affinity { - if x != nil { - return x.Affinity - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetSecurityContext() *v1.SecurityContext { - if x != nil { - return x.SecurityContext - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetImagePullPolicy() string { - if x != nil { - return x.ImagePullPolicy - } - return "" -} - -func (x *BaseKubernetesResourceConfig) GetImagePullSecrets() []*v1.LocalObjectReference { - if x != nil { - return x.ImagePullSecrets - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetPriorityClassName() string { - if x != nil { - return x.PriorityClassName - } - return "" -} - -func (x *BaseKubernetesResourceConfig) GetTolerations() []*v1.Toleration { - if x != nil { - return x.Tolerations - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetVolumes() []*v1.Volume { - if x != nil { - return x.Volumes - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetVolumeMounts() []*v1.VolumeMount { - if x != nil { - return x.VolumeMounts - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetReplicas() *Replicas { - if x != nil { - return x.Replicas - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetPodMetadata() *K8SObjectMeta { - if x != nil { - return x.PodMetadata - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetPodDisruptionBudget() *PodDisruptionBudget { - if x != nil { - return x.PodDisruptionBudget - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetDeploymentStrategy() *DeploymentStrategy { - if x != nil { - return x.DeploymentStrategy - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetPodSecurityContext() *v1.PodSecurityContext { - if x != nil { - return x.PodSecurityContext - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetLivenessProbe() *Probe { - if x != nil { - return x.LivenessProbe - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetReadinessProbe() *Probe { - if x != nil { - return x.ReadinessProbe - } - return nil -} - -func (x *BaseKubernetesResourceConfig) GetTopologySpreadConstraints() []*v1.TopologySpreadConstraint { - if x != nil { - return x.TopologySpreadConstraints - } - return nil -} - -type DeploymentStrategy struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. - // +optional - Type string `protobuf:"bytes,1,opt,name=type,proto3" json:"type,omitempty"` - // Rolling update config params. Present only if DeploymentStrategyType = - // RollingUpdate. - // +optional - RollingUpdate *DeploymentStrategy_RollingUpdateDeployment `protobuf:"bytes,2,opt,name=rollingUpdate,proto3" json:"rollingUpdate,omitempty"` -} - -func (x *DeploymentStrategy) Reset() { - *x = DeploymentStrategy{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[4] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *DeploymentStrategy) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*DeploymentStrategy) ProtoMessage() {} - -func (x *DeploymentStrategy) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[4] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use DeploymentStrategy.ProtoReflect.Descriptor instead. -func (*DeploymentStrategy) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{4} -} - -func (x *DeploymentStrategy) GetType() string { - if x != nil { - return x.Type - } - return "" -} - -func (x *DeploymentStrategy) GetRollingUpdate() *DeploymentStrategy_RollingUpdateDeployment { - if x != nil { - return x.RollingUpdate - } - return nil -} - -// PodDisruptionBudget is a description of a PodDisruptionBudget -type PodDisruptionBudget struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // An eviction is allowed if at least "minAvailable" pods selected by - // "selector" will still be available after the eviction, i.e. even in the - // absence of the evicted pod. So for example you can prevent all voluntary - // evictions by specifying "100%". - // +optional - MinAvailable *IntOrString `protobuf:"bytes,1,opt,name=minAvailable,proto3" json:"minAvailable,omitempty"` - // An eviction is allowed if at most "maxUnavailable" pods selected by - // "selector" are unavailable after the eviction, i.e. even in absence of - // the evicted pod. For example, one can prevent all voluntary evictions - // by specifying 0. This is a mutually exclusive setting with "minAvailable". - // +optional - MaxUnavailable *IntOrString `protobuf:"bytes,2,opt,name=maxUnavailable,proto3" json:"maxUnavailable,omitempty"` -} - -func (x *PodDisruptionBudget) Reset() { - *x = PodDisruptionBudget{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[5] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *PodDisruptionBudget) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*PodDisruptionBudget) ProtoMessage() {} - -func (x *PodDisruptionBudget) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[5] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use PodDisruptionBudget.ProtoReflect.Descriptor instead. -func (*PodDisruptionBudget) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{5} -} - -func (x *PodDisruptionBudget) GetMinAvailable() *IntOrString { - if x != nil { - return x.MinAvailable - } - return nil -} - -func (x *PodDisruptionBudget) GetMaxUnavailable() *IntOrString { - if x != nil { - return x.MaxUnavailable - } - return nil -} - -// Probe describes a health check to be performed against a container to determine whether it is -// alive or ready to receive traffic. -type Probe struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The action taken to determine the health of a container - // - // Types that are assignable to Handler: - // - // *Probe_Exec - // *Probe_HttpGet - // *Probe_TcpSocket - // *Probe_Grpc - Handler isProbe_Handler `protobuf_oneof:"handler"` - // Number of seconds after the container has started before liveness probes are initiated. - // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - // +optional - InitialDelaySeconds int32 `protobuf:"varint,5,opt,name=initialDelaySeconds,proto3" json:"initialDelaySeconds,omitempty"` - // Number of seconds after which the probe times out. - // Defaults to 1 second. Minimum value is 1. - // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - // +optional - TimeoutSeconds int32 `protobuf:"varint,6,opt,name=timeoutSeconds,proto3" json:"timeoutSeconds,omitempty"` - // How often (in seconds) to perform the probe. - // Default to 10 seconds. Minimum value is 1. - // +optional - PeriodSeconds int32 `protobuf:"varint,7,opt,name=periodSeconds,proto3" json:"periodSeconds,omitempty"` - // Minimum consecutive successes for the probe to be considered successful after having failed. - // Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - // +optional - SuccessThreshold int32 `protobuf:"varint,8,opt,name=successThreshold,proto3" json:"successThreshold,omitempty"` - // Minimum consecutive failures for the probe to be considered failed after having succeeded. - // Defaults to 3. Minimum value is 1. - // +optional - FailureThreshold int32 `protobuf:"varint,9,opt,name=failureThreshold,proto3" json:"failureThreshold,omitempty"` - // Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - // The grace period is the duration in seconds after the processes running in the pod are sent - // a termination signal and the time when the processes are forcibly halted with a kill signal. - // Set this value longer than the expected cleanup time for your process. - // If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - // value overrides the value provided by the pod spec. - // Value must be non-negative integer. The value zero indicates stop immediately via - // the kill signal (no opportunity to shut down). - // This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - // Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - // +optional - TerminationGracePeriodSeconds int64 `protobuf:"varint,10,opt,name=terminationGracePeriodSeconds,proto3" json:"terminationGracePeriodSeconds,omitempty"` -} - -func (x *Probe) Reset() { - *x = Probe{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[6] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *Probe) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*Probe) ProtoMessage() {} - -func (x *Probe) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[6] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use Probe.ProtoReflect.Descriptor instead. -func (*Probe) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{6} -} - -func (m *Probe) GetHandler() isProbe_Handler { - if m != nil { - return m.Handler - } - return nil -} - -func (x *Probe) GetExec() *v1.ExecAction { - if x, ok := x.GetHandler().(*Probe_Exec); ok { - return x.Exec - } - return nil -} - -func (x *Probe) GetHttpGet() *HTTPGetAction { - if x, ok := x.GetHandler().(*Probe_HttpGet); ok { - return x.HttpGet - } - return nil -} - -func (x *Probe) GetTcpSocket() *TCPSocketAction { - if x, ok := x.GetHandler().(*Probe_TcpSocket); ok { - return x.TcpSocket - } - return nil -} - -func (x *Probe) GetGrpc() *v1.GRPCAction { - if x, ok := x.GetHandler().(*Probe_Grpc); ok { - return x.Grpc - } - return nil -} - -func (x *Probe) GetInitialDelaySeconds() int32 { - if x != nil { - return x.InitialDelaySeconds - } - return 0 -} - -func (x *Probe) GetTimeoutSeconds() int32 { - if x != nil { - return x.TimeoutSeconds - } - return 0 -} - -func (x *Probe) GetPeriodSeconds() int32 { - if x != nil { - return x.PeriodSeconds - } - return 0 -} - -func (x *Probe) GetSuccessThreshold() int32 { - if x != nil { - return x.SuccessThreshold - } - return 0 -} - -func (x *Probe) GetFailureThreshold() int32 { - if x != nil { - return x.FailureThreshold - } - return 0 -} - -func (x *Probe) GetTerminationGracePeriodSeconds() int64 { - if x != nil { - return x.TerminationGracePeriodSeconds - } - return 0 -} - -type isProbe_Handler interface { - isProbe_Handler() -} - -type Probe_Exec struct { - // Exec specifies the action to take. - // +optional - Exec *v1.ExecAction `protobuf:"bytes,1,opt,name=exec,proto3,oneof"` -} - -type Probe_HttpGet struct { - // HTTPGet specifies the http request to perform. - // +optional - HttpGet *HTTPGetAction `protobuf:"bytes,2,opt,name=httpGet,proto3,oneof"` -} - -type Probe_TcpSocket struct { - // TCPSocket specifies an action involving a TCP port. - // +optional - TcpSocket *TCPSocketAction `protobuf:"bytes,3,opt,name=tcpSocket,proto3,oneof"` -} - -type Probe_Grpc struct { - // GRPC specifies an action involving a GRPC port. - // This is a beta field and requires enabling GRPCContainerProbe feature gate. - // +featureGate=GRPCContainerProbe - // +optional - Grpc *v1.GRPCAction `protobuf:"bytes,4,opt,name=grpc,proto3,oneof"` -} - -func (*Probe_Exec) isProbe_Handler() {} - -func (*Probe_HttpGet) isProbe_Handler() {} - -func (*Probe_TcpSocket) isProbe_Handler() {} - -func (*Probe_Grpc) isProbe_Handler() {} - -// HTTPGetAction describes an action based on HTTP Get requests. -type HTTPGetAction struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Path to access on the HTTP server. - // +optional - Path string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"` - // Name or number of the port to access on the container. - // Number must be in the range 1 to 65535. - // Name must be an IANA_SVC_NAME. - Port *IntOrString `protobuf:"bytes,2,opt,name=port,proto3" json:"port,omitempty"` - // Host name to connect to, defaults to the pod IP. You probably want to set - // "Host" in httpHeaders instead. - // +optional - Host string `protobuf:"bytes,3,opt,name=host,proto3" json:"host,omitempty"` - // Scheme to use for connecting to the host. - // Defaults to HTTP. - // +optional - Scheme string `protobuf:"bytes,4,opt,name=scheme,proto3" json:"scheme,omitempty"` - // Custom headers to set in the request. HTTP allows repeated headers. - // +optional - HttpHeaders []*v1.HTTPHeader `protobuf:"bytes,5,rep,name=httpHeaders,proto3" json:"httpHeaders,omitempty"` -} - -func (x *HTTPGetAction) Reset() { - *x = HTTPGetAction{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[7] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *HTTPGetAction) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*HTTPGetAction) ProtoMessage() {} - -func (x *HTTPGetAction) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[7] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use HTTPGetAction.ProtoReflect.Descriptor instead. -func (*HTTPGetAction) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{7} -} - -func (x *HTTPGetAction) GetPath() string { - if x != nil { - return x.Path - } - return "" -} - -func (x *HTTPGetAction) GetPort() *IntOrString { - if x != nil { - return x.Port - } - return nil -} - -func (x *HTTPGetAction) GetHost() string { - if x != nil { - return x.Host - } - return "" -} - -func (x *HTTPGetAction) GetScheme() string { - if x != nil { - return x.Scheme - } - return "" -} - -func (x *HTTPGetAction) GetHttpHeaders() []*v1.HTTPHeader { - if x != nil { - return x.HttpHeaders - } - return nil -} - -// TCPSocketAction describes an action based on opening a socket -type TCPSocketAction struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Number or name of the port to access on the container. - // Number must be in the range 1 to 65535. - // Name must be an IANA_SVC_NAME. - Port *IntOrString `protobuf:"bytes,1,opt,name=port,proto3" json:"port,omitempty"` - // Optional: Host name to connect to, defaults to the pod IP. - // +optional - Host string `protobuf:"bytes,2,opt,name=host,proto3" json:"host,omitempty"` -} - -func (x *TCPSocketAction) Reset() { - *x = TCPSocketAction{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[8] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *TCPSocketAction) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*TCPSocketAction) ProtoMessage() {} - -func (x *TCPSocketAction) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[8] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use TCPSocketAction.ProtoReflect.Descriptor instead. -func (*TCPSocketAction) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{8} -} - -func (x *TCPSocketAction) GetPort() *IntOrString { - if x != nil { - return x.Port - } - return nil -} - -func (x *TCPSocketAction) GetHost() string { - if x != nil { - return x.Host - } - return "" -} - -// Service describes the attributes that a user creates on a service. -type Service struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Metadata *K8SObjectMeta `protobuf:"bytes,16,opt,name=metadata,proto3" json:"metadata,omitempty"` - // The list of ports that are exposed by this service. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - // +patchMergeKey=port - // +patchStrategy=merge - // +listType=map - // +listMapKey=port - // +listMapKey=protocol - // +kubebuilder:validation:MinItems=1 - Ports []*ServicePort `protobuf:"bytes,1,rep,name=ports,proto3" json:"ports,omitempty"` - // Route service traffic to pods with label keys and values matching this - // selector. If empty or not present, the service is assumed to have an - // external process managing its endpoints, which Kubernetes will not - // modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - // Ignored if type is ExternalName. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/ - // +optional - Selector map[string]string `protobuf:"bytes,2,rep,name=selector,proto3" json:"selector,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - // clusterIP is the IP address of the service and is usually assigned - // randomly by the master. If an address is specified manually and is not in - // use by others, it will be allocated to the service; otherwise, creation - // of the service will fail. This field can not be changed through updates. - // Valid values are "None", empty string (""), or a valid IP address. "None" - // can be specified for headless services when proxying is not required. - // Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if - // type is ExternalName. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - // +optional - ClusterIP string `protobuf:"bytes,3,opt,name=clusterIP,proto3" json:"clusterIP,omitempty"` - // type determines how the Service is exposed. Defaults to ClusterIP. Valid - // options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - // "ExternalName" maps to the specified externalName. - // "ClusterIP" allocates a cluster-internal IP address for load-balancing to - // endpoints. Endpoints are determined by the selector or if that is not - // specified, by manual construction of an Endpoints object. If clusterIP is - // "None", no virtual IP is allocated and the endpoints are published as a - // set of endpoints rather than a stable IP. - // "NodePort" builds on ClusterIP and allocates a port on every node which - // routes to the clusterIP. - // "LoadBalancer" builds on NodePort and creates an - // external load-balancer (if supported in the current cloud) which routes - // to the clusterIP. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - // +optional - // +kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer - Type string `protobuf:"bytes,4,opt,name=type,proto3" json:"type,omitempty"` - // externalIPs is a list of IP addresses for which nodes in the cluster - // will also accept traffic for this service. These IPs are not managed by - // Kubernetes. The user is responsible for ensuring that traffic arrives - // at a node with this IP. A common example is external load-balancers - // that are not part of the Kubernetes system. - // +optional - ExternalIPs []string `protobuf:"bytes,5,rep,name=externalIPs,proto3" json:"externalIPs,omitempty"` - // Supports "ClientIP" and "None". Used to maintain session affinity. - // Enable client IP based session affinity. - // Must be ClientIP or None. - // Defaults to None. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - // +optional - SessionAffinity string `protobuf:"bytes,7,opt,name=sessionAffinity,proto3" json:"sessionAffinity,omitempty"` - // Only applies to Service Type: LoadBalancer - // LoadBalancer will get created with the IP specified in this field. - // This feature depends on whether the underlying cloud-provider supports specifying - // the loadBalancerIP when a load balancer is created. - // This field will be ignored if the cloud-provider does not support the feature. - // +optional - LoadBalancerIP string `protobuf:"bytes,8,opt,name=loadBalancerIP,proto3" json:"loadBalancerIP,omitempty"` - // If specified and supported by the platform, this will restrict traffic through the cloud-provider - // load-balancer will be restricted to the specified client IPs. This field will be ignored if the - // cloud-provider does not support the feature." - // More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - // +optional - LoadBalancerSourceRanges []string `protobuf:"bytes,9,rep,name=loadBalancerSourceRanges,proto3" json:"loadBalancerSourceRanges,omitempty"` - // externalName is the external reference that kubedns or equivalent will - // return as a CNAME record for this service. No proxying will be involved. - // Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - // and requires Type to be ExternalName. - // +optional - ExternalName string `protobuf:"bytes,10,opt,name=externalName,proto3" json:"externalName,omitempty"` - // externalTrafficPolicy denotes if this Service desires to route external - // traffic to node-local or cluster-wide endpoints. "Local" preserves the - // client source IP and avoids a second hop for LoadBalancer and Nodeport - // type services, but risks potentially imbalanced traffic spreading. - // "Cluster" obscures the client source IP and may cause a second hop to - // another node, but should have good overall load-spreading. - // +optional - ExternalTrafficPolicy string `protobuf:"bytes,11,opt,name=externalTrafficPolicy,proto3" json:"externalTrafficPolicy,omitempty"` - // healthCheckNodePort specifies the healthcheck nodePort for the service. - // If not specified, HealthCheckNodePort is created by the service api - // backend with the allocated nodePort. Will use user-specified nodePort value - // if specified by the client. Only effects when Type is set to LoadBalancer - // and ExternalTrafficPolicy is set to Local. - // +optional - HealthCheckNodePort int32 `protobuf:"varint,12,opt,name=healthCheckNodePort,proto3" json:"healthCheckNodePort,omitempty"` - // publishNotReadyAddresses, when set to true, indicates that DNS implementations - // must publish the notReadyAddresses of subsets for the Endpoints associated with - // the Service. The default value is false. - // The primary use case for setting this field is to use a StatefulSet's Headless Service - // to propagate SRV records for its Pods without respect to their readiness for purpose - // of peer discovery. - // +optional - PublishNotReadyAddresses *wrappers.BoolValue `protobuf:"bytes,13,opt,name=publishNotReadyAddresses,proto3" json:"publishNotReadyAddresses,omitempty"` - // sessionAffinityConfig contains the configurations of session affinity. - // +optional - SessionAffinityConfig *v1.SessionAffinityConfig `protobuf:"bytes,14,opt,name=sessionAffinityConfig,proto3" json:"sessionAffinityConfig,omitempty"` - // ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. - // IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is - // available in the cluster. If no IP family is requested, the cluster's primary IP family will be used. - // Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which - // allocate external load-balancers should use the same IP family. Endpoints for this Service will be of - // this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the - // cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment. - // +optional - IpFamily string `protobuf:"bytes,15,opt,name=ipFamily,proto3" json:"ipFamily,omitempty"` -} - -func (x *Service) Reset() { - *x = Service{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[9] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *Service) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*Service) ProtoMessage() {} - -func (x *Service) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[9] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use Service.ProtoReflect.Descriptor instead. -func (*Service) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{9} -} - -func (x *Service) GetMetadata() *K8SObjectMeta { - if x != nil { - return x.Metadata - } - return nil -} - -func (x *Service) GetPorts() []*ServicePort { - if x != nil { - return x.Ports - } - return nil -} - -func (x *Service) GetSelector() map[string]string { - if x != nil { - return x.Selector - } - return nil -} - -func (x *Service) GetClusterIP() string { - if x != nil { - return x.ClusterIP - } - return "" -} - -func (x *Service) GetType() string { - if x != nil { - return x.Type - } - return "" -} - -func (x *Service) GetExternalIPs() []string { - if x != nil { - return x.ExternalIPs - } - return nil -} - -func (x *Service) GetSessionAffinity() string { - if x != nil { - return x.SessionAffinity - } - return "" -} - -func (x *Service) GetLoadBalancerIP() string { - if x != nil { - return x.LoadBalancerIP - } - return "" -} - -func (x *Service) GetLoadBalancerSourceRanges() []string { - if x != nil { - return x.LoadBalancerSourceRanges - } - return nil -} - -func (x *Service) GetExternalName() string { - if x != nil { - return x.ExternalName - } - return "" -} - -func (x *Service) GetExternalTrafficPolicy() string { - if x != nil { - return x.ExternalTrafficPolicy - } - return "" -} - -func (x *Service) GetHealthCheckNodePort() int32 { - if x != nil { - return x.HealthCheckNodePort - } - return 0 -} - -func (x *Service) GetPublishNotReadyAddresses() *wrappers.BoolValue { - if x != nil { - return x.PublishNotReadyAddresses - } - return nil -} - -func (x *Service) GetSessionAffinityConfig() *v1.SessionAffinityConfig { - if x != nil { - return x.SessionAffinityConfig - } - return nil -} - -func (x *Service) GetIpFamily() string { - if x != nil { - return x.IpFamily - } - return "" -} - -// Service describes the attributes that a user creates on a service. -type UnprotectedService struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Metadata *K8SObjectMeta `protobuf:"bytes,16,opt,name=metadata,proto3" json:"metadata,omitempty"` - // The list of ports that are exposed by this service. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - // +patchMergeKey=port - // +patchStrategy=merge - // +listType=map - // +listMapKey=port - // +listMapKey=protocol - Ports []*ServicePort `protobuf:"bytes,1,rep,name=ports,proto3" json:"ports,omitempty"` - // Route service traffic to pods with label keys and values matching this - // selector. If empty or not present, the service is assumed to have an - // external process managing its endpoints, which Kubernetes will not - // modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - // Ignored if type is ExternalName. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/ - // +optional - Selector map[string]string `protobuf:"bytes,2,rep,name=selector,proto3" json:"selector,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - // clusterIP is the IP address of the service and is usually assigned - // randomly by the master. If an address is specified manually and is not in - // use by others, it will be allocated to the service; otherwise, creation - // of the service will fail. This field can not be changed through updates. - // Valid values are "None", empty string (""), or a valid IP address. "None" - // can be specified for headless services when proxying is not required. - // Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if - // type is ExternalName. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - // +optional - ClusterIP string `protobuf:"bytes,3,opt,name=clusterIP,proto3" json:"clusterIP,omitempty"` - // type determines how the Service is exposed. Defaults to ClusterIP. Valid - // options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - // "ExternalName" maps to the specified externalName. - // "ClusterIP" allocates a cluster-internal IP address for load-balancing to - // endpoints. Endpoints are determined by the selector or if that is not - // specified, by manual construction of an Endpoints object. If clusterIP is - // "None", no virtual IP is allocated and the endpoints are published as a - // set of endpoints rather than a stable IP. - // "NodePort" builds on ClusterIP and allocates a port on every node which - // routes to the clusterIP. - // "LoadBalancer" builds on NodePort and creates an - // external load-balancer (if supported in the current cloud) which routes - // to the clusterIP. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - // +optional - // +kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer - Type string `protobuf:"bytes,4,opt,name=type,proto3" json:"type,omitempty"` - // externalIPs is a list of IP addresses for which nodes in the cluster - // will also accept traffic for this service. These IPs are not managed by - // Kubernetes. The user is responsible for ensuring that traffic arrives - // at a node with this IP. A common example is external load-balancers - // that are not part of the Kubernetes system. - // +optional - ExternalIPs []string `protobuf:"bytes,5,rep,name=externalIPs,proto3" json:"externalIPs,omitempty"` - // Supports "ClientIP" and "None". Used to maintain session affinity. - // Enable client IP based session affinity. - // Must be ClientIP or None. - // Defaults to None. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - // +optional - SessionAffinity string `protobuf:"bytes,7,opt,name=sessionAffinity,proto3" json:"sessionAffinity,omitempty"` - // Only applies to Service Type: LoadBalancer - // LoadBalancer will get created with the IP specified in this field. - // This feature depends on whether the underlying cloud-provider supports specifying - // the loadBalancerIP when a load balancer is created. - // This field will be ignored if the cloud-provider does not support the feature. - // +optional - LoadBalancerIP string `protobuf:"bytes,8,opt,name=loadBalancerIP,proto3" json:"loadBalancerIP,omitempty"` - // If specified and supported by the platform, this will restrict traffic through the cloud-provider - // load-balancer will be restricted to the specified client IPs. This field will be ignored if the - // cloud-provider does not support the feature." - // More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - // +optional - LoadBalancerSourceRanges []string `protobuf:"bytes,9,rep,name=loadBalancerSourceRanges,proto3" json:"loadBalancerSourceRanges,omitempty"` - // externalName is the external reference that kubedns or equivalent will - // return as a CNAME record for this service. No proxying will be involved. - // Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - // and requires Type to be ExternalName. - // +optional - ExternalName string `protobuf:"bytes,10,opt,name=externalName,proto3" json:"externalName,omitempty"` - // externalTrafficPolicy denotes if this Service desires to route external - // traffic to node-local or cluster-wide endpoints. "Local" preserves the - // client source IP and avoids a second hop for LoadBalancer and Nodeport - // type services, but risks potentially imbalanced traffic spreading. - // "Cluster" obscures the client source IP and may cause a second hop to - // another node, but should have good overall load-spreading. - // +optional - ExternalTrafficPolicy string `protobuf:"bytes,11,opt,name=externalTrafficPolicy,proto3" json:"externalTrafficPolicy,omitempty"` - // healthCheckNodePort specifies the healthcheck nodePort for the service. - // If not specified, HealthCheckNodePort is created by the service api - // backend with the allocated nodePort. Will use user-specified nodePort value - // if specified by the client. Only effects when Type is set to LoadBalancer - // and ExternalTrafficPolicy is set to Local. - // +optional - HealthCheckNodePort int32 `protobuf:"varint,12,opt,name=healthCheckNodePort,proto3" json:"healthCheckNodePort,omitempty"` - // publishNotReadyAddresses, when set to true, indicates that DNS implementations - // must publish the notReadyAddresses of subsets for the Endpoints associated with - // the Service. The default value is false. - // The primary use case for setting this field is to use a StatefulSet's Headless Service - // to propagate SRV records for its Pods without respect to their readiness for purpose - // of peer discovery. - // +optional - PublishNotReadyAddresses *wrappers.BoolValue `protobuf:"bytes,13,opt,name=publishNotReadyAddresses,proto3" json:"publishNotReadyAddresses,omitempty"` - // sessionAffinityConfig contains the configurations of session affinity. - // +optional - SessionAffinityConfig *v1.SessionAffinityConfig `protobuf:"bytes,14,opt,name=sessionAffinityConfig,proto3" json:"sessionAffinityConfig,omitempty"` - // ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. - // IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is - // available in the cluster. If no IP family is requested, the cluster's primary IP family will be used. - // Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which - // allocate external load-balancers should use the same IP family. Endpoints for this Service will be of - // this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the - // cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment. - // +optional - IpFamily string `protobuf:"bytes,15,opt,name=ipFamily,proto3" json:"ipFamily,omitempty"` -} - -func (x *UnprotectedService) Reset() { - *x = UnprotectedService{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[10] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *UnprotectedService) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*UnprotectedService) ProtoMessage() {} - -func (x *UnprotectedService) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[10] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use UnprotectedService.ProtoReflect.Descriptor instead. -func (*UnprotectedService) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{10} -} - -func (x *UnprotectedService) GetMetadata() *K8SObjectMeta { - if x != nil { - return x.Metadata - } - return nil -} - -func (x *UnprotectedService) GetPorts() []*ServicePort { - if x != nil { - return x.Ports - } - return nil -} - -func (x *UnprotectedService) GetSelector() map[string]string { - if x != nil { - return x.Selector - } - return nil -} - -func (x *UnprotectedService) GetClusterIP() string { - if x != nil { - return x.ClusterIP - } - return "" -} - -func (x *UnprotectedService) GetType() string { - if x != nil { - return x.Type - } - return "" -} - -func (x *UnprotectedService) GetExternalIPs() []string { - if x != nil { - return x.ExternalIPs - } - return nil -} - -func (x *UnprotectedService) GetSessionAffinity() string { - if x != nil { - return x.SessionAffinity - } - return "" -} - -func (x *UnprotectedService) GetLoadBalancerIP() string { - if x != nil { - return x.LoadBalancerIP - } - return "" -} - -func (x *UnprotectedService) GetLoadBalancerSourceRanges() []string { - if x != nil { - return x.LoadBalancerSourceRanges - } - return nil -} - -func (x *UnprotectedService) GetExternalName() string { - if x != nil { - return x.ExternalName - } - return "" -} - -func (x *UnprotectedService) GetExternalTrafficPolicy() string { - if x != nil { - return x.ExternalTrafficPolicy - } - return "" -} - -func (x *UnprotectedService) GetHealthCheckNodePort() int32 { - if x != nil { - return x.HealthCheckNodePort - } - return 0 -} - -func (x *UnprotectedService) GetPublishNotReadyAddresses() *wrappers.BoolValue { - if x != nil { - return x.PublishNotReadyAddresses - } - return nil -} - -func (x *UnprotectedService) GetSessionAffinityConfig() *v1.SessionAffinityConfig { - if x != nil { - return x.SessionAffinityConfig - } - return nil -} - -func (x *UnprotectedService) GetIpFamily() string { - if x != nil { - return x.IpFamily - } - return "" -} - -// ServicePort contains information on service's port. -type ServicePort struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The name of this port within the service. This must be a DNS_LABEL. - // All ports within a ServiceSpec must have unique names. When considering - // the endpoints for a Service, this must match the 'name' field in the - // EndpointPort. - // if only one ServicePort is defined on this service. - // +optional - Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` - // The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - // Default is TCP. - // +optional - // +kubebuilder:default=TCP - Protocol string `protobuf:"bytes,2,opt,name=protocol,proto3" json:"protocol,omitempty"` - // The port that will be exposed by this service. - Port int32 `protobuf:"varint,3,opt,name=port,proto3" json:"port,omitempty"` - // Number or name of the port to access on the pods targeted by the service. - // Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - // If this is a string, it will be looked up as a named port in the - // target Pod's container ports. If this is not specified, the value - // of the 'port' field is used (an identity map). - // This field is ignored for services with clusterIP=None, and should be - // omitted or set equal to the 'port' field. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - // +optional - TargetPort *IntOrString `protobuf:"bytes,4,opt,name=targetPort,proto3" json:"targetPort,omitempty"` - // The port on each node on which this service is exposed when type=NodePort or LoadBalancer. - // Usually assigned by the system. If specified, it will be allocated to the service - // if unused or else creation of the service will fail. - // Default is to auto-allocate a port if the ServiceType of this Service requires one. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - // +optional - NodePort int32 `protobuf:"varint,5,opt,name=nodePort,proto3" json:"nodePort,omitempty"` -} - -func (x *ServicePort) Reset() { - *x = ServicePort{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[11] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ServicePort) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ServicePort) ProtoMessage() {} - -func (x *ServicePort) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[11] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ServicePort.ProtoReflect.Descriptor instead. -func (*ServicePort) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{11} -} - -func (x *ServicePort) GetName() string { - if x != nil { - return x.Name - } - return "" -} - -func (x *ServicePort) GetProtocol() string { - if x != nil { - return x.Protocol - } - return "" -} - -func (x *ServicePort) GetPort() int32 { - if x != nil { - return x.Port - } - return 0 -} - -func (x *ServicePort) GetTargetPort() *IntOrString { - if x != nil { - return x.TargetPort - } - return nil -} - -func (x *ServicePort) GetNodePort() int32 { - if x != nil { - return x.NodePort - } - return 0 -} - -type NamespacedName struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Name of the referenced Kubernetes resource - Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` - // Namespace of the referenced Kubernetes resource - Namespace string `protobuf:"bytes,2,opt,name=namespace,proto3" json:"namespace,omitempty"` -} - -func (x *NamespacedName) Reset() { - *x = NamespacedName{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[12] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *NamespacedName) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*NamespacedName) ProtoMessage() {} - -func (x *NamespacedName) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[12] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use NamespacedName.ProtoReflect.Descriptor instead. -func (*NamespacedName) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{12} -} - -func (x *NamespacedName) GetName() string { - if x != nil { - return x.Name - } - return "" -} - -func (x *NamespacedName) GetNamespace() string { - if x != nil { - return x.Namespace - } - return "" -} - -// ResourceRequirements describes the compute resource requirements. -type ResourceRequirements struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Limits describes the maximum amount of compute resources allowed. - // More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - // +optional - Limits map[string]*Quantity `protobuf:"bytes,1,rep,name=limits,proto3" json:"limits,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - // Requests describes the minimum amount of compute resources required. - // If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - // otherwise to an implementation-defined value. - // More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - // +optional - Requests map[string]*Quantity `protobuf:"bytes,2,rep,name=requests,proto3" json:"requests,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` -} - -func (x *ResourceRequirements) Reset() { - *x = ResourceRequirements{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[13] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ResourceRequirements) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ResourceRequirements) ProtoMessage() {} - -func (x *ResourceRequirements) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[13] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ResourceRequirements.ProtoReflect.Descriptor instead. -func (*ResourceRequirements) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{13} -} - -func (x *ResourceRequirements) GetLimits() map[string]*Quantity { - if x != nil { - return x.Limits - } - return nil -} - -func (x *ResourceRequirements) GetRequests() map[string]*Quantity { - if x != nil { - return x.Requests - } - return nil -} - -// Replicas contains pod replica configuration -type Replicas struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Standard Kubernetes replica count configuration - // +kubebuilder:validation:Minimum=0 - Count *wrappers.Int32Value `protobuf:"bytes,1,opt,name=count,proto3" json:"count,omitempty"` - // min is the lower limit for the number of replicas to which the autoscaler - // can scale down. - // min and max both need to be set the turn on autoscaling. - // +kubebuilder:validation:Minimum=0 - Min *wrappers.Int32Value `protobuf:"bytes,2,opt,name=min,proto3" json:"min,omitempty"` - // max is the upper limit for the number of replicas to which the autoscaler can scale up. - // min and max both need to be set the turn on autoscaling. - // It cannot be less than min. - // +kubebuilder:validation:Minimum=1 - Max *wrappers.Int32Value `protobuf:"bytes,3,opt,name=max,proto3" json:"max,omitempty"` - // target average CPU utilization (represented as a percentage of requested CPU) over all the pods; - // default 80% will be used if not specified. - // +optional - // +kubebuilder:validation:Minimum=0 - TargetCPUUtilizationPercentage *wrappers.Int32Value `protobuf:"bytes,4,opt,name=targetCPUUtilizationPercentage,proto3" json:"targetCPUUtilizationPercentage,omitempty"` -} - -func (x *Replicas) Reset() { - *x = Replicas{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[14] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *Replicas) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*Replicas) ProtoMessage() {} - -func (x *Replicas) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[14] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use Replicas.ProtoReflect.Descriptor instead. -func (*Replicas) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{14} -} - -func (x *Replicas) GetCount() *wrappers.Int32Value { - if x != nil { - return x.Count - } - return nil -} - -func (x *Replicas) GetMin() *wrappers.Int32Value { - if x != nil { - return x.Min - } - return nil -} - -func (x *Replicas) GetMax() *wrappers.Int32Value { - if x != nil { - return x.Max - } - return nil -} - -func (x *Replicas) GetTargetCPUUtilizationPercentage() *wrappers.Int32Value { - if x != nil { - return x.TargetCPUUtilizationPercentage - } - return nil -} - -type K8SResourceOverlayPatch struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - GroupVersionKind *K8SResourceOverlayPatch_GroupVersionKind `protobuf:"bytes,1,opt,name=groupVersionKind,proto3" json:"groupVersionKind,omitempty"` - ObjectKey *NamespacedName `protobuf:"bytes,2,opt,name=objectKey,proto3" json:"objectKey,omitempty"` - Patches []*K8SResourceOverlayPatch_Patch `protobuf:"bytes,3,rep,name=patches,proto3" json:"patches,omitempty"` -} - -func (x *K8SResourceOverlayPatch) Reset() { - *x = K8SResourceOverlayPatch{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[15] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *K8SResourceOverlayPatch) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*K8SResourceOverlayPatch) ProtoMessage() {} - -func (x *K8SResourceOverlayPatch) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[15] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use K8SResourceOverlayPatch.ProtoReflect.Descriptor instead. -func (*K8SResourceOverlayPatch) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{15} -} - -func (x *K8SResourceOverlayPatch) GetGroupVersionKind() *K8SResourceOverlayPatch_GroupVersionKind { - if x != nil { - return x.GroupVersionKind - } - return nil -} - -func (x *K8SResourceOverlayPatch) GetObjectKey() *NamespacedName { - if x != nil { - return x.ObjectKey - } - return nil -} - -func (x *K8SResourceOverlayPatch) GetPatches() []*K8SResourceOverlayPatch_Patch { - if x != nil { - return x.Patches - } - return nil -} - -// Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and Int64() accessors. -// +cue-gen-param:intorstring=true -// +cue-gen-param:set=pattern:^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$ - - -// IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number. -// +cue-gen-param:intorstring=true - - -type DeploymentStrategy_RollingUpdateDeployment struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - MaxUnavailable *IntOrString `protobuf:"bytes,1,opt,name=maxUnavailable,proto3" json:"maxUnavailable,omitempty"` - MaxSurge *IntOrString `protobuf:"bytes,2,opt,name=maxSurge,proto3" json:"maxSurge,omitempty"` -} - -func (x *DeploymentStrategy_RollingUpdateDeployment) Reset() { - *x = DeploymentStrategy_RollingUpdateDeployment{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[21] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *DeploymentStrategy_RollingUpdateDeployment) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*DeploymentStrategy_RollingUpdateDeployment) ProtoMessage() {} - -func (x *DeploymentStrategy_RollingUpdateDeployment) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[21] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use DeploymentStrategy_RollingUpdateDeployment.ProtoReflect.Descriptor instead. -func (*DeploymentStrategy_RollingUpdateDeployment) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{4, 0} -} - -func (x *DeploymentStrategy_RollingUpdateDeployment) GetMaxUnavailable() *IntOrString { - if x != nil { - return x.MaxUnavailable - } - return nil -} - -func (x *DeploymentStrategy_RollingUpdateDeployment) GetMaxSurge() *IntOrString { - if x != nil { - return x.MaxSurge - } - return nil -} - -type K8SResourceOverlayPatch_GroupVersionKind struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Kind string `protobuf:"bytes,1,opt,name=kind,proto3" json:"kind,omitempty"` - Version string `protobuf:"bytes,2,opt,name=version,proto3" json:"version,omitempty"` - Group string `protobuf:"bytes,3,opt,name=group,proto3" json:"group,omitempty"` -} - -func (x *K8SResourceOverlayPatch_GroupVersionKind) Reset() { - *x = K8SResourceOverlayPatch_GroupVersionKind{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[26] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *K8SResourceOverlayPatch_GroupVersionKind) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*K8SResourceOverlayPatch_GroupVersionKind) ProtoMessage() {} - -func (x *K8SResourceOverlayPatch_GroupVersionKind) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[26] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use K8SResourceOverlayPatch_GroupVersionKind.ProtoReflect.Descriptor instead. -func (*K8SResourceOverlayPatch_GroupVersionKind) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{15, 0} -} - -func (x *K8SResourceOverlayPatch_GroupVersionKind) GetKind() string { - if x != nil { - return x.Kind - } - return "" -} - -func (x *K8SResourceOverlayPatch_GroupVersionKind) GetVersion() string { - if x != nil { - return x.Version - } - return "" -} - -func (x *K8SResourceOverlayPatch_GroupVersionKind) GetGroup() string { - if x != nil { - return x.Group - } - return "" -} - -type K8SResourceOverlayPatch_Patch struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Path string `protobuf:"bytes,1,opt,name=path,proto3" json:"path,omitempty"` - Value string `protobuf:"bytes,2,opt,name=value,proto3" json:"value,omitempty"` - ParseValue bool `protobuf:"varint,3,opt,name=parseValue,proto3" json:"parseValue,omitempty"` - Type K8SResourceOverlayPatch_Type `protobuf:"varint,4,opt,name=type,proto3,enum=istio_operator.v2.api.v1alpha1.K8SResourceOverlayPatch_Type" json:"type,omitempty"` -} - -func (x *K8SResourceOverlayPatch_Patch) Reset() { - *x = K8SResourceOverlayPatch_Patch{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_common_proto_msgTypes[27] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *K8SResourceOverlayPatch_Patch) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*K8SResourceOverlayPatch_Patch) ProtoMessage() {} - -func (x *K8SResourceOverlayPatch_Patch) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_common_proto_msgTypes[27] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use K8SResourceOverlayPatch_Patch.ProtoReflect.Descriptor instead. -func (*K8SResourceOverlayPatch_Patch) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_common_proto_rawDescGZIP(), []int{15, 1} -} - -func (x *K8SResourceOverlayPatch_Patch) GetPath() string { - if x != nil { - return x.Path - } - return "" -} - -func (x *K8SResourceOverlayPatch_Patch) GetValue() string { - if x != nil { - return x.Value - } - return "" -} - -func (x *K8SResourceOverlayPatch_Patch) GetParseValue() bool { - if x != nil { - return x.ParseValue - } - return false -} - -func (x *K8SResourceOverlayPatch_Patch) GetType() K8SResourceOverlayPatch_Type { - if x != nil { - return x.Type - } - return K8SResourceOverlayPatch_unspecified -} - -var File_api_v1alpha1_common_proto protoreflect.FileDescriptor - -var file_api_v1alpha1_common_proto_rawDesc = []byte{ - 0x0a, 0x19, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, - 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1e, 0x69, 0x73, 0x74, - 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, - 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61, - 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, - 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x22, 0x6b, 0x38, - 0x73, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x76, 0x31, - 0x2f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x1a, 0x20, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2f, 0x64, 0x65, 0x73, 0x63, 0x72, 0x69, 0x70, 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x1a, 0x19, 0x61, 0x70, 0x69, 0x2f, 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2f, - 0x6f, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xbf, 0x02, - 0x0a, 0x0d, 0x4b, 0x38, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x65, 0x74, 0x61, 0x12, - 0x51, 0x0a, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x39, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, - 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, - 0x2e, 0x4b, 0x38, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x65, 0x74, 0x61, 0x2e, 0x4c, - 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x06, 0x6c, 0x61, 0x62, 0x65, - 0x6c, 0x73, 0x12, 0x60, 0x0a, 0x0b, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x73, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3e, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, - 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4b, 0x38, 0x73, 0x4f, 0x62, 0x6a, 0x65, - 0x63, 0x74, 0x4d, 0x65, 0x74, 0x61, 0x2e, 0x41, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0b, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x73, 0x1a, 0x39, 0x0a, 0x0b, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, - 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x1a, - 0x3e, 0x0a, 0x10, 0x41, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x45, 0x6e, - 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, - 0xc1, 0x01, 0x0a, 0x1b, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x49, 0x6d, 0x61, - 0x67, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, - 0x10, 0x0a, 0x03, 0x68, 0x75, 0x62, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x68, 0x75, - 0x62, 0x12, 0x10, 0x0a, 0x03, 0x74, 0x61, 0x67, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, - 0x74, 0x61, 0x67, 0x12, 0x28, 0x0a, 0x0f, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x50, 0x75, 0x6c, 0x6c, - 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x69, 0x6d, - 0x61, 0x67, 0x65, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x54, 0x0a, - 0x10, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x50, 0x75, 0x6c, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, - 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, - 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x6f, 0x63, - 0x61, 0x6c, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x52, 0x65, 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, - 0x65, 0x52, 0x10, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x50, 0x75, 0x6c, 0x6c, 0x53, 0x65, 0x63, 0x72, - 0x65, 0x74, 0x73, 0x22, 0xd2, 0x02, 0x0a, 0x24, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x75, 0x62, 0x65, - 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, - 0x69, 0x6d, 0x61, 0x67, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x69, 0x6d, 0x61, - 0x67, 0x65, 0x12, 0x2c, 0x0a, 0x03, 0x65, 0x6e, 0x76, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, - 0x1a, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, - 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x52, 0x03, 0x65, 0x6e, 0x76, - 0x12, 0x52, 0x0a, 0x09, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, - 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, - 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x71, - 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x52, 0x09, 0x72, 0x65, 0x73, 0x6f, 0x75, - 0x72, 0x63, 0x65, 0x73, 0x12, 0x4d, 0x0a, 0x0f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, - 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x23, 0x2e, - 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, - 0x76, 0x31, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x74, 0x65, - 0x78, 0x74, 0x52, 0x0f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x74, - 0x65, 0x78, 0x74, 0x12, 0x43, 0x0a, 0x0c, 0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x4d, 0x6f, 0x75, - 0x6e, 0x74, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x6b, 0x38, 0x73, 0x2e, - 0x69, 0x6f, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x56, - 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x0c, 0x76, 0x6f, 0x6c, 0x75, - 0x6d, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x73, 0x22, 0xec, 0x0c, 0x0a, 0x1c, 0x42, 0x61, 0x73, - 0x65, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, - 0x72, 0x63, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x49, 0x0a, 0x08, 0x6d, 0x65, 0x74, - 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x69, 0x73, - 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, - 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4b, 0x38, 0x73, - 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x65, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, - 0x64, 0x61, 0x74, 0x61, 0x12, 0x14, 0x0a, 0x05, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x05, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x12, 0x2c, 0x0a, 0x03, 0x65, 0x6e, - 0x76, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, - 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x76, - 0x56, 0x61, 0x72, 0x52, 0x03, 0x65, 0x6e, 0x76, 0x12, 0x52, 0x0a, 0x09, 0x72, 0x65, 0x73, 0x6f, - 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x69, 0x73, - 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, - 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x73, - 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, - 0x73, 0x52, 0x09, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x72, 0x0a, 0x0c, - 0x6e, 0x6f, 0x64, 0x65, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x05, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x4e, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, - 0x68, 0x61, 0x31, 0x2e, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, - 0x65, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x2e, 0x4e, 0x6f, 0x64, 0x65, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x74, - 0x72, 0x79, 0x52, 0x0c, 0x6e, 0x6f, 0x64, 0x65, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, - 0x12, 0x38, 0x0a, 0x08, 0x61, 0x66, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x18, 0x06, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x61, 0x70, 0x69, 0x2e, - 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x66, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, - 0x52, 0x08, 0x61, 0x66, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x12, 0x4d, 0x0a, 0x0f, 0x73, 0x65, - 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x07, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x23, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x61, 0x70, 0x69, - 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, - 0x79, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x52, 0x0f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, - 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x28, 0x0a, 0x0f, 0x69, 0x6d, 0x61, - 0x67, 0x65, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x08, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0f, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x50, 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, - 0x69, 0x63, 0x79, 0x12, 0x54, 0x0a, 0x10, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x50, 0x75, 0x6c, 0x6c, - 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x28, 0x2e, - 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, - 0x76, 0x31, 0x2e, 0x4c, 0x6f, 0x63, 0x61, 0x6c, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x52, 0x65, - 0x66, 0x65, 0x72, 0x65, 0x6e, 0x63, 0x65, 0x52, 0x10, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x50, 0x75, - 0x6c, 0x6c, 0x53, 0x65, 0x63, 0x72, 0x65, 0x74, 0x73, 0x12, 0x2c, 0x0a, 0x11, 0x70, 0x72, 0x69, - 0x6f, 0x72, 0x69, 0x74, 0x79, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x0a, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x43, 0x6c, - 0x61, 0x73, 0x73, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x40, 0x0a, 0x0b, 0x74, 0x6f, 0x6c, 0x65, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x0b, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x6b, - 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, - 0x31, 0x2e, 0x54, 0x6f, 0x6c, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0b, 0x74, 0x6f, - 0x6c, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x12, 0x34, 0x0a, 0x07, 0x76, 0x6f, 0x6c, - 0x75, 0x6d, 0x65, 0x73, 0x18, 0x0c, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x6b, 0x38, 0x73, - 0x2e, 0x69, 0x6f, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, - 0x56, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x52, 0x07, 0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x73, 0x12, - 0x43, 0x0a, 0x0c, 0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x73, 0x18, - 0x0d, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x61, - 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x56, 0x6f, 0x6c, 0x75, 0x6d, - 0x65, 0x4d, 0x6f, 0x75, 0x6e, 0x74, 0x52, 0x0c, 0x76, 0x6f, 0x6c, 0x75, 0x6d, 0x65, 0x4d, 0x6f, - 0x75, 0x6e, 0x74, 0x73, 0x12, 0x44, 0x0a, 0x08, 0x72, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x73, - 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, - 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x73, - 0x52, 0x08, 0x72, 0x65, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x73, 0x12, 0x4f, 0x0a, 0x0b, 0x70, 0x6f, - 0x64, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, - 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, - 0x2e, 0x4b, 0x38, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x65, 0x74, 0x61, 0x52, 0x0b, - 0x70, 0x6f, 0x64, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x65, 0x0a, 0x13, 0x70, - 0x6f, 0x64, 0x44, 0x69, 0x73, 0x72, 0x75, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x75, 0x64, 0x67, - 0x65, 0x74, 0x18, 0x10, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, - 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, - 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x6f, 0x64, 0x44, 0x69, 0x73, - 0x72, 0x75, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x75, 0x64, 0x67, 0x65, 0x74, 0x52, 0x13, 0x70, - 0x6f, 0x64, 0x44, 0x69, 0x73, 0x72, 0x75, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x75, 0x64, 0x67, - 0x65, 0x74, 0x12, 0x62, 0x0a, 0x12, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, - 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x18, 0x11, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, - 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, - 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, - 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, - 0x67, 0x79, 0x52, 0x12, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, - 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x56, 0x0a, 0x12, 0x70, 0x6f, 0x64, 0x53, 0x65, 0x63, - 0x75, 0x72, 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x18, 0x12, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x26, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x61, 0x70, 0x69, 0x2e, - 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x6f, 0x64, 0x53, 0x65, 0x63, 0x75, 0x72, - 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x52, 0x12, 0x70, 0x6f, 0x64, 0x53, - 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74, 0x12, 0x4b, - 0x0a, 0x0d, 0x6c, 0x69, 0x76, 0x65, 0x6e, 0x65, 0x73, 0x73, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x18, - 0x13, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, - 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, - 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x0d, 0x6c, 0x69, - 0x76, 0x65, 0x6e, 0x65, 0x73, 0x73, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x4d, 0x0a, 0x0e, 0x72, - 0x65, 0x61, 0x64, 0x69, 0x6e, 0x65, 0x73, 0x73, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x18, 0x14, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, - 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, - 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x52, 0x0e, 0x72, 0x65, 0x61, 0x64, - 0x69, 0x6e, 0x65, 0x73, 0x73, 0x50, 0x72, 0x6f, 0x62, 0x65, 0x12, 0x6a, 0x0a, 0x19, 0x74, 0x6f, - 0x70, 0x6f, 0x6c, 0x6f, 0x67, 0x79, 0x53, 0x70, 0x72, 0x65, 0x61, 0x64, 0x43, 0x6f, 0x6e, 0x73, - 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x73, 0x18, 0x15, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2c, 0x2e, - 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, - 0x76, 0x31, 0x2e, 0x54, 0x6f, 0x70, 0x6f, 0x6c, 0x6f, 0x67, 0x79, 0x53, 0x70, 0x72, 0x65, 0x61, - 0x64, 0x43, 0x6f, 0x6e, 0x73, 0x74, 0x72, 0x61, 0x69, 0x6e, 0x74, 0x52, 0x19, 0x74, 0x6f, 0x70, - 0x6f, 0x6c, 0x6f, 0x67, 0x79, 0x53, 0x70, 0x72, 0x65, 0x61, 0x64, 0x43, 0x6f, 0x6e, 0x73, 0x74, - 0x72, 0x61, 0x69, 0x6e, 0x74, 0x73, 0x1a, 0x3f, 0x0a, 0x11, 0x4e, 0x6f, 0x64, 0x65, 0x53, 0x65, - 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, - 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, - 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0xea, 0x02, 0x0a, 0x12, 0x44, 0x65, 0x70, 0x6c, - 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x12, 0x12, - 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, - 0x70, 0x65, 0x12, 0x70, 0x0a, 0x0d, 0x72, 0x6f, 0x6c, 0x6c, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, - 0x61, 0x74, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x4a, 0x2e, 0x69, 0x73, 0x74, 0x69, - 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, - 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x44, 0x65, 0x70, 0x6c, 0x6f, - 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x53, 0x74, 0x72, 0x61, 0x74, 0x65, 0x67, 0x79, 0x2e, 0x52, 0x6f, - 0x6c, 0x6c, 0x69, 0x6e, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x70, 0x6c, 0x6f, - 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x52, 0x0d, 0x72, 0x6f, 0x6c, 0x6c, 0x69, 0x6e, 0x67, 0x55, 0x70, - 0x64, 0x61, 0x74, 0x65, 0x1a, 0xcd, 0x01, 0x0a, 0x17, 0x52, 0x6f, 0x6c, 0x6c, 0x69, 0x6e, 0x67, - 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x44, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, - 0x12, 0x5e, 0x0a, 0x0e, 0x6d, 0x61, 0x78, 0x55, 0x6e, 0x61, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, - 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, - 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, - 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x49, 0x6e, 0x74, 0x4f, 0x72, 0x53, - 0x74, 0x72, 0x69, 0x6e, 0x67, 0x42, 0x09, 0xfa, 0x82, 0x87, 0x03, 0x04, 0x74, 0x72, 0x75, 0x65, - 0x52, 0x0e, 0x6d, 0x61, 0x78, 0x55, 0x6e, 0x61, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, - 0x12, 0x52, 0x0a, 0x08, 0x6d, 0x61, 0x78, 0x53, 0x75, 0x72, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, - 0x68, 0x61, 0x31, 0x2e, 0x49, 0x6e, 0x74, 0x4f, 0x72, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x42, - 0x09, 0xfa, 0x82, 0x87, 0x03, 0x04, 0x74, 0x72, 0x75, 0x65, 0x52, 0x08, 0x6d, 0x61, 0x78, 0x53, - 0x75, 0x72, 0x67, 0x65, 0x22, 0xd1, 0x01, 0x0a, 0x13, 0x50, 0x6f, 0x64, 0x44, 0x69, 0x73, 0x72, - 0x75, 0x70, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x75, 0x64, 0x67, 0x65, 0x74, 0x12, 0x5a, 0x0a, 0x0c, - 0x6d, 0x69, 0x6e, 0x41, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, - 0x68, 0x61, 0x31, 0x2e, 0x49, 0x6e, 0x74, 0x4f, 0x72, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x42, - 0x09, 0xfa, 0x82, 0x87, 0x03, 0x04, 0x74, 0x72, 0x75, 0x65, 0x52, 0x0c, 0x6d, 0x69, 0x6e, 0x41, - 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x12, 0x5e, 0x0a, 0x0e, 0x6d, 0x61, 0x78, 0x55, - 0x6e, 0x61, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, - 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x49, 0x6e, 0x74, 0x4f, 0x72, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x42, 0x09, 0xfa, - 0x82, 0x87, 0x03, 0x04, 0x74, 0x72, 0x75, 0x65, 0x52, 0x0e, 0x6d, 0x61, 0x78, 0x55, 0x6e, 0x61, - 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x22, 0xb8, 0x04, 0x0a, 0x05, 0x50, 0x72, 0x6f, - 0x62, 0x65, 0x12, 0x34, 0x0a, 0x04, 0x65, 0x78, 0x65, 0x63, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x1e, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, - 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x78, 0x65, 0x63, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, - 0x48, 0x00, 0x52, 0x04, 0x65, 0x78, 0x65, 0x63, 0x12, 0x49, 0x0a, 0x07, 0x68, 0x74, 0x74, 0x70, - 0x47, 0x65, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, - 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, - 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x48, 0x54, 0x54, 0x50, 0x47, - 0x65, 0x74, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x48, 0x00, 0x52, 0x07, 0x68, 0x74, 0x74, 0x70, - 0x47, 0x65, 0x74, 0x12, 0x4f, 0x0a, 0x09, 0x74, 0x63, 0x70, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, - 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x43, 0x50, 0x53, 0x6f, 0x63, 0x6b, 0x65, - 0x74, 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x48, 0x00, 0x52, 0x09, 0x74, 0x63, 0x70, 0x53, 0x6f, - 0x63, 0x6b, 0x65, 0x74, 0x12, 0x34, 0x0a, 0x04, 0x67, 0x72, 0x70, 0x63, 0x18, 0x04, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x61, 0x70, 0x69, 0x2e, - 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x52, 0x50, 0x43, 0x41, 0x63, 0x74, 0x69, - 0x6f, 0x6e, 0x48, 0x00, 0x52, 0x04, 0x67, 0x72, 0x70, 0x63, 0x12, 0x30, 0x0a, 0x13, 0x69, 0x6e, - 0x69, 0x74, 0x69, 0x61, 0x6c, 0x44, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x65, 0x63, 0x6f, 0x6e, 0x64, - 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x05, 0x52, 0x13, 0x69, 0x6e, 0x69, 0x74, 0x69, 0x61, 0x6c, - 0x44, 0x65, 0x6c, 0x61, 0x79, 0x53, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x12, 0x26, 0x0a, 0x0e, - 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x53, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x18, 0x06, - 0x20, 0x01, 0x28, 0x05, 0x52, 0x0e, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x53, 0x65, 0x63, - 0x6f, 0x6e, 0x64, 0x73, 0x12, 0x24, 0x0a, 0x0d, 0x70, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x53, 0x65, - 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x05, 0x52, 0x0d, 0x70, 0x65, 0x72, - 0x69, 0x6f, 0x64, 0x53, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x12, 0x2a, 0x0a, 0x10, 0x73, 0x75, - 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x08, - 0x20, 0x01, 0x28, 0x05, 0x52, 0x10, 0x73, 0x75, 0x63, 0x63, 0x65, 0x73, 0x73, 0x54, 0x68, 0x72, - 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x12, 0x2a, 0x0a, 0x10, 0x66, 0x61, 0x69, 0x6c, 0x75, 0x72, - 0x65, 0x54, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, 0x6c, 0x64, 0x18, 0x09, 0x20, 0x01, 0x28, 0x05, - 0x52, 0x10, 0x66, 0x61, 0x69, 0x6c, 0x75, 0x72, 0x65, 0x54, 0x68, 0x72, 0x65, 0x73, 0x68, 0x6f, - 0x6c, 0x64, 0x12, 0x44, 0x0a, 0x1d, 0x74, 0x65, 0x72, 0x6d, 0x69, 0x6e, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x47, 0x72, 0x61, 0x63, 0x65, 0x50, 0x65, 0x72, 0x69, 0x6f, 0x64, 0x53, 0x65, 0x63, 0x6f, - 0x6e, 0x64, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x03, 0x52, 0x1d, 0x74, 0x65, 0x72, 0x6d, 0x69, - 0x6e, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x47, 0x72, 0x61, 0x63, 0x65, 0x50, 0x65, 0x72, 0x69, 0x6f, - 0x64, 0x53, 0x65, 0x63, 0x6f, 0x6e, 0x64, 0x73, 0x42, 0x09, 0x0a, 0x07, 0x68, 0x61, 0x6e, 0x64, - 0x6c, 0x65, 0x72, 0x22, 0xdd, 0x01, 0x0a, 0x0d, 0x48, 0x54, 0x54, 0x50, 0x47, 0x65, 0x74, 0x41, - 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x12, 0x4a, 0x0a, 0x04, 0x70, 0x6f, 0x72, - 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, - 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x49, 0x6e, 0x74, 0x4f, 0x72, 0x53, 0x74, - 0x72, 0x69, 0x6e, 0x67, 0x42, 0x09, 0xfa, 0x82, 0x87, 0x03, 0x04, 0x74, 0x72, 0x75, 0x65, 0x52, - 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x6f, 0x73, 0x74, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x04, 0x68, 0x6f, 0x73, 0x74, 0x12, 0x16, 0x0a, 0x06, 0x73, 0x63, 0x68, - 0x65, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x73, 0x63, 0x68, 0x65, 0x6d, - 0x65, 0x12, 0x40, 0x0a, 0x0b, 0x68, 0x74, 0x74, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, - 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1e, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, - 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x48, 0x54, 0x54, 0x50, - 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x0b, 0x68, 0x74, 0x74, 0x70, 0x48, 0x65, 0x61, 0x64, - 0x65, 0x72, 0x73, 0x22, 0x71, 0x0a, 0x0f, 0x54, 0x43, 0x50, 0x53, 0x6f, 0x63, 0x6b, 0x65, 0x74, - 0x41, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x4a, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, - 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x49, 0x6e, 0x74, 0x4f, 0x72, 0x53, 0x74, 0x72, 0x69, 0x6e, - 0x67, 0x42, 0x09, 0xfa, 0x82, 0x87, 0x03, 0x04, 0x74, 0x72, 0x75, 0x65, 0x52, 0x04, 0x70, 0x6f, - 0x72, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x68, 0x6f, 0x73, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x04, 0x68, 0x6f, 0x73, 0x74, 0x22, 0xf6, 0x06, 0x0a, 0x07, 0x53, 0x65, 0x72, 0x76, 0x69, - 0x63, 0x65, 0x12, 0x49, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x10, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, - 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4b, 0x38, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, - 0x65, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x47, 0x0a, - 0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x69, - 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, - 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x65, - 0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x6f, 0x72, 0x74, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, - 0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x12, 0x51, 0x0a, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, - 0x6f, 0x72, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, - 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, - 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, - 0x65, 0x2e, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, - 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x6c, 0x75, - 0x73, 0x74, 0x65, 0x72, 0x49, 0x50, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x63, 0x6c, - 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x50, 0x12, 0x18, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x09, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x74, 0x79, 0x70, - 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x49, 0x50, 0x73, - 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, - 0x49, 0x50, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x66, - 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x65, - 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x66, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x12, 0x26, 0x0a, - 0x0e, 0x6c, 0x6f, 0x61, 0x64, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x49, 0x50, 0x18, - 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x6c, 0x6f, 0x61, 0x64, 0x42, 0x61, 0x6c, 0x61, 0x6e, - 0x63, 0x65, 0x72, 0x49, 0x50, 0x12, 0x3a, 0x0a, 0x18, 0x6c, 0x6f, 0x61, 0x64, 0x42, 0x61, 0x6c, - 0x61, 0x6e, 0x63, 0x65, 0x72, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, - 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, 0x52, 0x18, 0x6c, 0x6f, 0x61, 0x64, 0x42, 0x61, 0x6c, - 0x61, 0x6e, 0x63, 0x65, 0x72, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, 0x6e, 0x67, 0x65, - 0x73, 0x12, 0x22, 0x0a, 0x0c, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x4e, 0x61, 0x6d, - 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, - 0x6c, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x34, 0x0a, 0x15, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, - 0x6c, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x0b, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x15, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x54, 0x72, - 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x30, 0x0a, 0x13, 0x68, - 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x6f, - 0x72, 0x74, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x05, 0x52, 0x13, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, - 0x43, 0x68, 0x65, 0x63, 0x6b, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x6f, 0x72, 0x74, 0x12, 0x56, 0x0a, - 0x18, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x73, 0x68, 0x4e, 0x6f, 0x74, 0x52, 0x65, 0x61, 0x64, 0x79, - 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, - 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x18, 0x70, 0x75, 0x62, - 0x6c, 0x69, 0x73, 0x68, 0x4e, 0x6f, 0x74, 0x52, 0x65, 0x61, 0x64, 0x79, 0x41, 0x64, 0x64, 0x72, - 0x65, 0x73, 0x73, 0x65, 0x73, 0x12, 0x5f, 0x0a, 0x15, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, - 0x41, 0x66, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x0e, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2e, 0x61, 0x70, - 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, - 0x6e, 0x41, 0x66, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, - 0x15, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x66, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, - 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x70, 0x46, 0x61, 0x6d, 0x69, - 0x6c, 0x79, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x69, 0x70, 0x46, 0x61, 0x6d, 0x69, - 0x6c, 0x79, 0x1a, 0x3b, 0x0a, 0x0d, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x45, 0x6e, - 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, - 0x80, 0x07, 0x0a, 0x12, 0x55, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x65, 0x64, 0x53, - 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x49, 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, - 0x74, 0x61, 0x18, 0x10, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, - 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, - 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4b, 0x38, 0x73, 0x4f, 0x62, 0x6a, - 0x65, 0x63, 0x74, 0x4d, 0x65, 0x74, 0x61, 0x52, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, - 0x61, 0x12, 0x41, 0x0a, 0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, - 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x6f, 0x72, 0x74, 0x52, 0x05, 0x70, - 0x6f, 0x72, 0x74, 0x73, 0x12, 0x5c, 0x0a, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, - 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x40, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, - 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x55, 0x6e, 0x70, 0x72, 0x6f, 0x74, 0x65, 0x63, - 0x74, 0x65, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x2e, 0x53, 0x65, 0x6c, 0x65, 0x63, - 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, - 0x6f, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x50, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x50, - 0x12, 0x12, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, - 0x74, 0x79, 0x70, 0x65, 0x12, 0x20, 0x0a, 0x0b, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, - 0x49, 0x50, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x65, 0x78, 0x74, 0x65, 0x72, - 0x6e, 0x61, 0x6c, 0x49, 0x50, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, - 0x6e, 0x41, 0x66, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x0f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x66, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, - 0x12, 0x26, 0x0a, 0x0e, 0x6c, 0x6f, 0x61, 0x64, 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, - 0x49, 0x50, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0e, 0x6c, 0x6f, 0x61, 0x64, 0x42, 0x61, - 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x49, 0x50, 0x12, 0x3a, 0x0a, 0x18, 0x6c, 0x6f, 0x61, 0x64, - 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, - 0x6e, 0x67, 0x65, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, 0x52, 0x18, 0x6c, 0x6f, 0x61, 0x64, - 0x42, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x61, - 0x6e, 0x67, 0x65, 0x73, 0x12, 0x22, 0x0a, 0x0c, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, - 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x65, 0x78, 0x74, 0x65, - 0x72, 0x6e, 0x61, 0x6c, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x34, 0x0a, 0x15, 0x65, 0x78, 0x74, 0x65, - 0x72, 0x6e, 0x61, 0x6c, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x15, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, - 0x6c, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x30, - 0x0a, 0x13, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x4e, 0x6f, 0x64, - 0x65, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x05, 0x52, 0x13, 0x68, 0x65, 0x61, - 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x4e, 0x6f, 0x64, 0x65, 0x50, 0x6f, 0x72, 0x74, - 0x12, 0x56, 0x0a, 0x18, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x73, 0x68, 0x4e, 0x6f, 0x74, 0x52, 0x65, - 0x61, 0x64, 0x79, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x18, 0x0d, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x18, - 0x70, 0x75, 0x62, 0x6c, 0x69, 0x73, 0x68, 0x4e, 0x6f, 0x74, 0x52, 0x65, 0x61, 0x64, 0x79, 0x41, - 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x12, 0x5f, 0x0a, 0x15, 0x73, 0x65, 0x73, 0x73, - 0x69, 0x6f, 0x6e, 0x41, 0x66, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x66, 0x69, - 0x67, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, - 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x65, 0x73, - 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x66, 0x66, 0x69, 0x6e, 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x52, 0x15, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x66, 0x66, 0x69, 0x6e, - 0x69, 0x74, 0x79, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x1a, 0x0a, 0x08, 0x69, 0x70, 0x46, - 0x61, 0x6d, 0x69, 0x6c, 0x79, 0x18, 0x0f, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x69, 0x70, 0x46, - 0x61, 0x6d, 0x69, 0x6c, 0x79, 0x1a, 0x3b, 0x0a, 0x0d, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, - 0x72, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, - 0x38, 0x01, 0x22, 0xcb, 0x01, 0x0a, 0x0b, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x50, 0x6f, - 0x72, 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, - 0x6f, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, - 0x6f, 0x6c, 0x12, 0x18, 0x0a, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x05, - 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x70, 0x6f, 0x72, 0x74, 0x12, 0x56, 0x0a, 0x0a, - 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x50, 0x6f, 0x72, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, - 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x49, 0x6e, 0x74, 0x4f, 0x72, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x42, 0x09, 0xfa, - 0x82, 0x87, 0x03, 0x04, 0x74, 0x72, 0x75, 0x65, 0x52, 0x0a, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, - 0x50, 0x6f, 0x72, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x6e, 0x6f, 0x64, 0x65, 0x50, 0x6f, 0x72, 0x74, - 0x18, 0x05, 0x20, 0x01, 0x28, 0x05, 0x52, 0x08, 0x6e, 0x6f, 0x64, 0x65, 0x50, 0x6f, 0x72, 0x74, - 0x22, 0x42, 0x0a, 0x0e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x64, 0x4e, 0x61, - 0x6d, 0x65, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1c, 0x0a, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, - 0x61, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x61, 0x6d, 0x65, 0x73, - 0x70, 0x61, 0x63, 0x65, 0x22, 0xb0, 0x03, 0x0a, 0x14, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, - 0x65, 0x52, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x12, 0x62, 0x0a, - 0x06, 0x6c, 0x69, 0x6d, 0x69, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x40, 0x2e, - 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, - 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, - 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, - 0x6e, 0x74, 0x73, 0x2e, 0x4c, 0x69, 0x6d, 0x69, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x42, - 0x08, 0xfa, 0x82, 0x87, 0x03, 0x03, 0x6d, 0x61, 0x70, 0x52, 0x06, 0x6c, 0x69, 0x6d, 0x69, 0x74, - 0x73, 0x12, 0x68, 0x0a, 0x08, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x18, 0x02, 0x20, - 0x03, 0x28, 0x0b, 0x32, 0x42, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, - 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, - 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x71, - 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, - 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x42, 0x08, 0xfa, 0x82, 0x87, 0x03, 0x03, 0x6d, 0x61, - 0x70, 0x52, 0x08, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x1a, 0x63, 0x0a, 0x0b, 0x4c, - 0x69, 0x6d, 0x69, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, - 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x3e, 0x0a, 0x05, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x69, 0x73, - 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, - 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x51, 0x75, 0x61, - 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, - 0x1a, 0x65, 0x0a, 0x0d, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x73, 0x45, 0x6e, 0x74, 0x72, - 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, - 0x6b, 0x65, 0x79, 0x12, 0x3e, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x28, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, - 0x68, 0x61, 0x31, 0x2e, 0x51, 0x75, 0x61, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x52, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x80, 0x02, 0x0a, 0x08, 0x52, 0x65, 0x70, 0x6c, - 0x69, 0x63, 0x61, 0x73, 0x12, 0x31, 0x0a, 0x05, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x52, 0x05, 0x63, 0x6f, 0x75, 0x6e, 0x74, 0x12, 0x2d, 0x0a, 0x03, 0x6d, 0x69, 0x6e, 0x18, 0x02, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x52, 0x03, 0x6d, 0x69, 0x6e, 0x12, 0x2d, 0x0a, 0x03, 0x6d, 0x61, 0x78, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x52, 0x03, 0x6d, 0x61, 0x78, 0x12, 0x63, 0x0a, 0x1e, 0x74, 0x61, 0x72, 0x67, 0x65, 0x74, 0x43, - 0x50, 0x55, 0x55, 0x74, 0x69, 0x6c, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x65, 0x72, - 0x63, 0x65, 0x6e, 0x74, 0x61, 0x67, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x1e, 0x74, 0x61, 0x72, 0x67, - 0x65, 0x74, 0x43, 0x50, 0x55, 0x55, 0x74, 0x69, 0x6c, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x50, 0x65, 0x72, 0x63, 0x65, 0x6e, 0x74, 0x61, 0x67, 0x65, 0x22, 0xe6, 0x04, 0x0a, 0x17, 0x4b, - 0x38, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, 0x6c, 0x61, - 0x79, 0x50, 0x61, 0x74, 0x63, 0x68, 0x12, 0x74, 0x0a, 0x10, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x56, - 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x4b, 0x69, 0x6e, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x48, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, - 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x4b, 0x38, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, - 0x72, 0x6c, 0x61, 0x79, 0x50, 0x61, 0x74, 0x63, 0x68, 0x2e, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x56, - 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x4b, 0x69, 0x6e, 0x64, 0x52, 0x10, 0x67, 0x72, 0x6f, 0x75, - 0x70, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x4b, 0x69, 0x6e, 0x64, 0x12, 0x4c, 0x0a, 0x09, - 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4b, 0x65, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x2e, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, - 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, - 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x64, 0x4e, 0x61, 0x6d, 0x65, 0x52, - 0x09, 0x6f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4b, 0x65, 0x79, 0x12, 0x57, 0x0a, 0x07, 0x70, 0x61, - 0x74, 0x63, 0x68, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3d, 0x2e, 0x69, 0x73, - 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, - 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4b, 0x38, 0x73, - 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, 0x6c, 0x61, 0x79, 0x50, - 0x61, 0x74, 0x63, 0x68, 0x2e, 0x50, 0x61, 0x74, 0x63, 0x68, 0x52, 0x07, 0x70, 0x61, 0x74, 0x63, - 0x68, 0x65, 0x73, 0x1a, 0x56, 0x0a, 0x10, 0x47, 0x72, 0x6f, 0x75, 0x70, 0x56, 0x65, 0x72, 0x73, - 0x69, 0x6f, 0x6e, 0x4b, 0x69, 0x6e, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6b, 0x69, 0x6e, 0x64, 0x12, 0x18, 0x0a, 0x07, 0x76, - 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x76, 0x65, - 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x18, 0x03, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x67, 0x72, 0x6f, 0x75, 0x70, 0x1a, 0xa3, 0x01, 0x0a, 0x05, - 0x50, 0x61, 0x74, 0x63, 0x68, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x61, 0x74, 0x68, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x61, 0x74, 0x68, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, - 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x12, - 0x1e, 0x0a, 0x0a, 0x70, 0x61, 0x72, 0x73, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x08, 0x52, 0x0a, 0x70, 0x61, 0x72, 0x73, 0x65, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x12, - 0x50, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x3c, 0x2e, - 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, - 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4b, - 0x38, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, 0x6c, 0x61, - 0x79, 0x50, 0x61, 0x74, 0x63, 0x68, 0x2e, 0x54, 0x79, 0x70, 0x65, 0x52, 0x04, 0x74, 0x79, 0x70, - 0x65, 0x22, 0x30, 0x0a, 0x04, 0x54, 0x79, 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x75, 0x6e, 0x73, - 0x70, 0x65, 0x63, 0x69, 0x66, 0x69, 0x65, 0x64, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x72, 0x65, - 0x70, 0x6c, 0x61, 0x63, 0x65, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x72, 0x65, 0x6d, 0x6f, 0x76, - 0x65, 0x10, 0x02, 0x22, 0x0a, 0x0a, 0x08, 0x51, 0x75, 0x61, 0x6e, 0x74, 0x69, 0x74, 0x79, 0x22, - 0x0d, 0x0a, 0x0b, 0x49, 0x6e, 0x74, 0x4f, 0x72, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x2a, 0x6f, - 0x0a, 0x0b, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x74, 0x61, 0x74, 0x65, 0x12, 0x0f, 0x0a, - 0x0b, 0x55, 0x6e, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x69, 0x65, 0x64, 0x10, 0x00, 0x12, 0x0b, - 0x0a, 0x07, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x64, 0x10, 0x01, 0x12, 0x13, 0x0a, 0x0f, 0x52, - 0x65, 0x63, 0x6f, 0x6e, 0x63, 0x69, 0x6c, 0x65, 0x46, 0x61, 0x69, 0x6c, 0x65, 0x64, 0x10, 0x02, - 0x12, 0x0f, 0x0a, 0x0b, 0x52, 0x65, 0x63, 0x6f, 0x6e, 0x63, 0x69, 0x6c, 0x69, 0x6e, 0x67, 0x10, - 0x03, 0x12, 0x0d, 0x0a, 0x09, 0x41, 0x76, 0x61, 0x69, 0x6c, 0x61, 0x62, 0x6c, 0x65, 0x10, 0x04, - 0x12, 0x0d, 0x0a, 0x09, 0x55, 0x6e, 0x6d, 0x61, 0x6e, 0x61, 0x67, 0x65, 0x64, 0x10, 0x05, 0x42, - 0x37, 0x5a, 0x35, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x62, 0x61, - 0x6e, 0x7a, 0x61, 0x69, 0x63, 0x6c, 0x6f, 0x75, 0x64, 0x2f, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2d, - 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x61, 0x70, 0x69, 0x2f, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} - -var ( - file_api_v1alpha1_common_proto_rawDescOnce sync.Once - file_api_v1alpha1_common_proto_rawDescData = file_api_v1alpha1_common_proto_rawDesc -) - -func file_api_v1alpha1_common_proto_rawDescGZIP() []byte { - file_api_v1alpha1_common_proto_rawDescOnce.Do(func() { - file_api_v1alpha1_common_proto_rawDescData = protoimpl.X.CompressGZIP(file_api_v1alpha1_common_proto_rawDescData) - }) - return file_api_v1alpha1_common_proto_rawDescData -} - -var file_api_v1alpha1_common_proto_enumTypes = make([]protoimpl.EnumInfo, 2) -var file_api_v1alpha1_common_proto_msgTypes = make([]protoimpl.MessageInfo, 28) -var file_api_v1alpha1_common_proto_goTypes = []interface{}{ - (ConfigState)(0), // 0: istio_operator.v2.api.v1alpha1.ConfigState - (K8SResourceOverlayPatch_Type)(0), // 1: istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Type - (*K8SObjectMeta)(nil), // 2: istio_operator.v2.api.v1alpha1.K8sObjectMeta - (*ContainerImageConfiguration)(nil), // 3: istio_operator.v2.api.v1alpha1.ContainerImageConfiguration - (*BaseKubernetesContainerConfiguration)(nil), // 4: istio_operator.v2.api.v1alpha1.BaseKubernetesContainerConfiguration - (*BaseKubernetesResourceConfig)(nil), // 5: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig - (*DeploymentStrategy)(nil), // 6: istio_operator.v2.api.v1alpha1.DeploymentStrategy - (*PodDisruptionBudget)(nil), // 7: istio_operator.v2.api.v1alpha1.PodDisruptionBudget - (*Probe)(nil), // 8: istio_operator.v2.api.v1alpha1.Probe - (*HTTPGetAction)(nil), // 9: istio_operator.v2.api.v1alpha1.HTTPGetAction - (*TCPSocketAction)(nil), // 10: istio_operator.v2.api.v1alpha1.TCPSocketAction - (*Service)(nil), // 11: istio_operator.v2.api.v1alpha1.Service - (*UnprotectedService)(nil), // 12: istio_operator.v2.api.v1alpha1.UnprotectedService - (*ServicePort)(nil), // 13: istio_operator.v2.api.v1alpha1.ServicePort - (*NamespacedName)(nil), // 14: istio_operator.v2.api.v1alpha1.NamespacedName - (*ResourceRequirements)(nil), // 15: istio_operator.v2.api.v1alpha1.ResourceRequirements - (*Replicas)(nil), // 16: istio_operator.v2.api.v1alpha1.Replicas - (*K8SResourceOverlayPatch)(nil), // 17: istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch - (*Quantity)(nil), // 18: istio_operator.v2.api.v1alpha1.Quantity - (*IntOrString)(nil), // 19: istio_operator.v2.api.v1alpha1.IntOrString - nil, // 20: istio_operator.v2.api.v1alpha1.K8sObjectMeta.LabelsEntry - nil, // 21: istio_operator.v2.api.v1alpha1.K8sObjectMeta.AnnotationsEntry - nil, // 22: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.NodeSelectorEntry - (*DeploymentStrategy_RollingUpdateDeployment)(nil), // 23: istio_operator.v2.api.v1alpha1.DeploymentStrategy.RollingUpdateDeployment - nil, // 24: istio_operator.v2.api.v1alpha1.Service.SelectorEntry - nil, // 25: istio_operator.v2.api.v1alpha1.UnprotectedService.SelectorEntry - nil, // 26: istio_operator.v2.api.v1alpha1.ResourceRequirements.LimitsEntry - nil, // 27: istio_operator.v2.api.v1alpha1.ResourceRequirements.RequestsEntry - (*K8SResourceOverlayPatch_GroupVersionKind)(nil), // 28: istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.GroupVersionKind - (*K8SResourceOverlayPatch_Patch)(nil), // 29: istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Patch - (*v1.LocalObjectReference)(nil), // 30: k8s.io.api.core.v1.LocalObjectReference - (*v1.EnvVar)(nil), // 31: k8s.io.api.core.v1.EnvVar - (*v1.SecurityContext)(nil), // 32: k8s.io.api.core.v1.SecurityContext - (*v1.VolumeMount)(nil), // 33: k8s.io.api.core.v1.VolumeMount - (*v1.Affinity)(nil), // 34: k8s.io.api.core.v1.Affinity - (*v1.Toleration)(nil), // 35: k8s.io.api.core.v1.Toleration - (*v1.Volume)(nil), // 36: k8s.io.api.core.v1.Volume - (*v1.PodSecurityContext)(nil), // 37: k8s.io.api.core.v1.PodSecurityContext - (*v1.TopologySpreadConstraint)(nil), // 38: k8s.io.api.core.v1.TopologySpreadConstraint - (*v1.ExecAction)(nil), // 39: k8s.io.api.core.v1.ExecAction - (*v1.GRPCAction)(nil), // 40: k8s.io.api.core.v1.GRPCAction - (*v1.HTTPHeader)(nil), // 41: k8s.io.api.core.v1.HTTPHeader - (*wrappers.BoolValue)(nil), // 42: google.protobuf.BoolValue - (*v1.SessionAffinityConfig)(nil), // 43: k8s.io.api.core.v1.SessionAffinityConfig - (*wrappers.Int32Value)(nil), // 44: google.protobuf.Int32Value -} -var file_api_v1alpha1_common_proto_depIdxs = []int32{ - 20, // 0: istio_operator.v2.api.v1alpha1.K8sObjectMeta.labels:type_name -> istio_operator.v2.api.v1alpha1.K8sObjectMeta.LabelsEntry - 21, // 1: istio_operator.v2.api.v1alpha1.K8sObjectMeta.annotations:type_name -> istio_operator.v2.api.v1alpha1.K8sObjectMeta.AnnotationsEntry - 30, // 2: istio_operator.v2.api.v1alpha1.ContainerImageConfiguration.imagePullSecrets:type_name -> k8s.io.api.core.v1.LocalObjectReference - 31, // 3: istio_operator.v2.api.v1alpha1.BaseKubernetesContainerConfiguration.env:type_name -> k8s.io.api.core.v1.EnvVar - 15, // 4: istio_operator.v2.api.v1alpha1.BaseKubernetesContainerConfiguration.resources:type_name -> istio_operator.v2.api.v1alpha1.ResourceRequirements - 32, // 5: istio_operator.v2.api.v1alpha1.BaseKubernetesContainerConfiguration.securityContext:type_name -> k8s.io.api.core.v1.SecurityContext - 33, // 6: istio_operator.v2.api.v1alpha1.BaseKubernetesContainerConfiguration.volumeMounts:type_name -> k8s.io.api.core.v1.VolumeMount - 2, // 7: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.metadata:type_name -> istio_operator.v2.api.v1alpha1.K8sObjectMeta - 31, // 8: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.env:type_name -> k8s.io.api.core.v1.EnvVar - 15, // 9: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.resources:type_name -> istio_operator.v2.api.v1alpha1.ResourceRequirements - 22, // 10: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.nodeSelector:type_name -> istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.NodeSelectorEntry - 34, // 11: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.affinity:type_name -> k8s.io.api.core.v1.Affinity - 32, // 12: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.securityContext:type_name -> k8s.io.api.core.v1.SecurityContext - 30, // 13: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.imagePullSecrets:type_name -> k8s.io.api.core.v1.LocalObjectReference - 35, // 14: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.tolerations:type_name -> k8s.io.api.core.v1.Toleration - 36, // 15: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.volumes:type_name -> k8s.io.api.core.v1.Volume - 33, // 16: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.volumeMounts:type_name -> k8s.io.api.core.v1.VolumeMount - 16, // 17: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.replicas:type_name -> istio_operator.v2.api.v1alpha1.Replicas - 2, // 18: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.podMetadata:type_name -> istio_operator.v2.api.v1alpha1.K8sObjectMeta - 7, // 19: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.podDisruptionBudget:type_name -> istio_operator.v2.api.v1alpha1.PodDisruptionBudget - 6, // 20: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.deploymentStrategy:type_name -> istio_operator.v2.api.v1alpha1.DeploymentStrategy - 37, // 21: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.podSecurityContext:type_name -> k8s.io.api.core.v1.PodSecurityContext - 8, // 22: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.livenessProbe:type_name -> istio_operator.v2.api.v1alpha1.Probe - 8, // 23: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.readinessProbe:type_name -> istio_operator.v2.api.v1alpha1.Probe - 38, // 24: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig.topologySpreadConstraints:type_name -> k8s.io.api.core.v1.TopologySpreadConstraint - 23, // 25: istio_operator.v2.api.v1alpha1.DeploymentStrategy.rollingUpdate:type_name -> istio_operator.v2.api.v1alpha1.DeploymentStrategy.RollingUpdateDeployment - 19, // 26: istio_operator.v2.api.v1alpha1.PodDisruptionBudget.minAvailable:type_name -> istio_operator.v2.api.v1alpha1.IntOrString - 19, // 27: istio_operator.v2.api.v1alpha1.PodDisruptionBudget.maxUnavailable:type_name -> istio_operator.v2.api.v1alpha1.IntOrString - 39, // 28: istio_operator.v2.api.v1alpha1.Probe.exec:type_name -> k8s.io.api.core.v1.ExecAction - 9, // 29: istio_operator.v2.api.v1alpha1.Probe.httpGet:type_name -> istio_operator.v2.api.v1alpha1.HTTPGetAction - 10, // 30: istio_operator.v2.api.v1alpha1.Probe.tcpSocket:type_name -> istio_operator.v2.api.v1alpha1.TCPSocketAction - 40, // 31: istio_operator.v2.api.v1alpha1.Probe.grpc:type_name -> k8s.io.api.core.v1.GRPCAction - 19, // 32: istio_operator.v2.api.v1alpha1.HTTPGetAction.port:type_name -> istio_operator.v2.api.v1alpha1.IntOrString - 41, // 33: istio_operator.v2.api.v1alpha1.HTTPGetAction.httpHeaders:type_name -> k8s.io.api.core.v1.HTTPHeader - 19, // 34: istio_operator.v2.api.v1alpha1.TCPSocketAction.port:type_name -> istio_operator.v2.api.v1alpha1.IntOrString - 2, // 35: istio_operator.v2.api.v1alpha1.Service.metadata:type_name -> istio_operator.v2.api.v1alpha1.K8sObjectMeta - 13, // 36: istio_operator.v2.api.v1alpha1.Service.ports:type_name -> istio_operator.v2.api.v1alpha1.ServicePort - 24, // 37: istio_operator.v2.api.v1alpha1.Service.selector:type_name -> istio_operator.v2.api.v1alpha1.Service.SelectorEntry - 42, // 38: istio_operator.v2.api.v1alpha1.Service.publishNotReadyAddresses:type_name -> google.protobuf.BoolValue - 43, // 39: istio_operator.v2.api.v1alpha1.Service.sessionAffinityConfig:type_name -> k8s.io.api.core.v1.SessionAffinityConfig - 2, // 40: istio_operator.v2.api.v1alpha1.UnprotectedService.metadata:type_name -> istio_operator.v2.api.v1alpha1.K8sObjectMeta - 13, // 41: istio_operator.v2.api.v1alpha1.UnprotectedService.ports:type_name -> istio_operator.v2.api.v1alpha1.ServicePort - 25, // 42: istio_operator.v2.api.v1alpha1.UnprotectedService.selector:type_name -> istio_operator.v2.api.v1alpha1.UnprotectedService.SelectorEntry - 42, // 43: istio_operator.v2.api.v1alpha1.UnprotectedService.publishNotReadyAddresses:type_name -> google.protobuf.BoolValue - 43, // 44: istio_operator.v2.api.v1alpha1.UnprotectedService.sessionAffinityConfig:type_name -> k8s.io.api.core.v1.SessionAffinityConfig - 19, // 45: istio_operator.v2.api.v1alpha1.ServicePort.targetPort:type_name -> istio_operator.v2.api.v1alpha1.IntOrString - 26, // 46: istio_operator.v2.api.v1alpha1.ResourceRequirements.limits:type_name -> istio_operator.v2.api.v1alpha1.ResourceRequirements.LimitsEntry - 27, // 47: istio_operator.v2.api.v1alpha1.ResourceRequirements.requests:type_name -> istio_operator.v2.api.v1alpha1.ResourceRequirements.RequestsEntry - 44, // 48: istio_operator.v2.api.v1alpha1.Replicas.count:type_name -> google.protobuf.Int32Value - 44, // 49: istio_operator.v2.api.v1alpha1.Replicas.min:type_name -> google.protobuf.Int32Value - 44, // 50: istio_operator.v2.api.v1alpha1.Replicas.max:type_name -> google.protobuf.Int32Value - 44, // 51: istio_operator.v2.api.v1alpha1.Replicas.targetCPUUtilizationPercentage:type_name -> google.protobuf.Int32Value - 28, // 52: istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.groupVersionKind:type_name -> istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.GroupVersionKind - 14, // 53: istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.objectKey:type_name -> istio_operator.v2.api.v1alpha1.NamespacedName - 29, // 54: istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.patches:type_name -> istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Patch - 19, // 55: istio_operator.v2.api.v1alpha1.DeploymentStrategy.RollingUpdateDeployment.maxUnavailable:type_name -> istio_operator.v2.api.v1alpha1.IntOrString - 19, // 56: istio_operator.v2.api.v1alpha1.DeploymentStrategy.RollingUpdateDeployment.maxSurge:type_name -> istio_operator.v2.api.v1alpha1.IntOrString - 18, // 57: istio_operator.v2.api.v1alpha1.ResourceRequirements.LimitsEntry.value:type_name -> istio_operator.v2.api.v1alpha1.Quantity - 18, // 58: istio_operator.v2.api.v1alpha1.ResourceRequirements.RequestsEntry.value:type_name -> istio_operator.v2.api.v1alpha1.Quantity - 1, // 59: istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Patch.type:type_name -> istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Type - 60, // [60:60] is the sub-list for method output_type - 60, // [60:60] is the sub-list for method input_type - 60, // [60:60] is the sub-list for extension type_name - 60, // [60:60] is the sub-list for extension extendee - 0, // [0:60] is the sub-list for field type_name -} - -func init() { file_api_v1alpha1_common_proto_init() } -func file_api_v1alpha1_common_proto_init() { - if File_api_v1alpha1_common_proto != nil { - return - } - if !protoimpl.UnsafeEnabled { - file_api_v1alpha1_common_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*K8SObjectMeta); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ContainerImageConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*BaseKubernetesContainerConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*BaseKubernetesResourceConfig); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*DeploymentStrategy); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PodDisruptionBudget); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Probe); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*HTTPGetAction); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*TCPSocketAction); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Service); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*UnprotectedService); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ServicePort); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*NamespacedName); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ResourceRequirements); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Replicas); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*K8SResourceOverlayPatch); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[21].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*DeploymentStrategy_RollingUpdateDeployment); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[26].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*K8SResourceOverlayPatch_GroupVersionKind); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_common_proto_msgTypes[27].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*K8SResourceOverlayPatch_Patch); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } - file_api_v1alpha1_common_proto_msgTypes[6].OneofWrappers = []interface{}{ - (*Probe_Exec)(nil), - (*Probe_HttpGet)(nil), - (*Probe_TcpSocket)(nil), - (*Probe_Grpc)(nil), - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_api_v1alpha1_common_proto_rawDesc, - NumEnums: 2, - NumMessages: 28, - NumExtensions: 0, - NumServices: 0, - }, - GoTypes: file_api_v1alpha1_common_proto_goTypes, - DependencyIndexes: file_api_v1alpha1_common_proto_depIdxs, - EnumInfos: file_api_v1alpha1_common_proto_enumTypes, - MessageInfos: file_api_v1alpha1_common_proto_msgTypes, - }.Build() - File_api_v1alpha1_common_proto = out.File - file_api_v1alpha1_common_proto_rawDesc = nil - file_api_v1alpha1_common_proto_goTypes = nil - file_api_v1alpha1_common_proto_depIdxs = nil -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.pb.html b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.pb.html deleted file mode 100644 index 289195ea6..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.pb.html +++ /dev/null @@ -1,2855 +0,0 @@ ---- -title: istio_operator.v2.api.v1alpha1 -layout: protoc-gen-docs -generator: protoc-gen-docs -number_of_entries: 36 ---- -

K8sObjectMeta

-
-

Generic k8s resource metadata

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
labelsmap<string, string> -

Map of string keys and values that can be used to organize and categorize -(scope and select) objects. May match selectors of replication controllers -and services. -More info: http://kubernetes.io/docs/user-guide/labels -+optional

- -		 -No -
annotationsmap<string, string> -

Annotations is an unstructured key value map stored with a resource that may be -set by external tools to store and retrieve arbitrary metadata. They are not -queryable and should be preserved when modifying objects. -More info: http://kubernetes.io/docs/user-guide/annotations -+optional

- -		 -No -
-
-

ContainerImageConfiguration

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
hubstring -

Default hub for container images.

- -		 -No -
tagstring -

Default tag for container images.

- -		 -No -
imagePullPolicystring -

Image pull policy. -One of Always, Never, IfNotPresent. -Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. -+optional -+kubebuilder:validation:Enum=Always;Never;IfNotPresent

- -		 -No -
imagePullSecretsLocalObjectReference[] -

ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images. -+optional

- -		 -No -
-
-

BaseKubernetesContainerConfiguration

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
imagestring -

Standard Kubernetes container image configuration

- -		 -No -
envEnvVar[] -

If present will be appended to the environment variables of the container

- -		 -No -
resourcesResourceRequirements -

Standard Kubernetes resource configuration, memory and CPU resource requirements

- -		 -No -
securityContextSecurityContext -

Standard Kubernetes security context configuration

- -		 -No -
volumeMountsVolumeMount[] -

Pod volumes to mount into the container’s filesystem. -Cannot be updated. -+optional -+patchMergeKey=mountPath -+patchStrategy=merge

- -		 -No -
-
-

BaseKubernetesResourceConfig

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
metadataK8sObjectMeta -

Generic k8s resource metadata

- -		 -No -
imagestring -

Standard Kubernetes container image configuration

- -		 -No -
envEnvVar[] -

If present will be appended to the environment variables of the container

- -		 -No -
resourcesResourceRequirements -

Standard Kubernetes resource configuration, memory and CPU resource requirements

- -		 -No -
nodeSelectormap<string, string> -

Standard Kubernetes node selector configuration

- -		 -No -
affinityAffinity -

Standard Kubernetes affinity configuration

- -		 -No -
securityContextSecurityContext -

Standard Kubernetes security context configuration

- -		 -No -
imagePullPolicystring -

Image pull policy. -One of Always, Never, IfNotPresent. -Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. -+optional

- -		 -No -
imagePullSecretsLocalObjectReference[] -

ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images. -+optional

- -		 -No -
priorityClassNamestring -

If specified, indicates the pod’s priority. “system-node-critical” and -“system-cluster-critical” are two special keywords which indicate the -highest priorities with the former being the highest priority. Any other -name must be defined by creating a PriorityClass object with that name. -If not specified, the pod priority will be default or zero if there is no -default. -+optional

- -		 -No -
tolerationsToleration[] -

If specified, the pod’s tolerations. -+optional

- -		 -No -
volumesVolume[] -

List of volumes that can be mounted by containers belonging to the pod. -More info: https://kubernetes.io/docs/concepts/storage/volumes -+optional -+patchMergeKey=name -+patchStrategy=merge,retainKeys

- -		 -No -
volumeMountsVolumeMount[] -

Pod volumes to mount into the container’s filesystem. -Cannot be updated. -+optional -+patchMergeKey=mountPath -+patchStrategy=merge

- -		 -No -
replicasReplicas -

Replica configuration

- -		 -No -
podMetadataK8sObjectMeta -

Standard Kubernetes pod annotation and label configuration

- -		 -No -
podDisruptionBudgetPodDisruptionBudget -

PodDisruptionBudget configuration

- -		 -No -
deploymentStrategyDeploymentStrategy -

DeploymentStrategy configuration

- -		 -No -
podSecurityContextPodSecurityContext -

Standard Kubernetes pod security context configuration

- -		 -No -
livenessProbeProbe -

Periodic probe of container liveness. -Container will be restarted if the probe fails. -Cannot be updated. -More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes -+optional

- -		 -No -
readinessProbeProbe -

Periodic probe of container service readiness. -Container will be removed from service endpoints if the probe fails. -Cannot be updated. -More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes -+optional

- -		 -No -
topologySpreadConstraintsTopologySpreadConstraint[] -

Used to control how Pods are spread across a cluster among failure-domains. -This can help to achieve high availability as well as efficient resource utilization. -More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints -+optional

- -		 -No -
-
-

DeploymentStrategy

-
- - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
typestring -

Type of deployment. Can be “Recreate” or “RollingUpdate”. Default is RollingUpdate. -+optional

- -		 -No -
rollingUpdateRollingUpdateDeployment -

Rolling update config params. Present only if DeploymentStrategyType = -RollingUpdate. -+optional

- -		 -No -
-
-

PodDisruptionBudget

-
-

PodDisruptionBudget is a description of a PodDisruptionBudget

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
minAvailableIntOrString -

An eviction is allowed if at least “minAvailable” pods selected by -“selector” will still be available after the eviction, i.e. even in the -absence of the evicted pod. So for example you can prevent all voluntary -evictions by specifying “100%”. -+optional

- -		 -No -
maxUnavailableIntOrString -

An eviction is allowed if at most “maxUnavailable” pods selected by -“selector” are unavailable after the eviction, i.e. even in absence of -the evicted pod. For example, one can prevent all voluntary evictions -by specifying 0. This is a mutually exclusive setting with “minAvailable”. -+optional

- -		 -No -
-
-

Probe

-
-

Probe describes a health check to be performed against a container to determine whether it is -alive or ready to receive traffic.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
execExecAction (oneof) -

Exec specifies the action to take. -+optional

- -		 -No -
httpGetHTTPGetAction (oneof) -

HTTPGet specifies the http request to perform. -+optional

- -		 -No -
tcpSocketTCPSocketAction (oneof) -

TCPSocket specifies an action involving a TCP port. -+optional

- -		 -No -
grpcGRPCAction (oneof) -

GRPC specifies an action involving a GRPC port. -This is a beta field and requires enabling GRPCContainerProbe feature gate. -+featureGate=GRPCContainerProbe -+optional

- -		 -No -
initialDelaySecondsint32 -

Number of seconds after the container has started before liveness probes are initiated. -More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes -+optional

- -		 -No -
timeoutSecondsint32 -

Number of seconds after which the probe times out. -Defaults to 1 second. Minimum value is 1. -More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes -+optional

- -		 -No -
periodSecondsint32 -

How often (in seconds) to perform the probe. -Default to 10 seconds. Minimum value is 1. -+optional

- -		 -No -
successThresholdint32 -

Minimum consecutive successes for the probe to be considered successful after having failed. -Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. -+optional

- -		 -No -
failureThresholdint32 -

Minimum consecutive failures for the probe to be considered failed after having succeeded. -Defaults to 3. Minimum value is 1. -+optional

- -		 -No -
terminationGracePeriodSecondsint64 -

Optional duration in seconds the pod needs to terminate gracefully upon probe failure. -The grace period is the duration in seconds after the processes running in the pod are sent -a termination signal and the time when the processes are forcibly halted with a kill signal. -Set this value longer than the expected cleanup time for your process. -If this value is nil, the pod’s terminationGracePeriodSeconds will be used. Otherwise, this -value overrides the value provided by the pod spec. -Value must be non-negative integer. The value zero indicates stop immediately via -the kill signal (no opportunity to shut down). -This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. -Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. -+optional

- -		 -No -
-
-

HTTPGetAction

-
-

HTTPGetAction describes an action based on HTTP Get requests.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
pathstring -

Path to access on the HTTP server. -+optional

- -		 -No -
portIntOrString -

Name or number of the port to access on the container. -Number must be in the range 1 to 65535. -Name must be an IANA_SVC_NAME.

- -		 -No -
hoststring -

Host name to connect to, defaults to the pod IP. You probably want to set -“Host” in httpHeaders instead. -+optional

- -		 -No -
schemestring -

Scheme to use for connecting to the host. -Defaults to HTTP. -+optional

- -		 -No -
httpHeadersHTTPHeader[] -

Custom headers to set in the request. HTTP allows repeated headers. -+optional

- -		 -No -
-
-

TCPSocketAction

-
-

TCPSocketAction describes an action based on opening a socket

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
portIntOrString -

Number or name of the port to access on the container. -Number must be in the range 1 to 65535. -Name must be an IANA_SVC_NAME.

- -		 -No -
hoststring -

Optional: Host name to connect to, defaults to the pod IP. -+optional

- -		 -No -
-
-

Service

-
-

Service describes the attributes that a user creates on a service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
metadataK8sObjectMeta - -No -
portsServicePort[] -

The list of ports that are exposed by this service. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+patchMergeKey=port -+patchStrategy=merge -+listType=map -+listMapKey=port -+listMapKey=protocol -+kubebuilder:validation:MinItems=1

- -		 -Yes -
selectormap<string, string> -

Route service traffic to pods with label keys and values matching this -selector. If empty or not present, the service is assumed to have an -external process managing its endpoints, which Kubernetes will not -modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. -Ignored if type is ExternalName. -More info: https://kubernetes.io/docs/concepts/services-networking/service/ -+optional

- -		 -No -
clusterIPstring -

clusterIP is the IP address of the service and is usually assigned -randomly by the master. If an address is specified manually and is not in -use by others, it will be allocated to the service; otherwise, creation -of the service will fail. This field can not be changed through updates. -Valid values are “None”, empty string (“”), or a valid IP address. “None” -can be specified for headless services when proxying is not required. -Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if -type is ExternalName. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+optional

- -		 -No -
typestring -

type determines how the Service is exposed. Defaults to ClusterIP. Valid -options are ExternalName, ClusterIP, NodePort, and LoadBalancer. -“ExternalName” maps to the specified externalName. -“ClusterIP” allocates a cluster-internal IP address for load-balancing to -endpoints. Endpoints are determined by the selector or if that is not -specified, by manual construction of an Endpoints object. If clusterIP is -“None”, no virtual IP is allocated and the endpoints are published as a -set of endpoints rather than a stable IP. -“NodePort” builds on ClusterIP and allocates a port on every node which -routes to the clusterIP. -“LoadBalancer” builds on NodePort and creates an -external load-balancer (if supported in the current cloud) which routes -to the clusterIP. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types -+optional -+kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer

- -		 -Yes -
externalIPsstring[] -

externalIPs is a list of IP addresses for which nodes in the cluster -will also accept traffic for this service. These IPs are not managed by -Kubernetes. The user is responsible for ensuring that traffic arrives -at a node with this IP. A common example is external load-balancers -that are not part of the Kubernetes system. -+optional

- -		 -No -
sessionAffinitystring -

Supports “ClientIP” and “None”. Used to maintain session affinity. -Enable client IP based session affinity. -Must be ClientIP or None. -Defaults to None. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+optional

- -		 -No -
loadBalancerIPstring -

Only applies to Service Type: LoadBalancer -LoadBalancer will get created with the IP specified in this field. -This feature depends on whether the underlying cloud-provider supports specifying -the loadBalancerIP when a load balancer is created. -This field will be ignored if the cloud-provider does not support the feature. -+optional

- -		 -No -
loadBalancerSourceRangesstring[] -

If specified and supported by the platform, this will restrict traffic through the cloud-provider -load-balancer will be restricted to the specified client IPs. This field will be ignored if the -cloud-provider does not support the feature.” -More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ -+optional

- -		 -No -
externalNamestring -

externalName is the external reference that kubedns or equivalent will -return as a CNAME record for this service. No proxying will be involved. -Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) -and requires Type to be ExternalName. -+optional

- -		 -No -
externalTrafficPolicystring -

externalTrafficPolicy denotes if this Service desires to route external -traffic to node-local or cluster-wide endpoints. “Local” preserves the -client source IP and avoids a second hop for LoadBalancer and Nodeport -type services, but risks potentially imbalanced traffic spreading. -“Cluster” obscures the client source IP and may cause a second hop to -another node, but should have good overall load-spreading. -+optional

- -		 -No -
healthCheckNodePortint32 -

healthCheckNodePort specifies the healthcheck nodePort for the service. -If not specified, HealthCheckNodePort is created by the service api -backend with the allocated nodePort. Will use user-specified nodePort value -if specified by the client. Only effects when Type is set to LoadBalancer -and ExternalTrafficPolicy is set to Local. -+optional

- -		 -No -
publishNotReadyAddressesBoolValue -

publishNotReadyAddresses, when set to true, indicates that DNS implementations -must publish the notReadyAddresses of subsets for the Endpoints associated with -the Service. The default value is false. -The primary use case for setting this field is to use a StatefulSet’s Headless Service -to propagate SRV records for its Pods without respect to their readiness for purpose -of peer discovery. -+optional

- -		 -No -
sessionAffinityConfigSessionAffinityConfig -

sessionAffinityConfig contains the configurations of session affinity. -+optional

- -		 -No -
ipFamilystring -

ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. -IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is -available in the cluster. If no IP family is requested, the cluster’s primary IP family will be used. -Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which -allocate external load-balancers should use the same IP family. Endpoints for this Service will be of -this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the -cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment. -+optional

- -		 -No -
-
-

UnprotectedService

-
-

Service describes the attributes that a user creates on a service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
metadataK8sObjectMeta - -No -
portsServicePort[] -

The list of ports that are exposed by this service. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+patchMergeKey=port -+patchStrategy=merge -+listType=map -+listMapKey=port -+listMapKey=protocol

- -		 -No -
selectormap<string, string> -

Route service traffic to pods with label keys and values matching this -selector. If empty or not present, the service is assumed to have an -external process managing its endpoints, which Kubernetes will not -modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. -Ignored if type is ExternalName. -More info: https://kubernetes.io/docs/concepts/services-networking/service/ -+optional

- -		 -No -
clusterIPstring -

clusterIP is the IP address of the service and is usually assigned -randomly by the master. If an address is specified manually and is not in -use by others, it will be allocated to the service; otherwise, creation -of the service will fail. This field can not be changed through updates. -Valid values are “None”, empty string (“”), or a valid IP address. “None” -can be specified for headless services when proxying is not required. -Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if -type is ExternalName. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+optional

- -		 -No -
typestring -

type determines how the Service is exposed. Defaults to ClusterIP. Valid -options are ExternalName, ClusterIP, NodePort, and LoadBalancer. -“ExternalName” maps to the specified externalName. -“ClusterIP” allocates a cluster-internal IP address for load-balancing to -endpoints. Endpoints are determined by the selector or if that is not -specified, by manual construction of an Endpoints object. If clusterIP is -“None”, no virtual IP is allocated and the endpoints are published as a -set of endpoints rather than a stable IP. -“NodePort” builds on ClusterIP and allocates a port on every node which -routes to the clusterIP. -“LoadBalancer” builds on NodePort and creates an -external load-balancer (if supported in the current cloud) which routes -to the clusterIP. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types -+optional -+kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer

- -		 -No -
externalIPsstring[] -

externalIPs is a list of IP addresses for which nodes in the cluster -will also accept traffic for this service. These IPs are not managed by -Kubernetes. The user is responsible for ensuring that traffic arrives -at a node with this IP. A common example is external load-balancers -that are not part of the Kubernetes system. -+optional

- -		 -No -
sessionAffinitystring -

Supports “ClientIP” and “None”. Used to maintain session affinity. -Enable client IP based session affinity. -Must be ClientIP or None. -Defaults to None. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+optional

- -		 -No -
loadBalancerIPstring -

Only applies to Service Type: LoadBalancer -LoadBalancer will get created with the IP specified in this field. -This feature depends on whether the underlying cloud-provider supports specifying -the loadBalancerIP when a load balancer is created. -This field will be ignored if the cloud-provider does not support the feature. -+optional

- -		 -No -
loadBalancerSourceRangesstring[] -

If specified and supported by the platform, this will restrict traffic through the cloud-provider -load-balancer will be restricted to the specified client IPs. This field will be ignored if the -cloud-provider does not support the feature.” -More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ -+optional

- -		 -No -
externalNamestring -

externalName is the external reference that kubedns or equivalent will -return as a CNAME record for this service. No proxying will be involved. -Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) -and requires Type to be ExternalName. -+optional

- -		 -No -
externalTrafficPolicystring -

externalTrafficPolicy denotes if this Service desires to route external -traffic to node-local or cluster-wide endpoints. “Local” preserves the -client source IP and avoids a second hop for LoadBalancer and Nodeport -type services, but risks potentially imbalanced traffic spreading. -“Cluster” obscures the client source IP and may cause a second hop to -another node, but should have good overall load-spreading. -+optional

- -		 -No -
healthCheckNodePortint32 -

healthCheckNodePort specifies the healthcheck nodePort for the service. -If not specified, HealthCheckNodePort is created by the service api -backend with the allocated nodePort. Will use user-specified nodePort value -if specified by the client. Only effects when Type is set to LoadBalancer -and ExternalTrafficPolicy is set to Local. -+optional

- -		 -No -
publishNotReadyAddressesBoolValue -

publishNotReadyAddresses, when set to true, indicates that DNS implementations -must publish the notReadyAddresses of subsets for the Endpoints associated with -the Service. The default value is false. -The primary use case for setting this field is to use a StatefulSet’s Headless Service -to propagate SRV records for its Pods without respect to their readiness for purpose -of peer discovery. -+optional

- -		 -No -
sessionAffinityConfigSessionAffinityConfig -

sessionAffinityConfig contains the configurations of session affinity. -+optional

- -		 -No -
ipFamilystring -

ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. -IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is -available in the cluster. If no IP family is requested, the cluster’s primary IP family will be used. -Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which -allocate external load-balancers should use the same IP family. Endpoints for this Service will be of -this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the -cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment. -+optional

- -		 -No -
-
-

ServicePort

-
-

ServicePort contains information on service’s port.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
namestring -

The name of this port within the service. This must be a DNS_LABEL. -All ports within a ServiceSpec must have unique names. When considering -the endpoints for a Service, this must match the ‘name’ field in the -EndpointPort. -if only one ServicePort is defined on this service. -+optional

- -		 -No -
protocolstring -

The IP protocol for this port. Supports “TCP”, “UDP”, and “SCTP”. -Default is TCP. -+optional -+kubebuilder:default=TCP

- -		 -No -
portint32 -

The port that will be exposed by this service.

- -		 -Yes -
targetPortIntOrString -

Number or name of the port to access on the pods targeted by the service. -Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. -If this is a string, it will be looked up as a named port in the -target Pod’s container ports. If this is not specified, the value -of the ‘port’ field is used (an identity map). -This field is ignored for services with clusterIP=None, and should be -omitted or set equal to the ‘port’ field. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service -+optional

- -		 -No -
nodePortint32 -

The port on each node on which this service is exposed when type=NodePort or LoadBalancer. -Usually assigned by the system. If specified, it will be allocated to the service -if unused or else creation of the service will fail. -Default is to auto-allocate a port if the ServiceType of this Service requires one. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport -+optional

- -		 -No -
-
-

NamespacedName

-
- - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
namestring -

Name of the referenced Kubernetes resource

- -		 -No -
namespacestring -

Namespace of the referenced Kubernetes resource

- -		 -No -
-
-

ResourceRequirements

-
-

ResourceRequirements describes the compute resource requirements.

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
limitsmap<string, Quantity> -

Limits describes the maximum amount of compute resources allowed. -More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -+optional

- -		 -No -
requestsmap<string, Quantity> -

Requests describes the minimum amount of compute resources required. -If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, -otherwise to an implementation-defined value. -More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -+optional

- -		 -No -
-
-

Replicas

-
-

Replicas contains pod replica configuration

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
countInt32Value -

Standard Kubernetes replica count configuration -+kubebuilder:validation:Minimum=0

- -		 -No -
minInt32Value -

min is the lower limit for the number of replicas to which the autoscaler -can scale down. -min and max both need to be set the turn on autoscaling. -+kubebuilder:validation:Minimum=0

- -		 -No -
maxInt32Value -

max is the upper limit for the number of replicas to which the autoscaler can scale up. -min and max both need to be set the turn on autoscaling. -It cannot be less than min. -+kubebuilder:validation:Minimum=1

- -		 -No -
targetCPUUtilizationPercentageInt32Value -

target average CPU utilization (represented as a percentage of requested CPU) over all the pods; -default 80% will be used if not specified. -+optional -+kubebuilder:validation:Minimum=0

- -		 -No -
-
-

K8sResourceOverlayPatch

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
groupVersionKindGroupVersionKind - -No -
objectKeyNamespacedName - -No -
patchesPatch[] - -No -
-
-

Quantity

-
-

Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and Int64() accessors. -+cue-gen-param:intorstring=true -+cue-gen-param:set=pattern:^(\+|-)?(([0-9]+(\.[0-9])?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|(eE?(([0-9]+(\.[0-9])?)|(\.[0-9]+))))?$ -GOTYPE: *Quantity

- -
-

IntOrString

-
-

IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number. -+cue-gen-param:intorstring=true -GOTYPE: *IntOrString

- -
-

DeploymentStrategy.RollingUpdateDeployment

-
- - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
maxUnavailableIntOrString - -No -
maxSurgeIntOrString - -No -
-
-

K8sResourceOverlayPatch.GroupVersionKind

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
kindstring - -No -
versionstring - -No -
groupstring - -No -
-
-

K8sResourceOverlayPatch.Patch

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
pathstring - -No -
valuestring - -No -
parseValuebool - -No -
typeType - -No -
-
-

k8s.io.api.core.v1.LocalObjectReference

-
-

LocalObjectReference contains enough information to let you locate the -referenced object inside the same namespace. -+structType=atomic

- - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
namestring -

Name of the referent. -More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names -TODO: Add other useful fields. apiVersion, kind, uid? -+optional

- -		 -No -
-
-

k8s.io.api.core.v1.EnvVar

-
-

EnvVar represents an environment variable present in a Container.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
namestring -

Name of the environment variable. Must be a C_IDENTIFIER.

- -		 -No -
valuestring -

Variable references $(VAR_NAME) are expanded -using the previously defined environment variables in the container and -any service environment variables. If a variable cannot be resolved, -the reference in the input string will be unchanged. Double $$ are reduced -to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. -“$$(VAR_NAME)” will produce the string literal “$(VAR_NAME)”. -Escaped references will never be expanded, regardless of whether the variable -exists or not. -Defaults to “”. -+optional

- -		 -No -
valueFromEnvVarSource -

Source for the environment variable’s value. Cannot be used if value is not empty. -+optional

- -		 -No -
-
-

k8s.io.api.core.v1.SecurityContext

-
-

SecurityContext holds security configuration that will be applied to a container. -Some fields are present in both SecurityContext and PodSecurityContext. When both -are set, the values in SecurityContext take precedence.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
capabilitiesCapabilities -

The capabilities to add/drop when running containers. -Defaults to the default set of capabilities granted by the container runtime. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
privilegedbool -

Run container in privileged mode. -Processes in privileged containers are essentially equivalent to root on the host. -Defaults to false. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
seLinuxOptionsSELinuxOptions -

The SELinux context to be applied to the container. -If unspecified, the container runtime will allocate a random SELinux context for each -container. May also be set in PodSecurityContext. If set in both SecurityContext and -PodSecurityContext, the value specified in SecurityContext takes precedence. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
windowsOptionsWindowsSecurityContextOptions -

The Windows specific settings applied to all containers. -If unspecified, the options from the PodSecurityContext will be used. -If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. -Note that this field cannot be set when spec.os.name is linux. -+optional

- -		 -No -
runAsUserint64 -

The UID to run the entrypoint of the container process. -Defaults to user specified in image metadata if unspecified. -May also be set in PodSecurityContext. If set in both SecurityContext and -PodSecurityContext, the value specified in SecurityContext takes precedence. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
runAsGroupint64 -

The GID to run the entrypoint of the container process. -Uses runtime default if unset. -May also be set in PodSecurityContext. If set in both SecurityContext and -PodSecurityContext, the value specified in SecurityContext takes precedence. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
runAsNonRootbool -

Indicates that the container must run as a non-root user. -If true, the Kubelet will validate the image at runtime to ensure that it -does not run as UID 0 (root) and fail to start the container if it does. -If unset or false, no such validation will be performed. -May also be set in PodSecurityContext. If set in both SecurityContext and -PodSecurityContext, the value specified in SecurityContext takes precedence. -+optional

- -		 -No -
readOnlyRootFilesystembool -

Whether this container has a read-only root filesystem. -Default is false. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
allowPrivilegeEscalationbool -

AllowPrivilegeEscalation controls whether a process can gain more -privileges than its parent process. This bool directly controls if -the no_new_privs flag will be set on the container process. -AllowPrivilegeEscalation is true always when the container is: -1) run as Privileged -2) has CAP_SYS_ADMIN -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
procMountstring -

procMount denotes the type of proc mount to use for the containers. -The default is DefaultProcMount which uses the container runtime defaults for -readonly paths and masked paths. -This requires the ProcMountType feature flag to be enabled. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
seccompProfileSeccompProfile -

The seccomp options to use by this container. If seccomp options are -provided at both the pod & container level, the container options -override the pod options. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
-
-

k8s.io.api.core.v1.VolumeMount

-
-

VolumeMount describes a mounting of a Volume within a container.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
namestring -

This must match the Name of a Volume.

- -		 -No -
readOnlybool -

Mounted read-only if true, read-write otherwise (false or unspecified). -Defaults to false. -+optional

- -		 -No -
mountPathstring -

Path within the container at which the volume should be mounted. Must -not contain ‘:’.

- -		 -No -
subPathstring -

Path within the volume from which the container’s volume should be mounted. -Defaults to “” (volume’s root). -+optional

- -		 -No -
mountPropagationstring -

mountPropagation determines how mounts are propagated from the host -to container and the other way around. -When not set, MountPropagationNone is used. -This field is beta in 1.10. -+optional

- -		 -No -
subPathExprstring -

Expanded path within the volume from which the container’s volume should be mounted. -Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container’s environment. -Defaults to “” (volume’s root). -SubPathExpr and SubPath are mutually exclusive. -+optional

- -		 -No -
-
-

k8s.io.api.core.v1.Affinity

-
-

Affinity is a group of affinity scheduling rules.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
nodeAffinityNodeAffinity -

Describes node affinity scheduling rules for the pod. -+optional

- -		 -No -
podAffinityPodAffinity -

Describes pod affinity scheduling rules (e.g. co-locate this pod in the same node, zone, etc. as some other pod(s)). -+optional

- -		 -No -
podAntiAffinityPodAntiAffinity -

Describes pod anti-affinity scheduling rules (e.g. avoid putting this pod in the same node, zone, etc. as some other pod(s)). -+optional

- -		 -No -
-
-

k8s.io.api.core.v1.Toleration

-
-

The pod this Toleration is attached to tolerates any taint that matches -the triple using the matching operator .

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
keystring -

Key is the taint key that the toleration applies to. Empty means match all taint keys. -If the key is empty, operator must be Exists; this combination means to match all values and all keys. -+optional

- -		 -No -
operatorstring -

Operator represents a key’s relationship to the value. -Valid operators are Exists and Equal. Defaults to Equal. -Exists is equivalent to wildcard for value, so that a pod can -tolerate all taints of a particular category. -+optional

- -		 -No -
valuestring -

Value is the taint value the toleration matches to. -If the operator is Exists, the value should be empty, otherwise just a regular string. -+optional

- -		 -No -
effectstring -

Effect indicates the taint effect to match. Empty means match all taint effects. -When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. -+optional

- -		 -No -
tolerationSecondsint64 -

TolerationSeconds represents the period of time the toleration (which must be -of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, -it is not set, which means tolerate the taint forever (do not evict). Zero and -negative values will be treated as 0 (evict immediately) by the system. -+optional

- -		 -No -
-
-

k8s.io.api.core.v1.Volume

-
-

Volume represents a named volume in a pod that may be accessed by any container in the pod.

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
namestring -

name of the volume. -Must be a DNS_LABEL and unique within the pod. -More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

- -		 -No -
volumeSourceVolumeSource -

volumeSource represents the location and type of the mounted volume. -If not specified, the Volume is implied to be an EmptyDir. -This implied behavior is deprecated and will be removed in a future version.

- -		 -No -
-
-

k8s.io.api.core.v1.PodSecurityContext

-
-

PodSecurityContext holds pod-level security attributes and common container settings. -Some fields are also present in container.securityContext. Field values of -container.securityContext take precedence over field values of PodSecurityContext.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
seLinuxOptionsSELinuxOptions -

The SELinux context to be applied to all containers. -If unspecified, the container runtime will allocate a random SELinux context for each -container. May also be set in SecurityContext. If set in -both SecurityContext and PodSecurityContext, the value specified in SecurityContext -takes precedence for that container. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
windowsOptionsWindowsSecurityContextOptions -

The Windows specific settings applied to all containers. -If unspecified, the options within a container’s SecurityContext will be used. -If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. -Note that this field cannot be set when spec.os.name is linux. -+optional

- -		 -No -
runAsUserint64 -

The UID to run the entrypoint of the container process. -Defaults to user specified in image metadata if unspecified. -May also be set in SecurityContext. If set in both SecurityContext and -PodSecurityContext, the value specified in SecurityContext takes precedence -for that container. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
runAsGroupint64 -

The GID to run the entrypoint of the container process. -Uses runtime default if unset. -May also be set in SecurityContext. If set in both SecurityContext and -PodSecurityContext, the value specified in SecurityContext takes precedence -for that container. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
runAsNonRootbool -

Indicates that the container must run as a non-root user. -If true, the Kubelet will validate the image at runtime to ensure that it -does not run as UID 0 (root) and fail to start the container if it does. -If unset or false, no such validation will be performed. -May also be set in SecurityContext. If set in both SecurityContext and -PodSecurityContext, the value specified in SecurityContext takes precedence. -+optional

- -		 -No -
supplementalGroupsint64[] -

A list of groups applied to the first process run in each container, in addition -to the container’s primary GID. If unspecified, no groups will be added to -any container. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
fsGroupint64 -

A special supplemental group that applies to all containers in a pod. -Some volume types allow the Kubelet to change the ownership of that volume -to be owned by the pod:

- -
    -
  1. The owning GID will be the FSGroup
    2. -
  2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
    3. -
  3. The permission bits are OR’d with rw-rw—-
    4. -
- -

If unset, the Kubelet will not modify the ownership and permissions of any volume. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
sysctlsSysctl[] -

Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported -sysctls (by the container runtime) might fail to launch. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
fsGroupChangePolicystring -

fsGroupChangePolicy defines behavior of changing ownership and permission of the volume -before being exposed inside Pod. This field will only apply to -volume types which support fsGroup based ownership(and permissions). -It will have no effect on ephemeral volume types such as: secret, configmaps -and emptydir. -Valid values are “OnRootMismatch” and “Always”. If not specified, “Always” is used. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
seccompProfileSeccompProfile -

The seccomp options to use by the containers in this pod. -Note that this field cannot be set when spec.os.name is windows. -+optional

- -		 -No -
-
-

k8s.io.api.core.v1.TopologySpreadConstraint

-
-

TopologySpreadConstraint specifies how to spread matching pods among the given topology.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
maxSkewint32 -

MaxSkew describes the degree to which pods may be unevenly distributed. -When whenUnsatisfiable=DoNotSchedule, it is the maximum permitted difference -between the number of matching pods in the target topology and the global minimum. -For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same -labelSelector spread as 1/1/0: -+——-+——-+——-+ -| zone1 | zone2 | zone3 | -+——-+——-+——-+ -| P | P | | -+——-+——-+——-+ -- if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1; -scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2) -violate MaxSkew(1). -- if MaxSkew is 2, incoming pod can be scheduled onto any zone. -When whenUnsatisfiable=ScheduleAnyway, it is used to give higher precedence -to topologies that satisfy it. -It’s a required field. Default value is 1 and 0 is not allowed.

- -		 -No -
topologyKeystring -

TopologyKey is the key of node labels. Nodes that have a label with this key -and identical values are considered to be in the same topology. -We consider each as a “bucket”, and try to put balanced number -of pods into each bucket. -It’s a required field.

- -		 -No -
whenUnsatisfiablestring -

WhenUnsatisfiable indicates how to deal with a pod if it doesn’t satisfy -the spread constraint. -- DoNotSchedule (default) tells the scheduler not to schedule it. -- ScheduleAnyway tells the scheduler to schedule the pod in any location, - but giving higher precedence to topologies that would help reduce the - skew. -A constraint is considered “Unsatisfiable” for an incoming pod -if and only if every possible node assignment for that pod would violate -“MaxSkew” on some topology. -For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same -labelSelector spread as 3/1/1: -+——-+——-+——-+ -| zone1 | zone2 | zone3 | -+——-+——-+——-+ -| P P P | P | P | -+——-+——-+——-+ -If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled -to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies -MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler -won’t make it more imbalanced. -It’s a required field.

- -		 -No -
labelSelectorLabelSelector -

LabelSelector is used to find matching pods. -Pods that match this label selector are counted to determine the number of pods -in their corresponding topology domain. -+optional

- -		 -No -
-
-

k8s.io.api.core.v1.ExecAction

-
-

ExecAction describes a “run in container” action.

- - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
commandstring[] -

Command is the command line to execute inside the container, the working directory for the -command is root (‘/’) in the container’s filesystem. The command is simply exec’d, it is -not run inside a shell, so traditional shell instructions (‘|’, etc) won’t work. To use -a shell, you need to explicitly call out to that shell. -Exit status of 0 is treated as live/healthy and non-zero is unhealthy. -+optional

- -		 -No -
-
-

k8s.io.api.core.v1.GRPCAction

-
- - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
portint32 -

Port number of the gRPC service. Number must be in the range 1 to 65535.

- -		 -No -
servicestring -

Service is the name of the service to place in the gRPC HealthCheckRequest -(see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).

- -

If this is not specified, the default behavior is defined by gRPC. -+optional -+default=“”

- -		 -No -
-
-

k8s.io.api.core.v1.HTTPHeader

-
-

HTTPHeader describes a custom header to be used in HTTP probes

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
namestring -

The header field name

- -		 -No -
valuestring -

The header field value

- -		 -No -
-
-

k8s.io.api.core.v1.SessionAffinityConfig

-
-

SessionAffinityConfig represents the configurations of session affinity.

- - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
clientIPClientIPConfig -

clientIP contains the configurations of Client IP based session affinity. -+optional

- -		 -No -
-
-

K8sResourceOverlayPatch.Type

-
- - - - - - - - - - - - - - - - - - - - - -
NameDescription
unspecified -
replace -
remove -
-
-

ConfigState

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameDescription
Unspecified -
Created -
ReconcileFailed -
Reconciling -
Available -
Unmanaged -
-
diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.proto b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.proto deleted file mode 100644 index 80065b146..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common.proto +++ /dev/null @@ -1,707 +0,0 @@ -// Copyright 2021 Cisco Systems, Inc. and/or its affiliates. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -syntax = "proto3"; - -import "google/protobuf/wrappers.proto"; -import "google/api/field_behavior.proto"; -import "k8s.io/api/core/v1/generated.proto"; -import "google/protobuf/descriptor.proto"; -import "api/options/options.proto"; - -package istio_operator.v2.api.v1alpha1; - -option go_package = "github.com/banzaicloud/istio-operator/v2/api/v1alpha1"; - -// Generic k8s resource metadata -message K8sObjectMeta { - // Map of string keys and values that can be used to organize and categorize - // (scope and select) objects. May match selectors of replication controllers - // and services. - // More info: http://kubernetes.io/docs/user-guide/labels - // +optional - map labels = 11; - - // Annotations is an unstructured key value map stored with a resource that may be - // set by external tools to store and retrieve arbitrary metadata. They are not - // queryable and should be preserved when modifying objects. - // More info: http://kubernetes.io/docs/user-guide/annotations - // +optional - map annotations = 12; -} - -message ContainerImageConfiguration { - // Default hub for container images. - string hub = 1; - - // Default tag for container images. - string tag = 2; - - // Image pull policy. - // One of Always, Never, IfNotPresent. - // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - // +optional - // +kubebuilder:validation:Enum=Always;Never;IfNotPresent - string imagePullPolicy = 3; - - // ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images. - // +optional - repeated k8s.io.api.core.v1.LocalObjectReference imagePullSecrets = 4; -} - -message BaseKubernetesContainerConfiguration { - // Standard Kubernetes container image configuration - string image = 1; - - // If present will be appended to the environment variables of the container - repeated k8s.io.api.core.v1.EnvVar env = 2; - - // Standard Kubernetes resource configuration, memory and CPU resource requirements - ResourceRequirements resources = 3; - - // Standard Kubernetes security context configuration - k8s.io.api.core.v1.SecurityContext securityContext = 4; - - // Pod volumes to mount into the container's filesystem. - // Cannot be updated. - // +optional - // +patchMergeKey=mountPath - // +patchStrategy=merge - repeated k8s.io.api.core.v1.VolumeMount volumeMounts = 5; -} - -message BaseKubernetesResourceConfig { - // Generic k8s resource metadata - K8sObjectMeta metadata = 1; - - // Standard Kubernetes container image configuration - string image = 2; - - // If present will be appended to the environment variables of the container - repeated k8s.io.api.core.v1.EnvVar env = 3; - - // Standard Kubernetes resource configuration, memory and CPU resource requirements - ResourceRequirements resources = 4; - - // Standard Kubernetes node selector configuration - map nodeSelector = 5; - - // Standard Kubernetes affinity configuration - k8s.io.api.core.v1.Affinity affinity = 6; - - // Standard Kubernetes security context configuration - k8s.io.api.core.v1.SecurityContext securityContext = 7; - - // Image pull policy. - // One of Always, Never, IfNotPresent. - // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. - // +optional - string imagePullPolicy = 8; - - // ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images. - // +optional - repeated k8s.io.api.core.v1.LocalObjectReference imagePullSecrets = 9; - - // If specified, indicates the pod's priority. "system-node-critical" and - // "system-cluster-critical" are two special keywords which indicate the - // highest priorities with the former being the highest priority. Any other - // name must be defined by creating a PriorityClass object with that name. - // If not specified, the pod priority will be default or zero if there is no - // default. - // +optional - string priorityClassName = 10; - - // If specified, the pod's tolerations. - // +optional - repeated k8s.io.api.core.v1.Toleration tolerations = 11; - - // List of volumes that can be mounted by containers belonging to the pod. - // More info: https://kubernetes.io/docs/concepts/storage/volumes - // +optional - // +patchMergeKey=name - // +patchStrategy=merge,retainKeys - repeated k8s.io.api.core.v1.Volume volumes = 12; - - // Pod volumes to mount into the container's filesystem. - // Cannot be updated. - // +optional - // +patchMergeKey=mountPath - // +patchStrategy=merge - repeated k8s.io.api.core.v1.VolumeMount volumeMounts = 13; - - // Replica configuration - Replicas replicas = 14; - - // Standard Kubernetes pod annotation and label configuration - K8sObjectMeta podMetadata = 15; - - // PodDisruptionBudget configuration - PodDisruptionBudget podDisruptionBudget = 16; - - // DeploymentStrategy configuration - DeploymentStrategy deploymentStrategy = 17; - - // Standard Kubernetes pod security context configuration - k8s.io.api.core.v1.PodSecurityContext podSecurityContext = 18; - - // Periodic probe of container liveness. - // Container will be restarted if the probe fails. - // Cannot be updated. - // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - // +optional - Probe livenessProbe = 19; - - // Periodic probe of container service readiness. - // Container will be removed from service endpoints if the probe fails. - // Cannot be updated. - // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - // +optional - Probe readinessProbe = 20; - - // Used to control how Pods are spread across a cluster among failure-domains. - // This can help to achieve high availability as well as efficient resource utilization. - // More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints - // +optional - repeated k8s.io.api.core.v1.TopologySpreadConstraint topologySpreadConstraints = 21; -} - -message DeploymentStrategy { - message RollingUpdateDeployment { - IntOrString maxUnavailable = 1 [(options.intorstring) = "true"]; - IntOrString maxSurge = 2 [(options.intorstring) = "true"]; - } - - // Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate. - // +optional - string type = 1; - - // Rolling update config params. Present only if DeploymentStrategyType = - // RollingUpdate. - // +optional - RollingUpdateDeployment rollingUpdate = 2; -} - -// PodDisruptionBudget is a description of a PodDisruptionBudget -message PodDisruptionBudget { - // An eviction is allowed if at least "minAvailable" pods selected by - // "selector" will still be available after the eviction, i.e. even in the - // absence of the evicted pod. So for example you can prevent all voluntary - // evictions by specifying "100%". - // +optional - IntOrString minAvailable = 1 [(options.intorstring) = "true"]; - - // An eviction is allowed if at most "maxUnavailable" pods selected by - // "selector" are unavailable after the eviction, i.e. even in absence of - // the evicted pod. For example, one can prevent all voluntary evictions - // by specifying 0. This is a mutually exclusive setting with "minAvailable". - // +optional - IntOrString maxUnavailable = 2 [(options.intorstring) = "true"]; -} - -// Probe describes a health check to be performed against a container to determine whether it is -// alive or ready to receive traffic. -message Probe { - // The action taken to determine the health of a container - oneof handler { - // Exec specifies the action to take. - // +optional - k8s.io.api.core.v1.ExecAction exec = 1; - - // HTTPGet specifies the http request to perform. - // +optional - HTTPGetAction httpGet = 2; - - // TCPSocket specifies an action involving a TCP port. - // +optional - TCPSocketAction tcpSocket = 3; - - // GRPC specifies an action involving a GRPC port. - // This is a beta field and requires enabling GRPCContainerProbe feature gate. - // +featureGate=GRPCContainerProbe - // +optional - k8s.io.api.core.v1.GRPCAction grpc = 4; - } - - // Number of seconds after the container has started before liveness probes are initiated. - // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - // +optional - int32 initialDelaySeconds = 5; - - // Number of seconds after which the probe times out. - // Defaults to 1 second. Minimum value is 1. - // More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes - // +optional - int32 timeoutSeconds = 6; - - // How often (in seconds) to perform the probe. - // Default to 10 seconds. Minimum value is 1. - // +optional - int32 periodSeconds = 7; - - // Minimum consecutive successes for the probe to be considered successful after having failed. - // Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. - // +optional - int32 successThreshold = 8; - - // Minimum consecutive failures for the probe to be considered failed after having succeeded. - // Defaults to 3. Minimum value is 1. - // +optional - int32 failureThreshold = 9; - - // Optional duration in seconds the pod needs to terminate gracefully upon probe failure. - // The grace period is the duration in seconds after the processes running in the pod are sent - // a termination signal and the time when the processes are forcibly halted with a kill signal. - // Set this value longer than the expected cleanup time for your process. - // If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this - // value overrides the value provided by the pod spec. - // Value must be non-negative integer. The value zero indicates stop immediately via - // the kill signal (no opportunity to shut down). - // This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. - // Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. - // +optional - int64 terminationGracePeriodSeconds = 10; -} - -// HTTPGetAction describes an action based on HTTP Get requests. -message HTTPGetAction { - // Path to access on the HTTP server. - // +optional - string path = 1; - - // Name or number of the port to access on the container. - // Number must be in the range 1 to 65535. - // Name must be an IANA_SVC_NAME. - IntOrString port = 2 [(options.intorstring) = "true"]; - - // Host name to connect to, defaults to the pod IP. You probably want to set - // "Host" in httpHeaders instead. - // +optional - string host = 3; - - // Scheme to use for connecting to the host. - // Defaults to HTTP. - // +optional - string scheme = 4; - - // Custom headers to set in the request. HTTP allows repeated headers. - // +optional - repeated k8s.io.api.core.v1.HTTPHeader httpHeaders = 5; -} - -// TCPSocketAction describes an action based on opening a socket -message TCPSocketAction { - // Number or name of the port to access on the container. - // Number must be in the range 1 to 65535. - // Name must be an IANA_SVC_NAME. - IntOrString port = 1 [(options.intorstring) = "true"]; - - // Optional: Host name to connect to, defaults to the pod IP. - // +optional - string host = 2; -} - -// Service describes the attributes that a user creates on a service. -message Service { - K8sObjectMeta metadata = 16; - - // The list of ports that are exposed by this service. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - // +patchMergeKey=port - // +patchStrategy=merge - // +listType=map - // +listMapKey=port - // +listMapKey=protocol - // +kubebuilder:validation:MinItems=1 - repeated ServicePort ports = 1 [(google.api.field_behavior) = REQUIRED]; - - // Route service traffic to pods with label keys and values matching this - // selector. If empty or not present, the service is assumed to have an - // external process managing its endpoints, which Kubernetes will not - // modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - // Ignored if type is ExternalName. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/ - // +optional - map selector = 2; - - // clusterIP is the IP address of the service and is usually assigned - // randomly by the master. If an address is specified manually and is not in - // use by others, it will be allocated to the service; otherwise, creation - // of the service will fail. This field can not be changed through updates. - // Valid values are "None", empty string (""), or a valid IP address. "None" - // can be specified for headless services when proxying is not required. - // Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if - // type is ExternalName. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - // +optional - string clusterIP = 3; - - // type determines how the Service is exposed. Defaults to ClusterIP. Valid - // options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - // "ExternalName" maps to the specified externalName. - // "ClusterIP" allocates a cluster-internal IP address for load-balancing to - // endpoints. Endpoints are determined by the selector or if that is not - // specified, by manual construction of an Endpoints object. If clusterIP is - // "None", no virtual IP is allocated and the endpoints are published as a - // set of endpoints rather than a stable IP. - // "NodePort" builds on ClusterIP and allocates a port on every node which - // routes to the clusterIP. - // "LoadBalancer" builds on NodePort and creates an - // external load-balancer (if supported in the current cloud) which routes - // to the clusterIP. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - // +optional - // +kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer - string type = 4 [(google.api.field_behavior) = REQUIRED]; - - // externalIPs is a list of IP addresses for which nodes in the cluster - // will also accept traffic for this service. These IPs are not managed by - // Kubernetes. The user is responsible for ensuring that traffic arrives - // at a node with this IP. A common example is external load-balancers - // that are not part of the Kubernetes system. - // +optional - repeated string externalIPs = 5; - - // Supports "ClientIP" and "None". Used to maintain session affinity. - // Enable client IP based session affinity. - // Must be ClientIP or None. - // Defaults to None. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - // +optional - string sessionAffinity = 7; - - // Only applies to Service Type: LoadBalancer - // LoadBalancer will get created with the IP specified in this field. - // This feature depends on whether the underlying cloud-provider supports specifying - // the loadBalancerIP when a load balancer is created. - // This field will be ignored if the cloud-provider does not support the feature. - // +optional - string loadBalancerIP = 8; - - // If specified and supported by the platform, this will restrict traffic through the cloud-provider - // load-balancer will be restricted to the specified client IPs. This field will be ignored if the - // cloud-provider does not support the feature." - // More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - // +optional - repeated string loadBalancerSourceRanges = 9; - - // externalName is the external reference that kubedns or equivalent will - // return as a CNAME record for this service. No proxying will be involved. - // Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - // and requires Type to be ExternalName. - // +optional - string externalName = 10; - - // externalTrafficPolicy denotes if this Service desires to route external - // traffic to node-local or cluster-wide endpoints. "Local" preserves the - // client source IP and avoids a second hop for LoadBalancer and Nodeport - // type services, but risks potentially imbalanced traffic spreading. - // "Cluster" obscures the client source IP and may cause a second hop to - // another node, but should have good overall load-spreading. - // +optional - string externalTrafficPolicy = 11; - - // healthCheckNodePort specifies the healthcheck nodePort for the service. - // If not specified, HealthCheckNodePort is created by the service api - // backend with the allocated nodePort. Will use user-specified nodePort value - // if specified by the client. Only effects when Type is set to LoadBalancer - // and ExternalTrafficPolicy is set to Local. - // +optional - int32 healthCheckNodePort = 12; - - // publishNotReadyAddresses, when set to true, indicates that DNS implementations - // must publish the notReadyAddresses of subsets for the Endpoints associated with - // the Service. The default value is false. - // The primary use case for setting this field is to use a StatefulSet's Headless Service - // to propagate SRV records for its Pods without respect to their readiness for purpose - // of peer discovery. - // +optional - google.protobuf.BoolValue publishNotReadyAddresses = 13; - - // sessionAffinityConfig contains the configurations of session affinity. - // +optional - k8s.io.api.core.v1.SessionAffinityConfig sessionAffinityConfig = 14; - - // ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. - // IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is - // available in the cluster. If no IP family is requested, the cluster's primary IP family will be used. - // Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which - // allocate external load-balancers should use the same IP family. Endpoints for this Service will be of - // this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the - // cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment. - // +optional - string ipFamily = 15; -} - -// Service describes the attributes that a user creates on a service. -message UnprotectedService { - K8sObjectMeta metadata = 16; - - // The list of ports that are exposed by this service. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - // +patchMergeKey=port - // +patchStrategy=merge - // +listType=map - // +listMapKey=port - // +listMapKey=protocol - repeated ServicePort ports = 1; - - // Route service traffic to pods with label keys and values matching this - // selector. If empty or not present, the service is assumed to have an - // external process managing its endpoints, which Kubernetes will not - // modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. - // Ignored if type is ExternalName. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/ - // +optional - map selector = 2; - - // clusterIP is the IP address of the service and is usually assigned - // randomly by the master. If an address is specified manually and is not in - // use by others, it will be allocated to the service; otherwise, creation - // of the service will fail. This field can not be changed through updates. - // Valid values are "None", empty string (""), or a valid IP address. "None" - // can be specified for headless services when proxying is not required. - // Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if - // type is ExternalName. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - // +optional - string clusterIP = 3; - - // type determines how the Service is exposed. Defaults to ClusterIP. Valid - // options are ExternalName, ClusterIP, NodePort, and LoadBalancer. - // "ExternalName" maps to the specified externalName. - // "ClusterIP" allocates a cluster-internal IP address for load-balancing to - // endpoints. Endpoints are determined by the selector or if that is not - // specified, by manual construction of an Endpoints object. If clusterIP is - // "None", no virtual IP is allocated and the endpoints are published as a - // set of endpoints rather than a stable IP. - // "NodePort" builds on ClusterIP and allocates a port on every node which - // routes to the clusterIP. - // "LoadBalancer" builds on NodePort and creates an - // external load-balancer (if supported in the current cloud) which routes - // to the clusterIP. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types - // +optional - // +kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer - string type = 4; - - // externalIPs is a list of IP addresses for which nodes in the cluster - // will also accept traffic for this service. These IPs are not managed by - // Kubernetes. The user is responsible for ensuring that traffic arrives - // at a node with this IP. A common example is external load-balancers - // that are not part of the Kubernetes system. - // +optional - repeated string externalIPs = 5; - - // Supports "ClientIP" and "None". Used to maintain session affinity. - // Enable client IP based session affinity. - // Must be ClientIP or None. - // Defaults to None. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies - // +optional - string sessionAffinity = 7; - - // Only applies to Service Type: LoadBalancer - // LoadBalancer will get created with the IP specified in this field. - // This feature depends on whether the underlying cloud-provider supports specifying - // the loadBalancerIP when a load balancer is created. - // This field will be ignored if the cloud-provider does not support the feature. - // +optional - string loadBalancerIP = 8; - - // If specified and supported by the platform, this will restrict traffic through the cloud-provider - // load-balancer will be restricted to the specified client IPs. This field will be ignored if the - // cloud-provider does not support the feature." - // More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ - // +optional - repeated string loadBalancerSourceRanges = 9; - - // externalName is the external reference that kubedns or equivalent will - // return as a CNAME record for this service. No proxying will be involved. - // Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) - // and requires Type to be ExternalName. - // +optional - string externalName = 10; - - // externalTrafficPolicy denotes if this Service desires to route external - // traffic to node-local or cluster-wide endpoints. "Local" preserves the - // client source IP and avoids a second hop for LoadBalancer and Nodeport - // type services, but risks potentially imbalanced traffic spreading. - // "Cluster" obscures the client source IP and may cause a second hop to - // another node, but should have good overall load-spreading. - // +optional - string externalTrafficPolicy = 11; - - // healthCheckNodePort specifies the healthcheck nodePort for the service. - // If not specified, HealthCheckNodePort is created by the service api - // backend with the allocated nodePort. Will use user-specified nodePort value - // if specified by the client. Only effects when Type is set to LoadBalancer - // and ExternalTrafficPolicy is set to Local. - // +optional - int32 healthCheckNodePort = 12; - - // publishNotReadyAddresses, when set to true, indicates that DNS implementations - // must publish the notReadyAddresses of subsets for the Endpoints associated with - // the Service. The default value is false. - // The primary use case for setting this field is to use a StatefulSet's Headless Service - // to propagate SRV records for its Pods without respect to their readiness for purpose - // of peer discovery. - // +optional - google.protobuf.BoolValue publishNotReadyAddresses = 13; - - // sessionAffinityConfig contains the configurations of session affinity. - // +optional - k8s.io.api.core.v1.SessionAffinityConfig sessionAffinityConfig = 14; - - // ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. - // IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is - // available in the cluster. If no IP family is requested, the cluster's primary IP family will be used. - // Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which - // allocate external load-balancers should use the same IP family. Endpoints for this Service will be of - // this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the - // cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment. - // +optional - string ipFamily = 15; -} - -// ServicePort contains information on service's port. -message ServicePort { - // The name of this port within the service. This must be a DNS_LABEL. - // All ports within a ServiceSpec must have unique names. When considering - // the endpoints for a Service, this must match the 'name' field in the - // EndpointPort. - // if only one ServicePort is defined on this service. - // +optional - string name = 1; - - // The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". - // Default is TCP. - // +optional - // +kubebuilder:default=TCP - string protocol = 2; - - // The port that will be exposed by this service. - int32 port = 3 [(google.api.field_behavior) = REQUIRED]; - - // Number or name of the port to access on the pods targeted by the service. - // Number must be in the range 1 to 65535. Name must be an IANA_SVC_NAME. - // If this is a string, it will be looked up as a named port in the - // target Pod's container ports. If this is not specified, the value - // of the 'port' field is used (an identity map). - // This field is ignored for services with clusterIP=None, and should be - // omitted or set equal to the 'port' field. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#defining-a-service - // +optional - IntOrString targetPort = 4 [(options.intorstring) = "true"]; - - // The port on each node on which this service is exposed when type=NodePort or LoadBalancer. - // Usually assigned by the system. If specified, it will be allocated to the service - // if unused or else creation of the service will fail. - // Default is to auto-allocate a port if the ServiceType of this Service requires one. - // More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport - // +optional - int32 nodePort = 5; -} - -message NamespacedName { - // Name of the referenced Kubernetes resource - string name = 1; - - // Namespace of the referenced Kubernetes resource - string namespace = 2; -} - -// ResourceRequirements describes the compute resource requirements. -message ResourceRequirements { - // Limits describes the maximum amount of compute resources allowed. - // More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - // +optional - map limits = 1 [(options.intorstring)="map"]; - - // Requests describes the minimum amount of compute resources required. - // If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, - // otherwise to an implementation-defined value. - // More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ - // +optional - map requests = 2 [(options.intorstring)="map"]; -} - -// Replicas contains pod replica configuration -message Replicas { - // Standard Kubernetes replica count configuration - // +kubebuilder:validation:Minimum=0 - google.protobuf.Int32Value count = 1; - - // min is the lower limit for the number of replicas to which the autoscaler - // can scale down. - // min and max both need to be set the turn on autoscaling. - // +kubebuilder:validation:Minimum=0 - google.protobuf.Int32Value min = 2; - - // max is the upper limit for the number of replicas to which the autoscaler can scale up. - // min and max both need to be set the turn on autoscaling. - // It cannot be less than min. - // +kubebuilder:validation:Minimum=1 - google.protobuf.Int32Value max = 3; - - // target average CPU utilization (represented as a percentage of requested CPU) over all the pods; - // default 80% will be used if not specified. - // +optional - // +kubebuilder:validation:Minimum=0 - google.protobuf.Int32Value targetCPUUtilizationPercentage = 4; -} - -message K8sResourceOverlayPatch { - message GroupVersionKind { - string kind = 1; - string version = 2; - string group = 3; - } - - enum Type { - unspecified = 0; - replace = 1; - remove = 2; - } - - message Patch { - string path = 1; - string value = 2; - bool parseValue = 3; - Type type = 4; - } - - GroupVersionKind groupVersionKind = 1; - NamespacedName objectKey = 2; - repeated Patch patches = 3; -} - -enum ConfigState { - Unspecified = 0; - Created = 1; - ReconcileFailed = 2; - Reconciling = 3; - Available = 4; - Unmanaged = 5; -} - -// Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and Int64() accessors. -// +cue-gen-param:intorstring=true -// +cue-gen-param:set=pattern:^(\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\+|-)?(([0-9]+(\\.[0-9]*)?)|(\\.[0-9]+))))?$ -// GOTYPE: *Quantity -message Quantity {} - -// IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number. -// +cue-gen-param:intorstring=true -// GOTYPE: *IntOrString -message IntOrString {} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common_deepcopy.gen.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common_deepcopy.gen.go deleted file mode 100644 index 5dda82cf6..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common_deepcopy.gen.go +++ /dev/null @@ -1,447 +0,0 @@ -// Code generated by protoc-gen-deepcopy. DO NOT EDIT. -package v1alpha1 - -import ( - proto "github.com/golang/protobuf/proto" -) - -// DeepCopyInto supports using K8SObjectMeta within kubernetes types, where deepcopy-gen is used. -func (in *K8SObjectMeta) DeepCopyInto(out *K8SObjectMeta) { - p := proto.Clone(in).(*K8SObjectMeta) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new K8SObjectMeta. Required by controller-gen. -func (in *K8SObjectMeta) DeepCopy() *K8SObjectMeta { - if in == nil { - return nil - } - out := new(K8SObjectMeta) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new K8SObjectMeta. Required by controller-gen. -func (in *K8SObjectMeta) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using ContainerImageConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *ContainerImageConfiguration) DeepCopyInto(out *ContainerImageConfiguration) { - p := proto.Clone(in).(*ContainerImageConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerImageConfiguration. Required by controller-gen. -func (in *ContainerImageConfiguration) DeepCopy() *ContainerImageConfiguration { - if in == nil { - return nil - } - out := new(ContainerImageConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ContainerImageConfiguration. Required by controller-gen. -func (in *ContainerImageConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using BaseKubernetesContainerConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *BaseKubernetesContainerConfiguration) DeepCopyInto(out *BaseKubernetesContainerConfiguration) { - p := proto.Clone(in).(*BaseKubernetesContainerConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaseKubernetesContainerConfiguration. Required by controller-gen. -func (in *BaseKubernetesContainerConfiguration) DeepCopy() *BaseKubernetesContainerConfiguration { - if in == nil { - return nil - } - out := new(BaseKubernetesContainerConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new BaseKubernetesContainerConfiguration. Required by controller-gen. -func (in *BaseKubernetesContainerConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using BaseKubernetesResourceConfig within kubernetes types, where deepcopy-gen is used. -func (in *BaseKubernetesResourceConfig) DeepCopyInto(out *BaseKubernetesResourceConfig) { - p := proto.Clone(in).(*BaseKubernetesResourceConfig) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaseKubernetesResourceConfig. Required by controller-gen. -func (in *BaseKubernetesResourceConfig) DeepCopy() *BaseKubernetesResourceConfig { - if in == nil { - return nil - } - out := new(BaseKubernetesResourceConfig) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new BaseKubernetesResourceConfig. Required by controller-gen. -func (in *BaseKubernetesResourceConfig) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using DeploymentStrategy within kubernetes types, where deepcopy-gen is used. -func (in *DeploymentStrategy) DeepCopyInto(out *DeploymentStrategy) { - p := proto.Clone(in).(*DeploymentStrategy) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentStrategy. Required by controller-gen. -func (in *DeploymentStrategy) DeepCopy() *DeploymentStrategy { - if in == nil { - return nil - } - out := new(DeploymentStrategy) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentStrategy. Required by controller-gen. -func (in *DeploymentStrategy) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using DeploymentStrategy_RollingUpdateDeployment within kubernetes types, where deepcopy-gen is used. -func (in *DeploymentStrategy_RollingUpdateDeployment) DeepCopyInto(out *DeploymentStrategy_RollingUpdateDeployment) { - p := proto.Clone(in).(*DeploymentStrategy_RollingUpdateDeployment) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentStrategy_RollingUpdateDeployment. Required by controller-gen. -func (in *DeploymentStrategy_RollingUpdateDeployment) DeepCopy() *DeploymentStrategy_RollingUpdateDeployment { - if in == nil { - return nil - } - out := new(DeploymentStrategy_RollingUpdateDeployment) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentStrategy_RollingUpdateDeployment. Required by controller-gen. -func (in *DeploymentStrategy_RollingUpdateDeployment) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using PodDisruptionBudget within kubernetes types, where deepcopy-gen is used. -func (in *PodDisruptionBudget) DeepCopyInto(out *PodDisruptionBudget) { - p := proto.Clone(in).(*PodDisruptionBudget) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudget. Required by controller-gen. -func (in *PodDisruptionBudget) DeepCopy() *PodDisruptionBudget { - if in == nil { - return nil - } - out := new(PodDisruptionBudget) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudget. Required by controller-gen. -func (in *PodDisruptionBudget) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using Probe within kubernetes types, where deepcopy-gen is used. -func (in *Probe) DeepCopyInto(out *Probe) { - p := proto.Clone(in).(*Probe) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Probe. Required by controller-gen. -func (in *Probe) DeepCopy() *Probe { - if in == nil { - return nil - } - out := new(Probe) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Probe. Required by controller-gen. -func (in *Probe) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using HTTPGetAction within kubernetes types, where deepcopy-gen is used. -func (in *HTTPGetAction) DeepCopyInto(out *HTTPGetAction) { - p := proto.Clone(in).(*HTTPGetAction) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPGetAction. Required by controller-gen. -func (in *HTTPGetAction) DeepCopy() *HTTPGetAction { - if in == nil { - return nil - } - out := new(HTTPGetAction) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new HTTPGetAction. Required by controller-gen. -func (in *HTTPGetAction) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using TCPSocketAction within kubernetes types, where deepcopy-gen is used. -func (in *TCPSocketAction) DeepCopyInto(out *TCPSocketAction) { - p := proto.Clone(in).(*TCPSocketAction) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPSocketAction. Required by controller-gen. -func (in *TCPSocketAction) DeepCopy() *TCPSocketAction { - if in == nil { - return nil - } - out := new(TCPSocketAction) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new TCPSocketAction. Required by controller-gen. -func (in *TCPSocketAction) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using Service within kubernetes types, where deepcopy-gen is used. -func (in *Service) DeepCopyInto(out *Service) { - p := proto.Clone(in).(*Service) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Service. Required by controller-gen. -func (in *Service) DeepCopy() *Service { - if in == nil { - return nil - } - out := new(Service) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Service. Required by controller-gen. -func (in *Service) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using UnprotectedService within kubernetes types, where deepcopy-gen is used. -func (in *UnprotectedService) DeepCopyInto(out *UnprotectedService) { - p := proto.Clone(in).(*UnprotectedService) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UnprotectedService. Required by controller-gen. -func (in *UnprotectedService) DeepCopy() *UnprotectedService { - if in == nil { - return nil - } - out := new(UnprotectedService) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new UnprotectedService. Required by controller-gen. -func (in *UnprotectedService) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using ServicePort within kubernetes types, where deepcopy-gen is used. -func (in *ServicePort) DeepCopyInto(out *ServicePort) { - p := proto.Clone(in).(*ServicePort) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicePort. Required by controller-gen. -func (in *ServicePort) DeepCopy() *ServicePort { - if in == nil { - return nil - } - out := new(ServicePort) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ServicePort. Required by controller-gen. -func (in *ServicePort) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using NamespacedName within kubernetes types, where deepcopy-gen is used. -func (in *NamespacedName) DeepCopyInto(out *NamespacedName) { - p := proto.Clone(in).(*NamespacedName) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespacedName. Required by controller-gen. -func (in *NamespacedName) DeepCopy() *NamespacedName { - if in == nil { - return nil - } - out := new(NamespacedName) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new NamespacedName. Required by controller-gen. -func (in *NamespacedName) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using ResourceRequirements within kubernetes types, where deepcopy-gen is used. -func (in *ResourceRequirements) DeepCopyInto(out *ResourceRequirements) { - p := proto.Clone(in).(*ResourceRequirements) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRequirements. Required by controller-gen. -func (in *ResourceRequirements) DeepCopy() *ResourceRequirements { - if in == nil { - return nil - } - out := new(ResourceRequirements) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRequirements. Required by controller-gen. -func (in *ResourceRequirements) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using Replicas within kubernetes types, where deepcopy-gen is used. -func (in *Replicas) DeepCopyInto(out *Replicas) { - p := proto.Clone(in).(*Replicas) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Replicas. Required by controller-gen. -func (in *Replicas) DeepCopy() *Replicas { - if in == nil { - return nil - } - out := new(Replicas) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Replicas. Required by controller-gen. -func (in *Replicas) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using K8SResourceOverlayPatch within kubernetes types, where deepcopy-gen is used. -func (in *K8SResourceOverlayPatch) DeepCopyInto(out *K8SResourceOverlayPatch) { - p := proto.Clone(in).(*K8SResourceOverlayPatch) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new K8SResourceOverlayPatch. Required by controller-gen. -func (in *K8SResourceOverlayPatch) DeepCopy() *K8SResourceOverlayPatch { - if in == nil { - return nil - } - out := new(K8SResourceOverlayPatch) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new K8SResourceOverlayPatch. Required by controller-gen. -func (in *K8SResourceOverlayPatch) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using K8SResourceOverlayPatch_GroupVersionKind within kubernetes types, where deepcopy-gen is used. -func (in *K8SResourceOverlayPatch_GroupVersionKind) DeepCopyInto(out *K8SResourceOverlayPatch_GroupVersionKind) { - p := proto.Clone(in).(*K8SResourceOverlayPatch_GroupVersionKind) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new K8SResourceOverlayPatch_GroupVersionKind. Required by controller-gen. -func (in *K8SResourceOverlayPatch_GroupVersionKind) DeepCopy() *K8SResourceOverlayPatch_GroupVersionKind { - if in == nil { - return nil - } - out := new(K8SResourceOverlayPatch_GroupVersionKind) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new K8SResourceOverlayPatch_GroupVersionKind. Required by controller-gen. -func (in *K8SResourceOverlayPatch_GroupVersionKind) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using K8SResourceOverlayPatch_Patch within kubernetes types, where deepcopy-gen is used. -func (in *K8SResourceOverlayPatch_Patch) DeepCopyInto(out *K8SResourceOverlayPatch_Patch) { - p := proto.Clone(in).(*K8SResourceOverlayPatch_Patch) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new K8SResourceOverlayPatch_Patch. Required by controller-gen. -func (in *K8SResourceOverlayPatch_Patch) DeepCopy() *K8SResourceOverlayPatch_Patch { - if in == nil { - return nil - } - out := new(K8SResourceOverlayPatch_Patch) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new K8SResourceOverlayPatch_Patch. Required by controller-gen. -func (in *K8SResourceOverlayPatch_Patch) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using Quantity within kubernetes types, where deepcopy-gen is used. -func (in *Quantity) DeepCopyInto(out *Quantity) { - p := proto.Clone(in).(*Quantity) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Quantity. Required by controller-gen. -func (in *Quantity) DeepCopy() *Quantity { - if in == nil { - return nil - } - out := new(Quantity) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Quantity. Required by controller-gen. -func (in *Quantity) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using IntOrString within kubernetes types, where deepcopy-gen is used. -func (in *IntOrString) DeepCopyInto(out *IntOrString) { - p := proto.Clone(in).(*IntOrString) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntOrString. Required by controller-gen. -func (in *IntOrString) DeepCopy() *IntOrString { - if in == nil { - return nil - } - out := new(IntOrString) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new IntOrString. Required by controller-gen. -func (in *IntOrString) DeepCopyInterface() interface{} { - return in.DeepCopy() -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common_json.gen.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common_json.gen.go deleted file mode 100644 index e611f6efb..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/common_json.gen.go +++ /dev/null @@ -1,243 +0,0 @@ -// Code generated by protoc-gen-jsonshim. DO NOT EDIT. -package v1alpha1 - -import ( - bytes "bytes" - jsonpb "github.com/golang/protobuf/jsonpb" -) - -// MarshalJSON is a custom marshaler for K8SObjectMeta -func (this *K8SObjectMeta) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for K8SObjectMeta -func (this *K8SObjectMeta) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for ContainerImageConfiguration -func (this *ContainerImageConfiguration) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for ContainerImageConfiguration -func (this *ContainerImageConfiguration) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for BaseKubernetesContainerConfiguration -func (this *BaseKubernetesContainerConfiguration) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for BaseKubernetesContainerConfiguration -func (this *BaseKubernetesContainerConfiguration) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for BaseKubernetesResourceConfig -func (this *BaseKubernetesResourceConfig) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for BaseKubernetesResourceConfig -func (this *BaseKubernetesResourceConfig) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for DeploymentStrategy -func (this *DeploymentStrategy) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for DeploymentStrategy -func (this *DeploymentStrategy) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for DeploymentStrategy_RollingUpdateDeployment -func (this *DeploymentStrategy_RollingUpdateDeployment) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for DeploymentStrategy_RollingUpdateDeployment -func (this *DeploymentStrategy_RollingUpdateDeployment) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for PodDisruptionBudget -func (this *PodDisruptionBudget) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for PodDisruptionBudget -func (this *PodDisruptionBudget) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for Probe -func (this *Probe) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for Probe -func (this *Probe) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for HTTPGetAction -func (this *HTTPGetAction) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for HTTPGetAction -func (this *HTTPGetAction) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for TCPSocketAction -func (this *TCPSocketAction) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for TCPSocketAction -func (this *TCPSocketAction) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for Service -func (this *Service) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for Service -func (this *Service) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for UnprotectedService -func (this *UnprotectedService) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for UnprotectedService -func (this *UnprotectedService) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for ServicePort -func (this *ServicePort) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for ServicePort -func (this *ServicePort) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for NamespacedName -func (this *NamespacedName) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for NamespacedName -func (this *NamespacedName) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for ResourceRequirements -func (this *ResourceRequirements) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for ResourceRequirements -func (this *ResourceRequirements) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for Replicas -func (this *Replicas) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for Replicas -func (this *Replicas) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for K8SResourceOverlayPatch -func (this *K8SResourceOverlayPatch) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for K8SResourceOverlayPatch -func (this *K8SResourceOverlayPatch) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for K8SResourceOverlayPatch_GroupVersionKind -func (this *K8SResourceOverlayPatch_GroupVersionKind) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for K8SResourceOverlayPatch_GroupVersionKind -func (this *K8SResourceOverlayPatch_GroupVersionKind) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for K8SResourceOverlayPatch_Patch -func (this *K8SResourceOverlayPatch_Patch) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for K8SResourceOverlayPatch_Patch -func (this *K8SResourceOverlayPatch_Patch) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for Quantity -func (this *Quantity) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for Quantity -func (this *Quantity) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for IntOrString -func (this *IntOrString) MarshalJSON() ([]byte, error) { - str, err := CommonMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for IntOrString -func (this *IntOrString) UnmarshalJSON(b []byte) error { - return CommonUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -var ( - CommonMarshaler = &jsonpb.Marshaler{} - CommonUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} -) diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/groupversion_info.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/groupversion_info.go deleted file mode 100644 index ac2478fb2..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/groupversion_info.go +++ /dev/null @@ -1,36 +0,0 @@ -/* -Copyright 2021 Cisco Systems, Inc. and/or its affiliates. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Package v1alpha1 contains API Schema definitions for the servicemesh v1alpha1 API group -// +kubebuilder:object:generate=true -// +groupName=servicemesh.cisco.com -package v1alpha1 - -import ( - "k8s.io/apimachinery/pkg/runtime/schema" - "sigs.k8s.io/controller-runtime/pkg/scheme" -) - -var ( - // GroupVersion is group version used to register these objects - GroupVersion = schema.GroupVersion{Group: "servicemesh.cisco.com", Version: "v1alpha1"} - - // SchemeBuilder is used to add go types to the GroupVersionKind scheme - SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion} - - // AddToScheme adds the types in this group-version to the given scheme. - AddToScheme = SchemeBuilder.AddToScheme -) diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istio-operator.gen.json b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istio-operator.gen.json deleted file mode 100644 index 21b671e83..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istio-operator.gen.json +++ /dev/null @@ -1,4347 +0,0 @@ -{ - "openapi": "3.0.0", - "info": { - "title": "OpenAPI descriptor for Istio operator types", - "version": "v1alpha1" - }, - "components": { - "schemas": { - "istio.mesh.v1alpha1.AuthenticationPolicy": { - "description": "AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation. Mesh policy cannot be INHERIT.", - "type": "string", - "enum": [ - "NONE", - "MUTUAL_TLS", - "INHERIT" - ] - }, - "istio.mesh.v1alpha1.Certificate": { - "description": "Certificate configures the provision of a certificate and its key. Example 1: key and cert stored in a secret ``` { secretName: galley-cert secretNamespace: istio-system dnsNames: - galley.istio-system.svc - galley.mydomain.com } ``` Example 2: key and cert stored in a directory ``` { dnsNames: - pilot.istio-system - pilot.istio-system.svc - pilot.mydomain.com } ```", - "type": "object", - "properties": { - "secretName": { - "description": "Name of the secret the certificate and its key will be stored into. If it is empty, it will not be stored into a secret. Instead, the certificate and its key will be stored into a hard-coded directory.", - "type": "string" - }, - "dnsNames": { - "description": "The DNS names for the certificate. A certificate may contain multiple DNS names.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.mesh.v1alpha1.ConfigSource": { - "description": "ConfigSource describes information about a configuration store inside a mesh. A single control plane instance can interact with one or more data sources.", - "type": "object", - "properties": { - "address": { - "description": "Address of the server implementing the Istio Mesh Configuration protocol (MCP). Can be IP address or a fully qualified DNS name. Use fs:/// to specify a file-based backend with absolute path to the directory.", - "type": "string" - }, - "tlsSettings": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings" - }, - "subscribedResources": { - "description": "Describes the source of configuration, if nothing is specified default is MCP", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Resource" - } - } - } - }, - "istio.mesh.v1alpha1.MeshConfig": { - "description": "MeshConfig defines mesh-wide settings for the Istio service mesh.", - "type": "object", - "properties": { - "localityLbSetting": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.LocalityLoadBalancerSetting" - }, - "connectTimeout": { - "description": "Connection timeout used by Envoy. (MUST BE \u003e=1ms) Default timeout is 10s.", - "type": "string" - }, - "tcpKeepalive": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive" - }, - "h2UpgradePolicy": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.H2UpgradePolicy" - }, - "caCertificates": { - "description": "The extra root certificates for workload-to-workload communication. The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.CertificateData" - } - }, - "proxyListenPort": { - "description": "Port on which Envoy should listen for incoming connections from other services. Default port is 15001.", - "type": "integer", - "format": "int32" - }, - "proxyHttpPort": { - "description": "Port on which Envoy should listen for HTTP PROXY requests if set.", - "type": "integer", - "format": "int32" - }, - "protocolDetectionTimeout": { - "description": "Automatic protocol detection uses a set of heuristics to determine whether the connection is using TLS or not (on the server side), as well as the application protocol being used (e.g., http vs tcp). These heuristics rely on the client sending the first bits of data. For server first protocols like MySQL, MongoDB, etc. Envoy will timeout on the protocol detection after the specified period, defaulting to non mTLS plain TCP traffic. Set this field to tweak the period that Envoy will wait for the client to send the first bits of data. (MUST BE \u003e=1ms or 0s to disable). Default detection timeout is 5s.", - "type": "string" - }, - "ingressClass": { - "description": "Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of `kubernetes.io/ingress.class` annotation.", - "type": "string" - }, - "ingressService": { - "description": "Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value `istio-ingressgateway` is used.", - "type": "string" - }, - "ingressControllerMode": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.IngressControllerMode" - }, - "ingressSelector": { - "description": "Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. It is recommended that this is the same value as ingress_service.", - "type": "string" - }, - "enableTracing": { - "description": "Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration.", - "type": "boolean" - }, - "accessLogFile": { - "description": "File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging.", - "type": "string" - }, - "accessLogFormat": { - "description": "Format for the proxy access log Empty value results in proxy's default access log format", - "type": "string" - }, - "accessLogEncoding": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.AccessLogEncoding" - }, - "enableEnvoyAccessLogService": { - "description": "This flag enables Envoy's gRPC Access Log Service. See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto) for details about Envoy's gRPC Access Log Service API. Default value is `false`.", - "type": "boolean" - }, - "disableEnvoyListenerLog": { - "description": "This flag disables Envoy Listener logs. See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log) Istio Enables Envoy's listener access logs on \"NoRoute\" response flag. Default value is `false`.", - "type": "boolean" - }, - "defaultConfig": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig" - }, - "outboundTrafficPolicy": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy" - }, - "configSources": { - "description": "ConfigSource describes a source of configuration data for networking rules, and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ConfigSource" - } - }, - "enableAutoMtls": { - "description": "This flag is used to enable mutual `TLS` automatically for service to service communication within the mesh, default true. If set to true, and a given service does not have a corresponding `DestinationRule` configured, or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side TLS configuration appropriately. More specifically, If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate for mutual `TLS` to connect to upstream. If upstream service is in plain text mode, use plain text. If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic. If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead.", - "type": "boolean", - "nullable": true - }, - "trustDomain": { - "description": "The trust domain corresponds to the trust root of a system. Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain)", - "type": "string" - }, - "trustDomainAliases": { - "description": "The trust domain aliases represent the aliases of `trust_domain`. For example, if we have ```yaml trustDomain: td1 trustDomainAliases: [\"td2\", \"td3\"] ``` Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh.", - "type": "array", - "items": { - "type": "string" - } - }, - "defaultServiceExportTo": { - "description": "The default value for the ServiceEntry.export_to field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: ``` * - All Namespaces . - Current Namespace ~ - No Namespace ``` If not set the system will use \"*\" as the default value which implies that services are exported to all namespaces.", - "type": "array", - "items": { - "type": "string" - } - }, - "defaultVirtualServiceExportTo": { - "description": "The default value for the VirtualService.export_to field. Has the same syntax as `default_service_export_to`.", - "type": "array", - "items": { - "type": "string" - } - }, - "defaultDestinationRuleExportTo": { - "description": "The default value for the `DestinationRule.export_to` field. Has the same syntax as `default_service_export_to`.", - "type": "array", - "items": { - "type": "string" - } - }, - "rootNamespace": { - "description": "The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for declarations in that namespace first and if none are found it will search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace.", - "type": "string" - }, - "dnsRefreshRate": { - "description": "Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS` Default refresh rate is `5s`.", - "type": "string" - }, - "inboundClusterStatName": { - "description": "Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. By default, Istio emits statistics with the pattern `inbound|\u003cport\u003e|\u003cport-name\u003e|\u003cservice-FQDN\u003e`. For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern.", - "type": "string" - }, - "outboundClusterStatName": { - "description": "Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. By default, Istio emits statistics with the pattern `outbound|\u003cport\u003e|\u003csubsetname\u003e|\u003cservice-FQDN\u003e`. For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern.", - "type": "string" - }, - "certificates": { - "description": "Configure the provision of certificates.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Certificate" - } - }, - "thriftConfig": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ThriftConfig" - }, - "serviceSettings": { - "description": "Settings to be applied to select services.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ServiceSettings" - } - }, - "enablePrometheusMerge": { - "description": "If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and `prometheus.io/path` annotations. If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. In this case, it is recommended to disable aggregation on that deployment with the `prometheus.istio.io/merge-metrics: \"false\"` annotation. If not specified, this will be enabled by default.", - "type": "boolean", - "nullable": true - }, - "verifyCertificateAtClient": { - "description": "`VerifyCertificateAtClient` sets the mesh global default for peer certificate validation at the client-side proxy when `SIMPLE` TLS or `MUTUAL` TLS (non `ISTIO_MUTUAL`) origination modes are used. This setting can be overridden at the host level via DestinationRule API. By default, `VerifyCertificateAtClient` is `true`.", - "type": "boolean", - "nullable": true - }, - "ca": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.CA" - }, - "extensionProviders": { - "description": "Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy can be used with an extension provider to delegate the authorization decision to a custom authorization system.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider" - } - }, - "defaultProviders": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.DefaultProviders" - }, - "discoverySelectors": { - "description": "A list of Kubernetes selectors that specify the set of namespaces that Istio considers when computing configuration updates for sidecars. This can be used to reduce Istio's computational load by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. If omitted, Istio will use the default behavior of processing all namespaces in the cluster. Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. The following example selects any namespace that matches either below: 1. The namespace has both of these labels: `env: prod` and `region: us-east1` 2. The namespace has label `app` equal to `cassandra` or `spark`. ```yaml discoverySelectors: - matchLabels: env: prod region: us-east1 - matchExpressions: - key: app operator: In values: - cassandra - spark ``` Refer to the [kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for additional detail on selector semantics.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - } - }, - "pathNormalization": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ProxyPathNormalization" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.AccessLogEncoding": { - "type": "string", - "enum": [ - "TEXT", - "JSON" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.AuthPolicy": { - "type": "string", - "enum": [ - "NONE", - "MUTUAL_TLS" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.CA": { - "type": "object", - "properties": { - "address": { - "description": "REQUIRED. Address of the CA server implementing the Istio CA gRPC API. Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000", - "type": "string" - }, - "tlsSettings": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings" - }, - "requestTimeout": { - "description": "timeout for forward CSR requests from Istiod to External CA Default: 10s", - "type": "string" - }, - "istiodSide": { - "description": "Use istiod_side to specify CA Server integrate to Istiod side or Agent side Default: true", - "type": "boolean" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.CertificateData": { - "type": "object", - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "pem" - ], - "properties": { - "pem": { - "description": "The PEM data of the certificate.", - "type": "string" - } - } - }, - { - "required": [ - "spiffeBundleUrl" - ], - "properties": { - "spiffeBundleUrl": { - "description": "The SPIFFE bundle endpoint URL that complies to: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint.", - "type": "string" - } - } - } - ] - } - }, - { - "required": [ - "pem" - ], - "properties": { - "pem": { - "description": "The PEM data of the certificate.", - "type": "string" - } - } - }, - { - "required": [ - "spiffeBundleUrl" - ], - "properties": { - "spiffeBundleUrl": { - "description": "The SPIFFE bundle endpoint URL that complies to: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint.", - "type": "string" - } - } - } - ] - }, - "istio.mesh.v1alpha1.MeshConfig.DefaultProviders": { - "description": "Holds the name references to the providers that will be used by default in other Istio configuration resources if the provider is not specified.", - "type": "object", - "properties": { - "tracing": { - "description": "Name of the default provider(s) for tracing.", - "type": "array", - "items": { - "type": "string" - } - }, - "metrics": { - "description": "Name of the default provider(s) for metrics.", - "type": "array", - "items": { - "type": "string" - } - }, - "accessLogging": { - "description": "Name of the default provider(s) for access logging.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider": { - "type": "object", - "properties": { - "name": { - "description": "REQUIRED. A unique name identifying the extension provider.", - "type": "string" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "envoyExtAuthzHttp" - ], - "properties": { - "envoyExtAuthzHttp": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider" - } - } - }, - { - "required": [ - "envoyExtAuthzGrpc" - ], - "properties": { - "envoyExtAuthzGrpc": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider" - } - } - }, - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider" - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider" - } - } - }, - { - "required": [ - "opencensus" - ], - "properties": { - "opencensus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider" - } - } - }, - { - "required": [ - "skywalking" - ], - "properties": { - "skywalking": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider" - } - } - }, - { - "required": [ - "prometheus" - ], - "properties": { - "prometheus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider" - } - } - }, - { - "required": [ - "envoyFileAccessLog" - ], - "properties": { - "envoyFileAccessLog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider" - } - } - } - ] - } - }, - { - "required": [ - "envoyExtAuthzHttp" - ], - "properties": { - "envoyExtAuthzHttp": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider" - } - } - }, - { - "required": [ - "envoyExtAuthzGrpc" - ], - "properties": { - "envoyExtAuthzGrpc": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider" - } - } - }, - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider" - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider" - } - } - }, - { - "required": [ - "opencensus" - ], - "properties": { - "opencensus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider" - } - } - }, - { - "required": [ - "skywalking" - ], - "properties": { - "skywalking": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider" - } - } - }, - { - "required": [ - "prometheus" - ], - "properties": { - "prometheus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider" - } - } - }, - { - "required": [ - "envoyFileAccessLog" - ], - "properties": { - "envoyFileAccessLog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider" - } - } - } - ] - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationRequestBody": { - "type": "object", - "properties": { - "maxRequestBytes": { - "description": "Sets the maximum size of a message body that the ext-authz filter will hold in memory. If max_request_bytes is reached, and allow_partial_message is false, Envoy will return a 413 (Payload Too Large). Otherwise the request will be sent to the provider with a partial message. Note that this setting will have precedence over the fail_open field, the 413 will be returned even when the fail_open is set to true.", - "type": "integer" - }, - "allowPartialMessage": { - "description": "When this field is true, ext-authz filter will buffer the message until max_request_bytes is reached. The authorization request will be dispatched and no 413 HTTP error will be returned by the filter. A \"x-envoy-auth-partial-body: false|true\" metadata header will be added to the authorization request message indicating if the body data is partial.", - "type": "boolean" - }, - "packAsBytes": { - "description": "If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes in the raw_body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153). Otherwise, it will be filled with UTF-8 string in the body field (https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147). This field only works with the envoy_ext_authz_grpc provider and has no effect for the envoy_ext_authz_http provider.", - "type": "boolean" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider.TraceContext": { - "description": "TraceContext selects the context propagation headers used for distributed tracing.", - "type": "string", - "enum": [ - "UNSPECIFIED", - "W3C_TRACE_CONTEXT", - "GRPC_BIN", - "CLOUD_TRACE_CONTEXT", - "B3" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.H2UpgradePolicy": { - "description": "Default Policy for upgrading http1.1 connections to http2.", - "type": "string", - "enum": [ - "DO_NOT_UPGRADE", - "UPGRADE" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.IngressControllerMode": { - "type": "string", - "enum": [ - "UNSPECIFIED", - "OFF", - "DEFAULT", - "STRICT" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy": { - "type": "object", - "properties": { - "mode": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy.Mode" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy.Mode": { - "type": "string", - "enum": [ - "REGISTRY_ONLY", - "ALLOW_ANY" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.ProxyPathNormalization": { - "type": "object", - "properties": { - "normalization": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ProxyPathNormalization.NormalizationType" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.ProxyPathNormalization.NormalizationType": { - "type": "string", - "enum": [ - "DEFAULT", - "NONE", - "BASE", - "MERGE_SLASHES", - "DECODE_AND_MERGE_SLASHES" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.ServiceSettings": { - "description": "Settings to be applied to select services.", - "type": "object", - "properties": { - "hosts": { - "description": "The services to which the Settings should be applied. Services are selected using the hostname matching rules used by DestinationRule.", - "type": "array", - "items": { - "type": "string" - } - }, - "settings": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ServiceSettings.Settings" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.ServiceSettings.Settings": { - "description": "Settings for the selected services.", - "type": "object", - "properties": { - "clusterLocal": { - "description": "If true, specifies that the client and service endpoints must reside in the same cluster. By default, in multi-cluster deployments, the Istio control plane assumes all service endpoints to be reachable from any client in any of the clusters which are part of the mesh. This configuration option limits the set of service endpoints visible to a client to be cluster scoped.", - "type": "boolean" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.ThriftConfig": { - "type": "object", - "properties": { - "rateLimitUrl": { - "description": "Specify thrift rate limit service URL. If pilot has thrift protocol support enabled, this will enable the rate limit service for destinations that have matching rate limit configurations.", - "type": "string" - }, - "rateLimitTimeout": { - "description": "Specify thrift rate limit service timeout, in milliseconds. Default is `50ms`", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.ProxyConfig": { - "description": "ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis as well as by the mesh-wide defaults. To set the mesh wide defaults, configure the `defaultConfig` section of `meshConfig`. For example: ``` meshConfig: defaultConfig: discoveryAddress: istiod:15012 ```", - "type": "object", - "properties": { - "readinessProbe": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ReadinessProbe" - }, - "tracing": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing" - }, - "configPath": { - "description": "Path to the generated configuration file directory. Proxy agent generates the actual configuration and stores it in this directory.", - "type": "string" - }, - "binaryPath": { - "description": "Path to the proxy binary", - "type": "string" - }, - "serviceCluster": { - "description": "Service cluster defines the name for the `service_cluster` that is shared by all Envoy instances. This setting corresponds to `--service-cluster` flag in Envoy. In a typical Envoy deployment, the `service-cluster` flag is used to identify the caller, for source-based routing scenarios.", - "type": "string" - }, - "drainDuration": { - "description": "The time in seconds that Envoy will drain connections during a hot restart. MUST be \u003e=1s (e.g., _1s/1m/1h_) Default drain duration is `45s`.", - "type": "string" - }, - "parentShutdownDuration": { - "description": "The time in seconds that Envoy will wait before shutting down the parent process during a hot restart. MUST be \u003e=1s (e.g., `1s/1m/1h`). MUST BE greater than `drain_duration` parameter. Default shutdown duration is `60s`.", - "type": "string" - }, - "discoveryAddress": { - "description": "Address of the discovery service exposing xDS with mTLS connection. The inject configuration may override this value.", - "type": "string" - }, - "discoveryRefreshDelay": { - "type": "string", - "deprecated": true - }, - "zipkinAddress": { - "description": "Address of the Zipkin service (e.g. _zipkin:9411_). DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead.", - "type": "string", - "deprecated": true - }, - "statsdUdpAddress": { - "description": "IP Address and Port of a statsd UDP listener (e.g. `10.75.241.127:9125`).", - "type": "string" - }, - "envoyMetricsServiceAddress": { - "type": "string", - "deprecated": true - }, - "proxyAdminPort": { - "description": "Port on which Envoy should listen for administrative commands. Default port is `15000`.", - "type": "integer", - "format": "int32" - }, - "availabilityZone": { - "type": "string", - "deprecated": true - }, - "controlPlaneAuthPolicy": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.AuthenticationPolicy" - }, - "customConfigFile": { - "description": "File path of custom proxy configuration, currently used by proxies in front of Mixer and Pilot.", - "type": "string" - }, - "statNameLength": { - "description": "Maximum length of name field in Envoy's metrics. The length of the name field is determined by the length of a name field in a service and the set of labels that comprise a particular version of the service. The default value is set to 189 characters. Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. Increase the value of this field if you find that the metrics from Envoys are truncated.", - "type": "integer", - "format": "int32" - }, - "concurrency": { - "description": "The number of worker threads to run. If unset, this will be automatically determined based on CPU requests/limits. If set to 0, all cores on the machine will be used. Default is 2 worker threads.", - "type": "integer", - "nullable": true - }, - "proxyBootstrapTemplatePath": { - "description": "Path to the proxy bootstrap template file", - "type": "string" - }, - "interceptionMode": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig.InboundInterceptionMode" - }, - "sds": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.SDS" - }, - "envoyAccessLogService": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.RemoteService" - }, - "envoyMetricsService": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.RemoteService" - }, - "proxyMetadata": { - "description": "Additional environment variables for the proxy. Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "statusPort": { - "description": "Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port `15020`.", - "type": "integer", - "format": "int32" - }, - "extraStatTags": { - "description": "An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be added by configuring the telemetry extension. Each additional tag needs to be present in this list. Extra tags emitted by the telemetry extensions must be listed here so that they can be processed and exposed as Prometheus metrics.", - "type": "array", - "items": { - "type": "string" - } - }, - "gatewayTopology": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Topology" - }, - "terminationDrainDuration": { - "description": "The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied.", - "type": "string" - }, - "meshId": { - "description": "The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) All control planes running in the same service mesh should specify the same mesh ID. Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.", - "type": "string" - }, - "proxyStatsMatcher": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig.ProxyStatsMatcher" - }, - "holdApplicationUntilProxyStarts": { - "description": "Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. This feature adds hooks to delay application startup until the pod proxy is ready to accept traffic, mitigating some startup race conditions. Default value is 'false'.", - "type": "boolean", - "nullable": true - }, - "caCertificatesPem": { - "description": "The PEM data of the extra root certificates for workload-to-workload communication. This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) are added automatically by Istiod.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.mesh.v1alpha1.ProxyConfig.InboundInterceptionMode": { - "description": "The mode used to redirect inbound traffic to Envoy. This setting has no effect on outbound traffic: iptables `REDIRECT` is always used for outbound connections.", - "type": "string", - "enum": [ - "REDIRECT", - "TPROXY" - ] - }, - "istio.mesh.v1alpha1.ProxyConfig.ProxyStatsMatcher": { - "description": "Proxy stats name matchers for stats creation. Note this is in addition to the minimum Envoy stats that Istio generates by default.", - "type": "object", - "properties": { - "inclusionPrefixes": { - "description": "Proxy stats name prefix matcher for inclusion.", - "type": "array", - "items": { - "type": "string" - } - }, - "inclusionSuffixes": { - "description": "Proxy stats name suffix matcher for inclusion.", - "type": "array", - "items": { - "type": "string" - } - }, - "inclusionRegexps": { - "description": "Proxy stats name regexps matcher for inclusion.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.mesh.v1alpha1.RemoteService": { - "type": "object", - "properties": { - "address": { - "description": "Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name.", - "type": "string" - }, - "tcpKeepalive": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive" - }, - "tlsSettings": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings" - } - } - }, - "istio.mesh.v1alpha1.Resource": { - "description": "Resource describes the source of configuration", - "type": "string", - "enum": [ - "SERVICE_REGISTRY" - ] - }, - "istio.mesh.v1alpha1.SDS": { - "description": "SDS defines secret discovery service(SDS) configuration to be used by the proxy. For workload, its values are set in sidecar injector(passed as arguments to istio-proxy container). For pilot/mixer, it's passed as arguments to istio-proxy container in pilot/mixer deployment yaml files directly.", - "type": "object", - "properties": { - "enabled": { - "description": "True if SDS is enabled.", - "type": "boolean" - }, - "k8sSaJwtPath": { - "description": "Path of k8s service account JWT path.", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.Topology": { - "description": "Topology describes the configuration for relative location of a proxy with respect to intermediate trusted proxies and the client. These settings control how the client attributes are retrieved from the incoming traffic by the gateway proxy and propagated to the upstream services in the cluster.", - "type": "object", - "properties": { - "numTrustedProxies": { - "description": "Number of trusted proxies deployed in front of the Istio gateway proxy. When this option is set to value N greater than zero, the trusted client address is assumed to be the Nth address from the right end of the X-Forwarded-For (XFF) header from the incoming request. If the X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the gateway proxy falls back to using the immediate downstream connection's source address as the trusted client address. Note that the gateway proxy will append the downstream connection's source address to the X-Forwarded-For (XFF) address and set the X-Envoy-External-Address header to the trusted client address before forwarding it to the upstream services in the cluster. The default value of num_trusted_proxies is 0. See [Envoy XFF] (https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for) header handling for more details.", - "type": "integer" - }, - "forwardClientCertDetails": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Topology.ForwardClientCertDetails" - } - } - }, - "istio.mesh.v1alpha1.Topology.ForwardClientCertDetails": { - "description": "ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC) header is handled by the gateway proxy. See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#envoy-api-enum-config-filter-network-http-connection-manager-v2-httpconnectionmanager-forwardclientcertdetails) header handling for more details.", - "type": "string", - "enum": [ - "UNDEFINED", - "SANITIZE", - "FORWARD_ONLY", - "APPEND_FORWARD", - "SANITIZE_SET", - "ALWAYS_FORWARD_ONLY" - ] - }, - "istio.mesh.v1alpha1.Tracing": { - "description": "Tracing defines configuration for the tracing performed by Envoy instances.", - "type": "object", - "properties": { - "tlsSettings": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings" - }, - "customTags": { - "description": "Configures the custom tags to be added to active span by all proxies (i.e. sidecars and gateways). The key represents the name of the tag. Ex: ```yaml custom_tags: new_tag_name: header: name: custom-http-header-name default_value: defaulted-value-from-custom-header ``` $hide_from_docs", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.CustomTag" - } - }, - "maxPathTagLength": { - "description": "Configures the maximum length of the request path to extract and include in the HttpUrl tag. Used to truncate length request paths to meet the needs of tracing backend. If not set, then a length of 256 will be used. $hide_from_docs", - "type": "integer" - }, - "sampling": { - "description": "The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0.", - "type": "number", - "format": "double" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Zipkin" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Lightstep" - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Datadog" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Stackdriver" - } - } - }, - { - "required": [ - "openCensusAgent" - ], - "properties": { - "openCensusAgent": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.OpenCensusAgent" - } - } - } - ] - } - }, - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Zipkin" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Lightstep" - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Datadog" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Stackdriver" - } - } - }, - { - "required": [ - "openCensusAgent" - ], - "properties": { - "openCensusAgent": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.OpenCensusAgent" - } - } - } - ] - }, - "istio.mesh.v1alpha1.Tracing.CustomTag": { - "description": "Configure custom tags that will be added to any active span. Tags can be generated via literals, environment variables or an incoming request header. $hide_from_docs", - "type": "object", - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "literal" - ], - "properties": { - "literal": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Literal" - } - } - }, - { - "required": [ - "environment" - ], - "properties": { - "environment": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Environment" - } - } - }, - { - "required": [ - "header" - ], - "properties": { - "header": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.RequestHeader" - } - } - } - ] - } - }, - { - "required": [ - "literal" - ], - "properties": { - "literal": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Literal" - } - } - }, - { - "required": [ - "environment" - ], - "properties": { - "environment": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Environment" - } - } - }, - { - "required": [ - "header" - ], - "properties": { - "header": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.RequestHeader" - } - } - } - ] - }, - "istio.mesh.v1alpha1.Tracing.Datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Datadog" - }, - "istio.mesh.v1alpha1.Tracing.Environment": { - "description": "Environment is the proxy's environment variable to be used for populating the custom span tag. $hide_from_docs", - "type": "object", - "properties": { - "name": { - "description": "Name of the environment variable used to populate the tag's value", - "type": "string" - }, - "defaultValue": { - "description": "When the environment variable is not found, the tag's value will be populated with this default value if specified, otherwise the tag will not be populated.", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.Tracing.Lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Lightstep" - }, - "istio.mesh.v1alpha1.Tracing.Literal": { - "description": "Literal type represents a static value. $hide_from_docs", - "type": "object", - "properties": { - "value": { - "description": "Static literal value used to populate the tag value.", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.Tracing.OpenCensusAgent": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.OpenCensusAgent" - }, - "istio.mesh.v1alpha1.Tracing.OpenCensusAgent.TraceContext": { - "description": "TraceContext selects the context propagation headers used for distributed tracing.", - "type": "string", - "enum": [ - "UNSPECIFIED", - "W3C_TRACE_CONTEXT", - "GRPC_BIN", - "CLOUD_TRACE_CONTEXT", - "B3" - ] - }, - "istio.mesh.v1alpha1.Tracing.RequestHeader": { - "description": "RequestHeader is the HTTP request header which will be used to populate the span tag. A default value can be configured if the header does not exist. $hide_from_docs", - "type": "object", - "properties": { - "name": { - "description": "HTTP header name used to obtain the value from to populate the tag value.", - "type": "string" - }, - "defaultValue": { - "description": "Default value to be used for the tag when the named HTTP header does not exist. The tag will be skipped if no default value is provided.", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.Tracing.Stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Stackdriver" - }, - "istio.mesh.v1alpha1.Tracing.Zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Zipkin" - }, - "istio.networking.v1alpha3.ClientTLSSettings": { - "description": "SSL/TLS related settings for upstream connections. See Envoy's [TLS context](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto.html#common-tls-configuration) for more details. These settings are common to both HTTP and TCP upstreams.", - "type": "object", - "properties": { - "mode": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings.TLSmode" - }, - "clientCertificate": { - "description": "REQUIRED if mode is `MUTUAL`. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is `ISTIO_MUTUAL`.", - "type": "string" - }, - "privateKey": { - "description": "REQUIRED if mode is `MUTUAL`. The path to the file holding the client's private key. Should be empty if mode is `ISTIO_MUTUAL`.", - "type": "string" - }, - "caCertificates": { - "description": "OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will not verify the server's certificate. Should be empty if mode is `ISTIO_MUTUAL`.", - "type": "string" - }, - "credentialName": { - "description": "The name of the secret that holds the TLS certs for the client including the CA certificates. Secret must exist in the same namespace with the proxy using the certificates. The secret (of type `generic`)should contain the following keys and values: `key: \u003cprivateKey\u003e`, `cert: \u003cserverCert\u003e`, `cacert: \u003cCACertificate\u003e`. Secret of type tls for client certificates along with ca.crt key for CA certificates is also supported. Only one of client certificates and CA certificate or credentialName can be specified.", - "type": "string" - }, - "subjectAltNames": { - "description": "A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry.", - "type": "array", - "items": { - "type": "string" - } - }, - "sni": { - "description": "SNI string to present to the server during TLS handshake.", - "type": "string" - } - } - }, - "istio.networking.v1alpha3.ClientTLSSettings.TLSmode": { - "description": "TLS connection mode", - "type": "string", - "enum": [ - "DISABLE", - "SIMPLE", - "MUTUAL", - "ISTIO_MUTUAL" - ] - }, - "istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive": { - "description": "TCP keepalive.", - "type": "object", - "properties": { - "time": { - "description": "The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)", - "type": "string" - }, - "probes": { - "description": "Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)", - "type": "integer" - }, - "interval": { - "description": "The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)", - "type": "string" - } - } - }, - "istio.networking.v1alpha3.ExecHealthCheckConfig": { - "type": "object", - "properties": { - "command": { - "description": "Command to run. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.networking.v1alpha3.HTTPHeader": { - "type": "object", - "properties": { - "name": { - "description": "The header field name", - "type": "string" - }, - "value": { - "description": "The header field value", - "type": "string" - } - } - }, - "istio.networking.v1alpha3.HTTPHealthCheckConfig": { - "type": "object", - "properties": { - "path": { - "description": "Path to access on the HTTP server.", - "type": "string" - }, - "port": { - "description": "Port on which the endpoint lives.", - "type": "integer" - }, - "host": { - "description": "Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.", - "type": "string" - }, - "scheme": { - "description": "HTTP or HTTPS, defaults to HTTP", - "type": "string" - }, - "httpHeaders": { - "description": "Headers the proxy will pass on to make the request. Allows repeated headers.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.HTTPHeader" - } - } - } - }, - "istio.networking.v1alpha3.LocalityLoadBalancerSetting": { - "description": "Locality-weighted load balancing allows administrators to control the distribution of traffic to endpoints based on the localities of where the traffic originates and where it will terminate. These localities are specified using arbitrary labels that designate a hierarchy of localities in {region}/{zone}/{sub-zone} form. For additional detail refer to [Locality Weight](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) The following example shows how to setup locality weights mesh-wide.", - "type": "object", - "properties": { - "distribute": { - "description": "Optional: only one of distribute or failover can be set. Explicitly specify loadbalancing weight across different zones and geographical locations. Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) If empty, the locality weight is set according to the endpoints number within it.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute" - } - }, - "failover": { - "description": "Optional: only failover or distribute can be set. Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.LocalityLoadBalancerSetting.Failover" - } - }, - "enabled": { - "description": "enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.", - "type": "boolean", - "nullable": true - } - } - }, - "istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute": { - "description": "Describes how traffic originating in the 'from' zone or sub-zone is distributed over a set of 'to' zones. Syntax for specifying a zone is {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any segment of the specification. Examples: `*` - matches all localities", - "type": "object", - "properties": { - "from": { - "description": "Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.", - "type": "string" - }, - "to": { - "description": "Map of upstream localities to traffic distribution weights. The sum of all weights should be 100. Any locality not present will receive no traffic.", - "type": "object", - "additionalProperties": { - "type": "integer" - } - } - } - }, - "istio.networking.v1alpha3.LocalityLoadBalancerSetting.Failover": { - "description": "Specify the traffic failover policy across regions. Since zone and sub-zone failover is supported by default this only needs to be specified for regions when the operator needs to constrain traffic failover so that the default behavior of failing over to any endpoint globally does not apply. This is useful when failing over traffic across regions would not improve service health or may need to be restricted for other reasons like regulatory controls.", - "type": "object", - "properties": { - "from": { - "description": "Originating region.", - "type": "string" - }, - "to": { - "description": "Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.", - "type": "string" - } - } - }, - "istio.networking.v1alpha3.ReadinessProbe": { - "type": "object", - "properties": { - "timeoutSeconds": { - "description": "Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 second.", - "type": "integer", - "format": "int32" - }, - "initialDelaySeconds": { - "description": "Number of seconds after the container has started before readiness probes are initiated.", - "type": "integer", - "format": "int32" - }, - "periodSeconds": { - "description": "How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1 second.", - "type": "integer", - "format": "int32" - }, - "successThreshold": { - "description": "Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1 second.", - "type": "integer", - "format": "int32" - }, - "failureThreshold": { - "description": "Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3 seconds.", - "type": "integer", - "format": "int32" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "httpGet" - ], - "properties": { - "httpGet": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.HTTPHealthCheckConfig" - } - } - }, - { - "required": [ - "tcpSocket" - ], - "properties": { - "tcpSocket": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.TCPHealthCheckConfig" - } - } - }, - { - "required": [ - "exec" - ], - "properties": { - "exec": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ExecHealthCheckConfig" - } - } - } - ] - } - }, - { - "required": [ - "httpGet" - ], - "properties": { - "httpGet": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.HTTPHealthCheckConfig" - } - } - }, - { - "required": [ - "tcpSocket" - ], - "properties": { - "tcpSocket": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.TCPHealthCheckConfig" - } - } - }, - { - "required": [ - "exec" - ], - "properties": { - "exec": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ExecHealthCheckConfig" - } - } - } - ] - }, - "istio.networking.v1alpha3.TCPHealthCheckConfig": { - "type": "object", - "properties": { - "port": { - "description": "Port of host", - "type": "integer" - }, - "host": { - "description": "Host to connect to, defaults to localhost", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.BaseKubernetesContainerConfiguration": { - "type": "object", - "properties": { - "env": { - "description": "If present will be appended to the environment variables of the container", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EnvVar" - } - }, - "resources": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ResourceRequirements" - }, - "image": { - "description": "Standard Kubernetes container image configuration", - "type": "string" - }, - "volumeMounts": { - "description": "Pod volumes to mount into the container's filesystem. Cannot be updated. +optional +patchMergeKey=mountPath +patchStrategy=merge", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeMount" - } - }, - "securityContext": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecurityContext" - } - } - }, - "istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig": { - "type": "object", - "properties": { - "env": { - "description": "If present will be appended to the environment variables of the container", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EnvVar" - } - }, - "resources": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ResourceRequirements" - }, - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "image": { - "description": "Standard Kubernetes container image configuration", - "type": "string" - }, - "volumeMounts": { - "description": "Pod volumes to mount into the container's filesystem. Cannot be updated. +optional +patchMergeKey=mountPath +patchStrategy=merge", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeMount" - } - }, - "livenessProbe": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Probe" - }, - "readinessProbe": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Probe" - }, - "imagePullPolicy": { - "description": "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. +optional", - "type": "string" - }, - "securityContext": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecurityContext" - }, - "volumes": { - "description": "List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes +optional +patchMergeKey=name +patchStrategy=merge,retainKeys", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Volume" - } - }, - "nodeSelector": { - "description": "Standard Kubernetes node selector configuration", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "imagePullSecrets": { - "description": "ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - }, - "affinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Affinity" - }, - "tolerations": { - "description": "google.protobuf.Int32Value replicaCount = 1 [(gogoproto.wktpointer) = true]; If specified, the pod's tolerations. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Toleration" - } - }, - "priorityClassName": { - "description": "If specified, indicates the pod's priority. \"system-node-critical\" and \"system-cluster-critical\" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. +optional", - "type": "string" - }, - "replicas": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Replicas" - }, - "podMetadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "podDisruptionBudget": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.PodDisruptionBudget" - }, - "deploymentStrategy": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.DeploymentStrategy" - }, - "podSecurityContext": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodSecurityContext" - } - } - }, - "istio_operator.v2.api.v1alpha1.CNIConfiguration": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - }, - "logLevel": { - "type": "string" - }, - "chained": { - "type": "boolean", - "nullable": true - }, - "binDir": { - "type": "string" - }, - "confDir": { - "type": "string" - }, - "excludeNamespaces": { - "type": "array", - "items": { - "type": "string" - } - }, - "includeNamespaces": { - "type": "array", - "items": { - "type": "string" - } - }, - "confFileName": { - "type": "string" - }, - "pspClusterRoleName": { - "type": "string" - }, - "repair": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.CNIConfiguration.RepairConfiguration" - }, - "taint": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.CNIConfiguration.TaintConfiguration" - }, - "resourceQuotas": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.CNIConfiguration.ResourceQuotas" - }, - "daemonset": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig" - } - } - }, - "istio_operator.v2.api.v1alpha1.CNIConfiguration.RepairConfiguration": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - }, - "labelPods": { - "type": "boolean", - "nullable": true - }, - "deletePods": { - "type": "boolean", - "nullable": true - }, - "initContainerName": { - "type": "string" - }, - "brokenPodLabelKey": { - "type": "string" - }, - "brokenPodLabelValue": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.CNIConfiguration.ResourceQuotas": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - }, - "pods": { - "type": "string" - }, - "priorityClasses": { - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.CNIConfiguration.TaintConfiguration": { - "type": "object", - "properties": { - "container": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.BaseKubernetesContainerConfiguration" - }, - "enabled": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.ConfigState": { - "type": "string", - "enum": [ - "Unspecified", - "Created", - "ReconcileFailed", - "Reconciling", - "Available", - "Unmanaged" - ] - }, - "istio_operator.v2.api.v1alpha1.ContainerImageConfiguration": { - "type": "object", - "properties": { - "imagePullPolicy": { - "description": "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. +optional +kubebuilder:validation:Enum=Always;Never;IfNotPresent", - "type": "string" - }, - "imagePullSecrets": { - "description": "ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - }, - "hub": { - "description": "Default hub for container images.", - "type": "string" - }, - "tag": { - "description": "Default tag for container images.", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.DeploymentStrategy": { - "type": "object", - "properties": { - "type": { - "description": "Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate. +optional", - "type": "string" - }, - "rollingUpdate": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.DeploymentStrategy.RollingUpdateDeployment" - } - } - }, - "istio_operator.v2.api.v1alpha1.DeploymentStrategy.RollingUpdateDeployment": { - "type": "object", - "properties": { - "maxUnavailable": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "maxSurge": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - } - } - }, - "istio_operator.v2.api.v1alpha1.ExternalIstiodConfiguration": { - "description": "ExternalIstiodConfiguration defines settings for local istiod to control remote clusters as well", - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.GatewayType": { - "type": "string", - "enum": [ - "unspecified", - "ingress", - "egress" - ] - }, - "istio_operator.v2.api.v1alpha1.HTTPProxyEnvsConfiguration": { - "type": "object", - "properties": { - "httpProxy": { - "type": "string" - }, - "httpsProxy": { - "type": "string" - }, - "noProxy": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.IntOrString": { - "description": "Synthetic type for generating Go structs. GOTYPE: *IntOrString", - "type": "object" - }, - "istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec": { - "description": "IstioControlPlane defines an Istio control plane", - "type": "object", - "properties": { - "version": { - "description": "Contains the intended version for the Istio control plane. +kubebuilder:validation:Pattern=^1.", - "type": "string" - }, - "mode": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ModeType" - }, - "sds": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.SDSConfiguration" - }, - "logging": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.LoggingConfiguration" - }, - "mountMtlsCerts": { - "description": "Use the user-specified, secret volume mounted key and certs for Pilot and workloads.", - "type": "boolean", - "nullable": true - }, - "istiod": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IstiodConfiguration" - }, - "proxy": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ProxyConfiguration" - }, - "proxyInit": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ProxyInitConfiguration" - }, - "telemetryV2": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.TelemetryV2Configuration" - }, - "proxyWasm": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ProxyWasmConfiguration" - }, - "watchOneNamespace": { - "description": "Whether to restrict the applications namespace the controller manages. If not set, controller watches all namespaces", - "type": "boolean", - "nullable": true - }, - "jwtPolicy": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.JWTPolicyType" - }, - "caAddress": { - "description": "The customized CA address to retrieve certificates for the pods in the cluster. CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.", - "type": "string" - }, - "distribution": { - "description": "Contains the intended distribution for the Istio control plane. The official distribution is used by default unless special preserved distribution value is set. The only preserved distribution is \"cisco\" as of now.", - "type": "string" - }, - "httpProxyEnvs": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.HTTPProxyEnvsConfiguration" - }, - "meshConfig": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig" - }, - "k8sResourceOverlays": { - "description": "K8s resource overlay patches", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch" - } - }, - "meshID": { - "description": "Name of the Mesh to which this control plane belongs.", - "type": "string" - }, - "containerImageConfiguration": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ContainerImageConfiguration" - }, - "meshExpansion": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration" - }, - "clusterID": { - "description": "Cluster ID", - "type": "string" - }, - "networkName": { - "description": "Network defines the network this cluster belongs to. This name corresponds to the networks in the map of mesh networks. +default=network1", - "type": "string" - }, - "sidecarInjector": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.SidecarInjectorConfiguration" - } - } - }, - "istio_operator.v2.api.v1alpha1.IstioControlPlaneStatus": { - "description": "\u003c!-- go code generation tags +genclient +k8s:deepcopy-gen=true --\u003e", - "type": "object", - "properties": { - "status": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ConfigState" - }, - "meshConfig": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig" - }, - "clusterID": { - "description": "Cluster ID", - "type": "string" - }, - "istioControlPlaneName": { - "description": "Name of the IstioControlPlane resource It is used on remote clusters in the PeerIstioControlPlane resource status to identify the original Istio control plane", - "type": "string" - }, - "gatewayAddress": { - "description": "Current addresses for the corresponding gateways", - "type": "array", - "items": { - "type": "string" - } - }, - "istiodAddresses": { - "description": "Current addresses for the corresponding istiod pods", - "type": "array", - "items": { - "type": "string" - } - }, - "injectionNamespaces": { - "description": "Namespaces which are set for injection for this control plane", - "type": "array", - "items": { - "type": "string" - } - }, - "caRootCertificate": { - "description": "Istio CA root certificate", - "type": "string" - }, - "errorMessage": { - "description": "Reconciliation error message if any", - "type": "string" - }, - "checksums": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.StatusChecksums" - } - } - }, - "istio_operator.v2.api.v1alpha1.IstioMeshGatewaySpec": { - "description": "IstioMeshGateway defines an Istio ingress or egress gateway", - "type": "object", - "properties": { - "type": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.GatewayType" - }, - "service": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Service" - }, - "k8sResourceOverlays": { - "description": "K8s resource overlay patches", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch" - } - }, - "deployment": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig" - }, - "runAsRoot": { - "description": "Whether to run the gateway in a privileged container", - "type": "boolean", - "nullable": true - }, - "istioControlPlane": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.NamespacedName" - } - } - }, - "istio_operator.v2.api.v1alpha1.IstioMeshGatewayStatus": { - "description": "\u003c!-- go code generation tags +genclient +k8s:deepcopy-gen=true --\u003e", - "type": "object", - "properties": { - "Status": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ConfigState" - }, - "GatewayAddress": { - "description": "Current address for the gateway", - "type": "array", - "items": { - "type": "string" - } - }, - "ErrorMessage": { - "description": "Reconciliation error message if any", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.IstioMeshSpec": { - "description": "Mesh defines an Istio service mesh", - "type": "object", - "properties": { - "config": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig" - } - } - }, - "istio_operator.v2.api.v1alpha1.IstioMeshStatus": { - "description": "\u003c!-- go code generation tags +genclient +k8s:deepcopy-gen=true --\u003e", - "type": "object", - "properties": { - "status": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ConfigState" - }, - "errorMessage": { - "description": "Reconciliation error message if any", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.IstiodConfiguration": { - "description": "IstiodConfiguration defines config options for Istiod", - "type": "object", - "properties": { - "deployment": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig" - }, - "enableAnalysis": { - "description": "If enabled, pilot will run Istio analyzers and write analysis errors to the Status field of any Istio Resources", - "type": "boolean", - "nullable": true - }, - "enableStatus": { - "description": "If enabled, pilot will update the CRD Status field of all Istio resources with reconciliation status", - "type": "boolean", - "nullable": true - }, - "externalIstiod": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ExternalIstiodConfiguration" - }, - "traceSampling": { - "type": "number", - "nullable": true - }, - "enableProtocolSniffingOutbound": { - "description": "If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported", - "type": "boolean", - "nullable": true - }, - "enableProtocolSniffingInbound": { - "description": "If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported", - "type": "boolean", - "nullable": true - }, - "certProvider": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.PilotCertProviderType" - }, - "spiffe": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.SPIFFEConfiguration" - } - } - }, - "istio_operator.v2.api.v1alpha1.JWTPolicyType": { - "type": "string", - "enum": [ - "UNSPECIFIED", - "THIRD_PARTY_JWT", - "FIRST_PARTY_JWT" - ] - }, - "istio_operator.v2.api.v1alpha1.K8sObjectMeta": { - "description": "Generic k8s resource metadata", - "type": "object", - "properties": { - "labels": { - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels +optional", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "annotations": { - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations +optional", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch": { - "type": "object", - "properties": { - "groupVersionKind": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.GroupVersionKind" - }, - "objectKey": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.NamespacedName" - }, - "patches": { - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Patch" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.GroupVersionKind": { - "type": "object", - "properties": { - "kind": { - "type": "string" - }, - "group": { - "type": "string" - }, - "version": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Patch": { - "type": "object", - "properties": { - "path": { - "type": "string" - }, - "type": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Type" - }, - "value": { - "type": "string" - }, - "parseValue": { - "type": "boolean" - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Type": { - "type": "string", - "enum": [ - "unspecified", - "replace", - "remove" - ] - }, - "istio_operator.v2.api.v1alpha1.LoggingConfiguration": { - "description": "Comma-separated minimum per-scope logging level of messages to output, in the form of \u003cscope\u003e:\u003clevel\u003e,\u003cscope\u003e:\u003clevel\u003e The control plane has different scopes depending on component, but can configure default log level across all components If empty, default scope and level will be used as configured in code", - "type": "object", - "properties": { - "level": { - "description": "+kubebuilder:validation:Pattern=`^([a-zA-Z]+:[a-zA-Z]+,?)+$`", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration": { - "type": "object", - "properties": { - "gateway": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.IstioMeshGatewayConfiguration" - }, - "enabled": { - "type": "boolean", - "nullable": true - }, - "istiod": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Istiod" - }, - "webhook": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Webhook" - }, - "clusterServices": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.ClusterServices" - } - } - }, - "istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.ClusterServices": { - "type": "object", - "properties": { - "expose": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.IstioMeshGatewayConfiguration": { - "type": "object", - "properties": { - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "service": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.UnprotectedService" - }, - "k8sResourceOverlays": { - "description": "K8s resource overlay patches", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch" - } - }, - "deployment": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig" - }, - "runAsRoot": { - "description": "Whether to run the gateway in a privileged container", - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Istiod": { - "type": "object", - "properties": { - "expose": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Webhook": { - "type": "object", - "properties": { - "expose": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.ModeType": { - "type": "string", - "enum": [ - "UNSPECIFIED", - "ACTIVE", - "PASSIVE" - ] - }, - "istio_operator.v2.api.v1alpha1.NamespacedName": { - "type": "object", - "properties": { - "name": { - "description": "Name of the referenced Kubernetes resource", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced Kubernetes resource", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.OperatorEndpointsConfiguration": { - "description": "OperatorEndpointsConfiguration defines config options for automatic SPIFFE endpoints", - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.PDBConfiguration": { - "description": "PDBConfiguration holds Pod Disruption Budget related config options", - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.PilotCertProviderType": { - "type": "string", - "enum": [ - "UNSPECIFIED", - "KUBERNETES", - "ISTIOD" - ] - }, - "istio_operator.v2.api.v1alpha1.PodDisruptionBudget": { - "description": "PodDisruptionBudget is a description of a PodDisruptionBudget", - "type": "object", - "properties": { - "maxUnavailable": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "minAvailable": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - } - } - }, - "istio_operator.v2.api.v1alpha1.Properties": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.ProxyConfiguration": { - "description": "ProxyConfiguration defines config options for Proxy", - "type": "object", - "properties": { - "resources": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ResourceRequirements" - }, - "image": { - "type": "string" - }, - "lifecycle": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Lifecycle" - }, - "privileged": { - "description": "If set to true, istio-proxy container will have privileged securityContext", - "type": "boolean", - "nullable": true - }, - "holdApplicationUntilProxyStarts": { - "description": "Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready Default value is 'false'.", - "type": "boolean", - "nullable": true - }, - "enableCoreDump": { - "description": "If set, newly injected sidecars will have core dumps enabled.", - "type": "boolean", - "nullable": true - }, - "logLevel": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ProxyLogLevel" - }, - "componentLogLevel": { - "description": "Per Component log level for proxy, applies to gateways and sidecars. If a component level is not set, then the \"LogLevel\" will be used. If left empty, \"misc:error\" is used.", - "type": "string" - }, - "clusterDomain": { - "description": "cluster domain. Default value is \"cluster.local\"", - "type": "string" - }, - "includeIPRanges": { - "description": "IncludeIPRanges the range where to capture egress traffic", - "type": "string" - }, - "excludeIPRanges": { - "description": "ExcludeIPRanges the range where not to capture egress traffic", - "type": "string" - }, - "excludeInboundPorts": { - "description": "ExcludeInboundPorts the comma separated list of inbound ports to be excluded from redirection to Envoy", - "type": "string" - }, - "excludeOutboundPorts": { - "description": "ExcludeOutboundPorts the comma separated list of outbound ports to be excluded from redirection to Envoy", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.ProxyInitConfiguration": { - "description": "ProxyInitConfiguration defines config options for Proxy Init containers", - "type": "object", - "properties": { - "resources": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ResourceRequirements" - }, - "image": { - "type": "string" - }, - "cni": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.CNIConfiguration" - } - } - }, - "istio_operator.v2.api.v1alpha1.ProxyLogLevel": { - "type": "string", - "enum": [ - "UNSPECIFIED", - "TRACE", - "DEBUG", - "INFO", - "WARNING", - "ERROR", - "CRITICAL", - "OFF" - ] - }, - "istio_operator.v2.api.v1alpha1.ProxyWasmConfiguration": { - "description": "ProxyWasmConfiguration defines config options for Envoy wasm", - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.Quantity": { - "description": "Synthetic type for generating Go structs. GOTYPE: *Quantity", - "type": "object" - }, - "istio_operator.v2.api.v1alpha1.Replicas": { - "description": "Replicas contains pod replica configuration", - "type": "object", - "properties": { - "count": { - "description": "Standard Kubernetes replica count configuration +kubebuilder:validation:Minimum=0", - "type": "integer", - "nullable": true - }, - "max": { - "description": "Standard Kubernetes maximum replicas configuration +kubebuilder:validation:Minimum=0", - "type": "integer", - "nullable": true - }, - "min": { - "description": "Standard Kubernetes minimum replicas configuration +kubebuilder:validation:Minimum=0", - "type": "integer", - "nullable": true - }, - "targetCPUUtilizationPercentage": { - "description": "target average CPU utilization (represented as a percentage of requested CPU) over all the pods; if not specified the default autoscaling policy will be used. +optional +kubebuilder:validation:Minimum=0", - "type": "integer", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.ResourceRequirements": { - "description": "ResourceRequirements describes the compute resource requirements.", - "type": "object", - "properties": { - "limits": { - "description": "Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +optional", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Quantity" - } - }, - "requests": { - "description": "Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ +optional", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Quantity" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.SDSConfiguration": { - "description": "SDSConfiguration defines Secret Discovery Service config options", - "type": "object", - "properties": { - "tokenAudience": { - "description": "The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the JWT is intended for the CA.", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.SPIFFEConfiguration": { - "description": "SPIFFEConfiguration is for SPIFFE configuration of Pilot", - "type": "object", - "properties": { - "operatorEndpoints": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.OperatorEndpointsConfiguration" - } - } - }, - "istio_operator.v2.api.v1alpha1.Service": { - "description": "Service describes the attributes that a user creates on a service.", - "type": "object", - "properties": { - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "type": { - "description": "type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. \"ExternalName\" maps to the specified externalName. \"ClusterIP\" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object. If clusterIP is \"None\", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a stable IP. \"NodePort\" builds on ClusterIP and allocates a port on every node which routes to the clusterIP. \"LoadBalancer\" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types +optional +kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer", - "type": "string" - }, - "ports": { - "description": "The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies +patchMergeKey=port +patchStrategy=merge +listType=map +listMapKey=port +listMapKey=protocol +kubebuilder:validation:MinItems=1", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ServicePort" - } - }, - "selector": { - "description": "Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/ +optional", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "clusterIP": { - "description": "clusterIP is the IP address of the service and is usually assigned randomly by the master. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise, creation of the service will fail. This field can not be changed through updates. Valid values are \"None\", empty string (\"\"), or a valid IP address. \"None\" can be specified for headless services when proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies +optional", - "type": "string" - }, - "externalIPs": { - "description": "externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system. +optional", - "type": "array", - "items": { - "type": "string" - } - }, - "sessionAffinity": { - "description": "Supports \"ClientIP\" and \"None\". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies +optional", - "type": "string" - }, - "loadBalancerIP": { - "description": "Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. +optional", - "type": "string" - }, - "loadBalancerSourceRanges": { - "description": "If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature.\" More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ +optional", - "type": "array", - "items": { - "type": "string" - } - }, - "externalName": { - "description": "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) and requires Type to be ExternalName. +optional", - "type": "string" - }, - "externalTrafficPolicy": { - "description": "externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. \"Local\" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. \"Cluster\" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading. +optional", - "type": "string" - }, - "healthCheckNodePort": { - "description": "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local. +optional", - "type": "integer", - "format": "int32" - }, - "publishNotReadyAddresses": { - "description": "publishNotReadyAddresses, when set to true, indicates that DNS implementations must publish the notReadyAddresses of subsets for the Endpoints associated with the Service. The default value is false. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate SRV records for its Pods without respect to their readiness for purpose of peer discovery. +optional", - "type": "boolean", - "nullable": true - }, - "sessionAffinityConfig": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SessionAffinityConfig" - }, - "ipFamily": { - "description": "ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is available in the cluster. If no IP family is requested, the cluster's primary IP family will be used. Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which allocate external load-balancers should use the same IP family. Endpoints for this Service will be of this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment. +optional", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.ServicePort": { - "description": "ServicePort contains information on service's port.", - "type": "object", - "properties": { - "name": { - "description": "The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. if only one ServicePort is defined on this service. +optional", - "type": "string" - }, - "protocol": { - "description": "The IP protocol for this port. Supports \"TCP\", \"UDP\", and \"SCTP\". Default is TCP. +optional +kubebuilder:default=TCP", - "type": "string" - }, - "port": { - "description": "The port that will be exposed by this service.", - "type": "integer", - "format": "int32" - }, - "targetPort": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "nodePort": { - "description": "The port on each node on which this service is exposed when type=NodePort or LoadBalancer. Usually assigned by the system. If specified, it will be allocated to the service if unused or else creation of the service will fail. Default is to auto-allocate a port if the ServiceType of this Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport +optional", - "type": "integer", - "format": "int32" - } - } - }, - "istio_operator.v2.api.v1alpha1.SidecarInjectorConfiguration": { - "type": "object", - "properties": { - "service": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Service" - }, - "deployment": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig" - } - } - }, - "istio_operator.v2.api.v1alpha1.StatusChecksums": { - "description": "\u003c!-- go code generation tags +genclient +k8s:deepcopy-gen=true --\u003e", - "type": "object", - "properties": { - "meshConfig": { - "type": "string" - }, - "sidecarInjector": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.TelemetryV2Configuration": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.UnprotectedService": { - "description": "Service describes the attributes that a user creates on a service.", - "type": "object", - "properties": { - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "type": { - "description": "type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. \"ExternalName\" maps to the specified externalName. \"ClusterIP\" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object. If clusterIP is \"None\", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a stable IP. \"NodePort\" builds on ClusterIP and allocates a port on every node which routes to the clusterIP. \"LoadBalancer\" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types +optional +kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer", - "type": "string" - }, - "ports": { - "description": "The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies +patchMergeKey=port +patchStrategy=merge +listType=map +listMapKey=port +listMapKey=protocol", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ServicePort" - } - }, - "selector": { - "description": "Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/ +optional", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "clusterIP": { - "description": "clusterIP is the IP address of the service and is usually assigned randomly by the master. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise, creation of the service will fail. This field can not be changed through updates. Valid values are \"None\", empty string (\"\"), or a valid IP address. \"None\" can be specified for headless services when proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies +optional", - "type": "string" - }, - "externalIPs": { - "description": "externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system. +optional", - "type": "array", - "items": { - "type": "string" - } - }, - "sessionAffinity": { - "description": "Supports \"ClientIP\" and \"None\". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies +optional", - "type": "string" - }, - "loadBalancerIP": { - "description": "Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature. +optional", - "type": "string" - }, - "loadBalancerSourceRanges": { - "description": "If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature.\" More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ +optional", - "type": "array", - "items": { - "type": "string" - } - }, - "externalName": { - "description": "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) and requires Type to be ExternalName. +optional", - "type": "string" - }, - "externalTrafficPolicy": { - "description": "externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. \"Local\" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. \"Cluster\" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading. +optional", - "type": "string" - }, - "healthCheckNodePort": { - "description": "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local. +optional", - "type": "integer", - "format": "int32" - }, - "publishNotReadyAddresses": { - "description": "publishNotReadyAddresses, when set to true, indicates that DNS implementations must publish the notReadyAddresses of subsets for the Endpoints associated with the Service. The default value is false. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate SRV records for its Pods without respect to their readiness for purpose of peer discovery. +optional", - "type": "boolean", - "nullable": true - }, - "sessionAffinityConfig": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SessionAffinityConfig" - }, - "ipFamily": { - "description": "ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is available in the cluster. If no IP family is requested, the cluster's primary IP family will be used. Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which allocate external load-balancers should use the same IP family. Endpoints for this Service will be of this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment. +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.AWSElasticBlockStoreVolumeSource": { - "description": "Represents a Persistent Disk resource in AWS.", - "type": "object", - "properties": { - "volumeID": { - "description": "Unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore", - "type": "string" - }, - "fsType": { - "description": "Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine +optional", - "type": "string" - }, - "partition": { - "description": "The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty). +optional", - "type": "integer", - "format": "int32" - }, - "readOnly": { - "description": "Specify \"true\" to force and set the ReadOnly property in VolumeMounts to \"true\". If omitted, the default is \"false\". More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore +optional", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.Affinity": { - "description": "Affinity is a group of affinity scheduling rules.", - "type": "object", - "properties": { - "nodeAffinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeAffinity" - }, - "podAffinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinity" - }, - "podAntiAffinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAntiAffinity" - } - } - }, - "k8s.io.api.core.v1.AzureDiskVolumeSource": { - "description": "AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.", - "type": "object", - "properties": { - "kind": { - "description": "Expected values Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared", - "type": "string" - }, - "fsType": { - "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. +optional", - "type": "string" - }, - "readOnly": { - "description": "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. +optional", - "type": "boolean" - }, - "diskName": { - "description": "The Name of the data disk in the blob storage", - "type": "string" - }, - "diskURI": { - "description": "The URI the data disk in the blob storage", - "type": "string" - }, - "cachingMode": { - "description": "Host Caching mode: None, Read Only, Read Write. +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.AzureFileVolumeSource": { - "description": "AzureFile represents an Azure File Service mount on the host and bind mount to the pod.", - "type": "object", - "properties": { - "readOnly": { - "description": "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. +optional", - "type": "boolean" - }, - "secretName": { - "description": "the name of secret that contains Azure Storage Account Name and Key", - "type": "string" - }, - "shareName": { - "description": "Share Name", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.CSIVolumeSource": { - "description": "Represents a source location of a volume to mount, managed by an external CSI driver", - "type": "object", - "properties": { - "fsType": { - "description": "Filesystem type to mount. Ex. \"ext4\", \"xfs\", \"ntfs\". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply. +optional", - "type": "string" - }, - "readOnly": { - "description": "Specifies a read-only configuration for the volume. Defaults to false (read/write). +optional", - "type": "boolean" - }, - "driver": { - "description": "Driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.", - "type": "string" - }, - "volumeAttributes": { - "description": "VolumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values. +optional", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "nodePublishSecretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.Capabilities": { - "description": "Adds and removes POSIX capabilities from running containers.", - "type": "object", - "properties": { - "add": { - "description": "Added capabilities +optional", - "type": "array", - "items": { - "type": "string" - } - }, - "drop": { - "description": "Removed capabilities +optional", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.CephFSVolumeSource": { - "description": "Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "Optional: Used as the mounted root, rather than the full Ceph tree, default is / +optional", - "type": "string" - }, - "readOnly": { - "description": "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it +optional", - "type": "boolean" - }, - "monitors": { - "description": "Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "array", - "items": { - "type": "string" - } - }, - "user": { - "description": "Optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it +optional", - "type": "string" - }, - "secretFile": { - "description": "Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it +optional", - "type": "string" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.CinderVolumeSource": { - "description": "Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "volumeID": { - "description": "volume id used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md", - "type": "string" - }, - "fsType": { - "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md +optional", - "type": "string" - }, - "readOnly": { - "description": "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md +optional", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.ClientIPConfig": { - "description": "ClientIPConfig represents the configurations of Client IP based session affinity.", - "type": "object", - "properties": { - "timeoutSeconds": { - "description": "timeoutSeconds specifies the seconds of ClientIP type session sticky time. The value must be \u003e0 \u0026\u0026 \u003c=86400(for 1 day) if ServiceAffinity == \"ClientIP\". Default value is 10800(for 3 hours). +optional", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.ConfigMapKeySelector": { - "description": "Selects a key from a ConfigMap.", - "type": "object", - "properties": { - "key": { - "description": "The key to select.", - "type": "string" - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "Specify whether the ConfigMap or its key must be defined +optional", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.ConfigMapProjection": { - "description": "Adapts a ConfigMap into a projected volume.", - "type": "object", - "properties": { - "items": { - "description": "If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "Specify whether the ConfigMap or its keys must be defined +optional", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.ConfigMapVolumeSource": { - "description": "Adapts a ConfigMap into a volume.", - "type": "object", - "properties": { - "items": { - "description": "If unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "Specify whether the ConfigMap or its keys must be defined +optional", - "type": "boolean" - }, - "defaultMode": { - "description": "Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. +optional", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.DownwardAPIProjection": { - "description": "Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.", - "type": "object", - "properties": { - "items": { - "description": "Items is a list of DownwardAPIVolume file +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIVolumeFile" - } - } - } - }, - "k8s.io.api.core.v1.DownwardAPIVolumeFile": { - "description": "DownwardAPIVolumeFile represents information to create the file containing the pod field", - "type": "object", - "properties": { - "path": { - "description": "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'", - "type": "string" - }, - "fieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ObjectFieldSelector" - }, - "resourceFieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ResourceFieldSelector" - }, - "mode": { - "description": "Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. +optional", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.DownwardAPIVolumeSource": { - "description": "DownwardAPIVolumeSource represents a volume containing downward API info. Downward API volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "items": { - "description": "Items is a list of downward API volume file +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIVolumeFile" - } - }, - "defaultMode": { - "description": "Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. +optional", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.EmptyDirVolumeSource": { - "description": "Represents an empty directory for a pod. Empty directory volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "medium": { - "description": "What type of storage medium should back this directory. The default is \"\" which means to use the node's default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir +optional", - "type": "string" - }, - "sizeLimit": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - } - }, - "k8s.io.api.core.v1.EnvVar": { - "description": "EnvVar represents an environment variable present in a Container.", - "type": "object", - "properties": { - "name": { - "description": "Name of the environment variable. Must be a C_IDENTIFIER.", - "type": "string" - }, - "value": { - "description": "Variable references $(VAR_NAME) are expanded using the previous defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. The $(VAR_NAME) syntax can be escaped with a double $$, ie: $$(VAR_NAME). Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to \"\". +optional", - "type": "string" - }, - "valueFrom": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EnvVarSource" - } - } - }, - "k8s.io.api.core.v1.EnvVarSource": { - "description": "EnvVarSource represents a source for the value of an EnvVar.", - "type": "object", - "properties": { - "fieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ObjectFieldSelector" - }, - "resourceFieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ResourceFieldSelector" - }, - "configMapKeyRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ConfigMapKeySelector" - }, - "secretKeyRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecretKeySelector" - } - } - }, - "k8s.io.api.core.v1.ExecAction": { - "description": "ExecAction describes a \"run in container\" action.", - "type": "object", - "properties": { - "command": { - "description": "Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy. +optional", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.FCVolumeSource": { - "description": "Represents a Fibre Channel volume. Fibre Channel volumes can only be mounted as read/write once. Fibre Channel volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. TODO: how do we prevent errors in the filesystem from compromising the machine +optional", - "type": "string" - }, - "readOnly": { - "description": "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. +optional", - "type": "boolean" - }, - "targetWWNs": { - "description": "Optional: FC target worldwide names (WWNs) +optional", - "type": "array", - "items": { - "type": "string" - } - }, - "lun": { - "description": "Optional: FC target lun number +optional", - "type": "integer", - "format": "int32" - }, - "wwids": { - "description": "Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously. +optional", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.FlexVolumeSource": { - "description": "FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.", - "type": "object", - "properties": { - "fsType": { - "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script. +optional", - "type": "string" - }, - "readOnly": { - "description": "Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. +optional", - "type": "boolean" - }, - "driver": { - "description": "Driver is the name of the driver to use for this volume.", - "type": "string" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "options": { - "description": "Optional: Extra command options if any. +optional", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.FlockerVolumeSource": { - "description": "Represents a Flocker volume mounted by the Flocker agent. One and only one of datasetName and datasetUUID should be set. Flocker volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "datasetName": { - "description": "Name of the dataset stored as metadata -\u003e name on the dataset for Flocker should be considered as deprecated +optional", - "type": "string" - }, - "datasetUUID": { - "description": "UUID of the dataset. This is unique identifier of a Flocker dataset +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GCEPersistentDiskVolumeSource": { - "description": "Represents a Persistent Disk resource in Google Compute Engine.", - "type": "object", - "properties": { - "fsType": { - "description": "Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine +optional", - "type": "string" - }, - "partition": { - "description": "The partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk +optional", - "type": "integer", - "format": "int32" - }, - "readOnly": { - "description": "ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk +optional", - "type": "boolean" - }, - "pdName": { - "description": "Unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GitRepoVolumeSource": { - "description": "Represents a volume that is populated with the contents of a git repository. Git repo volumes do not support ownership management. Git repo volumes support SELinux relabeling.", - "type": "object", - "properties": { - "repository": { - "description": "Repository URL", - "type": "string" - }, - "revision": { - "description": "Commit hash for the specified revision. +optional", - "type": "string" - }, - "directory": { - "description": "Target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name. +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GlusterfsVolumeSource": { - "description": "Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "Path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod", - "type": "string" - }, - "readOnly": { - "description": "ReadOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod +optional", - "type": "boolean" - }, - "endpoints": { - "description": "EndpointsName is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.HTTPGetAction": { - "description": "HTTPGetAction describes an action based on HTTP Get requests.", - "type": "object", - "properties": { - "path": { - "description": "Path to access on the HTTP server. +optional", - "type": "string" - }, - "port": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.util.intstr.IntOrString" - }, - "host": { - "description": "Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead. +optional", - "type": "string" - }, - "scheme": { - "description": "Scheme to use for connecting to the host. Defaults to HTTP. +optional", - "type": "string" - }, - "httpHeaders": { - "description": "Custom headers to set in the request. HTTP allows repeated headers. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.HTTPHeader" - } - } - } - }, - "k8s.io.api.core.v1.HTTPHeader": { - "description": "HTTPHeader describes a custom header to be used in HTTP probes", - "type": "object", - "properties": { - "name": { - "description": "The header field name", - "type": "string" - }, - "value": { - "description": "The header field value", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.Handler": { - "description": "Handler defines a specific action that should be taken TODO: pass structured data to these actions, and document that data here.", - "type": "object", - "properties": { - "exec": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ExecAction" - }, - "httpGet": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.HTTPGetAction" - }, - "tcpSocket": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.TCPSocketAction" - } - } - }, - "k8s.io.api.core.v1.HostPathVolumeSource": { - "description": "Represents a host path mapped into a pod. Host path volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "Path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath", - "type": "string" - }, - "type": { - "description": "Type for HostPath Volume Defaults to \"\" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ISCSIVolumeSource": { - "description": "Represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine +optional", - "type": "string" - }, - "readOnly": { - "description": "ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. +optional", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "lun": { - "description": "iSCSI Target Lun number.", - "type": "integer", - "format": "int32" - }, - "targetPortal": { - "description": "iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).", - "type": "string" - }, - "iqn": { - "description": "Target iSCSI Qualified Name.", - "type": "string" - }, - "iscsiInterface": { - "description": "iSCSI Interface Name that uses an iSCSI transport. Defaults to 'default' (tcp). +optional", - "type": "string" - }, - "portals": { - "description": "iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260). +optional", - "type": "array", - "items": { - "type": "string" - } - }, - "chapAuthDiscovery": { - "description": "whether support iSCSI Discovery CHAP authentication +optional", - "type": "boolean" - }, - "chapAuthSession": { - "description": "whether support iSCSI Session CHAP authentication +optional", - "type": "boolean" - }, - "initiatorName": { - "description": "Custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface \u003ctarget portal\u003e:\u003cvolume name\u003e will be created for the connection. +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.KeyToPath": { - "description": "Maps a string key to a path within a volume.", - "type": "object", - "properties": { - "path": { - "description": "The relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.", - "type": "string" - }, - "key": { - "description": "The key to project.", - "type": "string" - }, - "mode": { - "description": "Optional: mode bits to use on this file, must be a value between 0 and 0777. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. +optional", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.Lifecycle": { - "description": "Lifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted.", - "type": "object", - "properties": { - "postStart": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Handler" - }, - "preStop": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Handler" - } - } - }, - "k8s.io.api.core.v1.LocalObjectReference": { - "description": "LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.", - "type": "object", - "properties": { - "name": { - "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid? +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.NFSVolumeSource": { - "description": "Represents an NFS mount that lasts the lifetime of a pod. NFS volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "Path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", - "type": "string" - }, - "readOnly": { - "description": "ReadOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs +optional", - "type": "boolean" - }, - "server": { - "description": "Server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.NodeAffinity": { - "description": "Node affinity is a group of node affinity scheduling rules.", - "type": "object", - "properties": { - "requiredDuringSchedulingIgnoredDuringExecution": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelector" - }, - "preferredDuringSchedulingIgnoredDuringExecution": { - "description": "The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PreferredSchedulingTerm" - } - } - } - }, - "k8s.io.api.core.v1.NodeSelector": { - "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", - "type": "object", - "properties": { - "nodeSelectorTerms": { - "description": "Required. A list of node selector terms. The terms are ORed.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorTerm" - } - } - } - }, - "k8s.io.api.core.v1.NodeSelectorRequirement": { - "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", - "type": "object", - "properties": { - "key": { - "description": "The label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", - "type": "string" - }, - "values": { - "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch. +optional", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.NodeSelectorTerm": { - "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "A list of node selector requirements by node's labels. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorRequirement" - } - }, - "matchFields": { - "description": "A list of node selector requirements by node's fields. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorRequirement" - } - } - } - }, - "k8s.io.api.core.v1.ObjectFieldSelector": { - "description": "ObjectFieldSelector selects an APIVersioned field of an object.", - "type": "object", - "properties": { - "apiVersion": { - "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\". +optional", - "type": "string" - }, - "fieldPath": { - "description": "Path of the field to select in the specified API version.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PersistentVolumeClaimVolumeSource": { - "description": "PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. This volume finds the bound PV and mounts that volume for the pod. A PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another type of volume that is owned by someone else (the system).", - "type": "object", - "properties": { - "readOnly": { - "description": "Will force the ReadOnly setting in VolumeMounts. Default false. +optional", - "type": "boolean" - }, - "claimName": { - "description": "ClaimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PhotonPersistentDiskVolumeSource": { - "description": "Represents a Photon Controller persistent disk resource.", - "type": "object", - "properties": { - "fsType": { - "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "pdID": { - "description": "ID that identifies Photon Controller persistent disk", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PodAffinity": { - "description": "Pod affinity is a group of inter pod affinity scheduling rules.", - "type": "object", - "properties": { - "requiredDuringSchedulingIgnoredDuringExecution": { - "description": "If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinityTerm" - } - }, - "preferredDuringSchedulingIgnoredDuringExecution": { - "description": "The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WeightedPodAffinityTerm" - } - } - } - }, - "k8s.io.api.core.v1.PodAffinityTerm": { - "description": "Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key \u003ctopologyKey\u003e matches that of any node on which a pod of the set of pods is running", - "type": "object", - "properties": { - "labelSelector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "namespaces": { - "description": "namespaces specifies which namespaces the labelSelector applies to (matches against); null or empty list means \"this pod's namespace\" +optional", - "type": "array", - "items": { - "type": "string" - } - }, - "topologyKey": { - "description": "This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PodAntiAffinity": { - "description": "Pod anti affinity is a group of inter pod anti affinity scheduling rules.", - "type": "object", - "properties": { - "requiredDuringSchedulingIgnoredDuringExecution": { - "description": "If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinityTerm" - } - }, - "preferredDuringSchedulingIgnoredDuringExecution": { - "description": "The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WeightedPodAffinityTerm" - } - } - } - }, - "k8s.io.api.core.v1.PodSecurityContext": { - "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.", - "type": "object", - "properties": { - "seLinuxOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SELinuxOptions" - }, - "windowsOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WindowsSecurityContextOptions" - }, - "runAsUser": { - "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. +optional", - "type": "integer", - "format": "int64" - }, - "runAsGroup": { - "description": "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. +optional", - "type": "integer", - "format": "int64" - }, - "runAsNonRoot": { - "description": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. +optional", - "type": "boolean" - }, - "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. +optional", - "type": "array", - "items": { - "type": "integer", - "format": "int64" - } - }, - "fsGroup": { - "description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw----", - "type": "integer", - "format": "int64" - }, - "sysctls": { - "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Sysctl" - } - } - } - }, - "k8s.io.api.core.v1.PortworxVolumeSource": { - "description": "PortworxVolumeSource represents a Portworx volume resource.", - "type": "object", - "properties": { - "volumeID": { - "description": "VolumeID uniquely identifies a Portworx volume", - "type": "string" - }, - "fsType": { - "description": "FSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "readOnly": { - "description": "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. +optional", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.PreferredSchedulingTerm": { - "description": "An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).", - "type": "object", - "properties": { - "weight": { - "description": "Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.", - "type": "integer", - "format": "int32" - }, - "preference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorTerm" - } - } - }, - "k8s.io.api.core.v1.Probe": { - "description": "Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.", - "type": "object", - "properties": { - "timeoutSeconds": { - "description": "Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes +optional", - "type": "integer", - "format": "int32" - }, - "handler": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Handler" - }, - "initialDelaySeconds": { - "description": "Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes +optional", - "type": "integer", - "format": "int32" - }, - "periodSeconds": { - "description": "How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. +optional", - "type": "integer", - "format": "int32" - }, - "successThreshold": { - "description": "Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness. Minimum value is 1. +optional", - "type": "integer", - "format": "int32" - }, - "failureThreshold": { - "description": "Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. +optional", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.ProjectedVolumeSource": { - "description": "Represents a projected volume source", - "type": "object", - "properties": { - "defaultMode": { - "description": "Mode bits to use on created files by default. Must be a value between 0 and 0777. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. +optional", - "type": "integer", - "format": "int32" - }, - "sources": { - "description": "list of volume projections", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeProjection" - } - } - } - }, - "k8s.io.api.core.v1.QuobyteVolumeSource": { - "description": "Represents a Quobyte mount that lasts the lifetime of a pod. Quobyte volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "group": { - "description": "Group to map volume access to Default is no group +optional", - "type": "string" - }, - "readOnly": { - "description": "ReadOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false. +optional", - "type": "boolean" - }, - "user": { - "description": "User to map volume access to Defaults to serivceaccount user +optional", - "type": "string" - }, - "registry": { - "description": "Registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes", - "type": "string" - }, - "volume": { - "description": "Volume is a string that references an already created Quobyte volume by name.", - "type": "string" - }, - "tenant": { - "description": "Tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.RBDVolumeSource": { - "description": "Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "Filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine +optional", - "type": "string" - }, - "readOnly": { - "description": "ReadOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it +optional", - "type": "boolean" - }, - "monitors": { - "description": "A collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "array", - "items": { - "type": "string" - } - }, - "user": { - "description": "The rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it +optional", - "type": "string" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "image": { - "description": "The rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - }, - "pool": { - "description": "The rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it +optional", - "type": "string" - }, - "keyring": { - "description": "Keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ResourceFieldSelector": { - "description": "ResourceFieldSelector represents container resources (cpu, memory) and their output format", - "type": "object", - "properties": { - "resource": { - "description": "Required: resource to select", - "type": "string" - }, - "containerName": { - "description": "Container name: required for volumes, optional for env vars +optional", - "type": "string" - }, - "divisor": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - } - }, - "k8s.io.api.core.v1.SELinuxOptions": { - "description": "SELinuxOptions are the labels to be applied to the container", - "type": "object", - "properties": { - "type": { - "description": "Type is a SELinux type label that applies to the container. +optional", - "type": "string" - }, - "user": { - "description": "User is a SELinux user label that applies to the container. +optional", - "type": "string" - }, - "role": { - "description": "Role is a SELinux role label that applies to the container. +optional", - "type": "string" - }, - "level": { - "description": "Level is SELinux level label that applies to the container. +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ScaleIOVolumeSource": { - "description": "ScaleIOVolumeSource represents a persistent ScaleIO volume", - "type": "object", - "properties": { - "fsType": { - "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Default is \"xfs\". +optional", - "type": "string" - }, - "readOnly": { - "description": "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. +optional", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "volumeName": { - "description": "The name of a volume already created in the ScaleIO system that is associated with this volume source.", - "type": "string" - }, - "gateway": { - "description": "The host address of the ScaleIO API Gateway.", - "type": "string" - }, - "system": { - "description": "The name of the storage system as configured in ScaleIO.", - "type": "string" - }, - "sslEnabled": { - "description": "Flag to enable/disable SSL communication with Gateway, default false +optional", - "type": "boolean" - }, - "protectionDomain": { - "description": "The name of the ScaleIO Protection Domain for the configured storage. +optional", - "type": "string" - }, - "storagePool": { - "description": "The ScaleIO Storage Pool associated with the protection domain. +optional", - "type": "string" - }, - "storageMode": { - "description": "Indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned. +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.SecretKeySelector": { - "description": "SecretKeySelector selects a key of a Secret.", - "type": "object", - "properties": { - "key": { - "description": "The key of the secret to select from. Must be a valid secret key.", - "type": "string" - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "Specify whether the Secret or its key must be defined +optional", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.SecretProjection": { - "description": "Adapts a secret into a projected volume.", - "type": "object", - "properties": { - "items": { - "description": "If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "Specify whether the Secret or its key must be defined +optional", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.SecretVolumeSource": { - "description": "Adapts a Secret into a volume.", - "type": "object", - "properties": { - "items": { - "description": "If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "secretName": { - "description": "Name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret +optional", - "type": "string" - }, - "optional": { - "description": "Specify whether the Secret or its keys must be defined +optional", - "type": "boolean" - }, - "defaultMode": { - "description": "Optional: mode bits to use on created files by default. Must be a value between 0 and 0777. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set. +optional", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.SecurityContext": { - "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.", - "type": "object", - "properties": { - "seLinuxOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SELinuxOptions" - }, - "windowsOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WindowsSecurityContextOptions" - }, - "runAsUser": { - "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. +optional", - "type": "integer", - "format": "int64" - }, - "runAsGroup": { - "description": "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. +optional", - "type": "integer", - "format": "int64" - }, - "runAsNonRoot": { - "description": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. +optional", - "type": "boolean" - }, - "capabilities": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Capabilities" - }, - "privileged": { - "description": "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. +optional", - "type": "boolean" - }, - "readOnlyRootFilesystem": { - "description": "Whether this container has a read-only root filesystem. Default is false. +optional", - "type": "boolean" - }, - "allowPrivilegeEscalation": { - "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN +optional", - "type": "boolean" - }, - "procMount": { - "description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ServiceAccountTokenProjection": { - "description": "ServiceAccountTokenProjection represents a projected service account token volume. This projection can be used to insert a service account token into the pods runtime filesystem for use against APIs (Kubernetes API Server or otherwise).", - "type": "object", - "properties": { - "path": { - "description": "Path is the path relative to the mount point of the file to project the token into.", - "type": "string" - }, - "audience": { - "description": "Audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver. +optional", - "type": "string" - }, - "expirationSeconds": { - "description": "ExpirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes. +optional", - "type": "integer", - "format": "int64" - } - } - }, - "k8s.io.api.core.v1.SessionAffinityConfig": { - "description": "SessionAffinityConfig represents the configurations of session affinity.", - "type": "object", - "properties": { - "clientIP": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ClientIPConfig" - } - } - }, - "k8s.io.api.core.v1.StorageOSVolumeSource": { - "description": "Represents a StorageOS persistent volume resource.", - "type": "object", - "properties": { - "fsType": { - "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. +optional", - "type": "string" - }, - "readOnly": { - "description": "Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. +optional", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "volumeName": { - "description": "VolumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.", - "type": "string" - }, - "volumeNamespace": { - "description": "VolumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to \"default\" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created. +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.Sysctl": { - "description": "Sysctl defines a kernel parameter to be set", - "type": "object", - "properties": { - "name": { - "description": "Name of a property to set", - "type": "string" - }, - "value": { - "description": "Value of a property to set", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.TCPSocketAction": { - "description": "TCPSocketAction describes an action based on opening a socket", - "type": "object", - "properties": { - "port": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.util.intstr.IntOrString" - }, - "host": { - "description": "Optional: Host name to connect to, defaults to the pod IP. +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.Toleration": { - "description": "The pod this Toleration is attached to tolerates any taint that matches the triple \u003ckey,value,effect\u003e using the matching operator \u003coperator\u003e.", - "type": "object", - "properties": { - "key": { - "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys. +optional", - "type": "string" - }, - "operator": { - "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category. +optional", - "type": "string" - }, - "value": { - "description": "Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string. +optional", - "type": "string" - }, - "effect": { - "description": "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute. +optional", - "type": "string" - }, - "tolerationSeconds": { - "description": "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system. +optional", - "type": "integer", - "format": "int64" - } - } - }, - "k8s.io.api.core.v1.Volume": { - "description": "Volume represents a named volume in a pod that may be accessed by any container in the pod.", - "type": "object", - "properties": { - "name": { - "description": "Volume's name. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", - "type": "string" - }, - "volumeSource": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeSource" - } - } - }, - "k8s.io.api.core.v1.VolumeMount": { - "description": "VolumeMount describes a mounting of a Volume within a container.", - "type": "object", - "properties": { - "name": { - "description": "This must match the Name of a Volume.", - "type": "string" - }, - "readOnly": { - "description": "Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false. +optional", - "type": "boolean" - }, - "mountPath": { - "description": "Path within the container at which the volume should be mounted. Must not contain ':'.", - "type": "string" - }, - "subPath": { - "description": "Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root). +optional", - "type": "string" - }, - "mountPropagation": { - "description": "mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10. +optional", - "type": "string" - }, - "subPathExpr": { - "description": "Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to \"\" (volume's root). SubPathExpr and SubPath are mutually exclusive. This field is beta in 1.15. +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.VolumeProjection": { - "description": "Projection that may be projected along with other supported volume types", - "type": "object", - "properties": { - "configMap": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ConfigMapProjection" - }, - "secret": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecretProjection" - }, - "downwardAPI": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIProjection" - }, - "serviceAccountToken": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ServiceAccountTokenProjection" - } - } - }, - "k8s.io.api.core.v1.VolumeSource": { - "description": "Represents the source of a volume to mount. Only one of its members may be specified.", - "type": "object", - "properties": { - "configMap": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ConfigMapVolumeSource" - }, - "gcePersistentDisk": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GCEPersistentDiskVolumeSource" - }, - "awsElasticBlockStore": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.AWSElasticBlockStoreVolumeSource" - }, - "hostPath": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.HostPathVolumeSource" - }, - "glusterfs": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GlusterfsVolumeSource" - }, - "nfs": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NFSVolumeSource" - }, - "rbd": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.RBDVolumeSource" - }, - "iscsi": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ISCSIVolumeSource" - }, - "cinder": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.CinderVolumeSource" - }, - "cephfs": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.CephFSVolumeSource" - }, - "fc": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.FCVolumeSource" - }, - "flocker": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.FlockerVolumeSource" - }, - "flexVolume": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.FlexVolumeSource" - }, - "azureFile": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.AzureFileVolumeSource" - }, - "vsphereVolume": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VsphereVirtualDiskVolumeSource" - }, - "quobyte": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.QuobyteVolumeSource" - }, - "azureDisk": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.AzureDiskVolumeSource" - }, - "photonPersistentDisk": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PhotonPersistentDiskVolumeSource" - }, - "portworxVolume": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PortworxVolumeSource" - }, - "scaleIO": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ScaleIOVolumeSource" - }, - "storageos": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.StorageOSVolumeSource" - }, - "csi": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.CSIVolumeSource" - }, - "secret": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecretVolumeSource" - }, - "downwardAPI": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIVolumeSource" - }, - "emptyDir": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EmptyDirVolumeSource" - }, - "gitRepo": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GitRepoVolumeSource" - }, - "persistentVolumeClaim": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PersistentVolumeClaimVolumeSource" - }, - "projected": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ProjectedVolumeSource" - } - } - }, - "k8s.io.api.core.v1.VsphereVirtualDiskVolumeSource": { - "description": "Represents a vSphere volume resource.", - "type": "object", - "properties": { - "fsType": { - "description": "Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. +optional", - "type": "string" - }, - "volumePath": { - "description": "Path that identifies vSphere volume vmdk", - "type": "string" - }, - "storagePolicyName": { - "description": "Storage Policy Based Management (SPBM) profile name. +optional", - "type": "string" - }, - "storagePolicyID": { - "description": "Storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName. +optional", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.WeightedPodAffinityTerm": { - "description": "The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)", - "type": "object", - "properties": { - "weight": { - "description": "weight associated with matching the corresponding podAffinityTerm, in the range 1-100.", - "type": "integer", - "format": "int32" - }, - "podAffinityTerm": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinityTerm" - } - } - }, - "k8s.io.api.core.v1.WindowsSecurityContextOptions": { - "description": "WindowsSecurityContextOptions contain Windows-specific options and credentials.", - "type": "object", - "properties": { - "gmsaCredentialSpecName": { - "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. +optional", - "type": "string" - }, - "gmsaCredentialSpec": { - "description": "GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field. This field is alpha-level and is only honored by servers that enable the WindowsGMSA feature flag. +optional", - "type": "string" - }, - "runAsUserName": { - "description": "The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. This field is alpha-level and it is only honored by servers that enable the WindowsRunAsUserName feature flag. +optional", - "type": "string" - } - } - }, - "k8s.io.apimachinery.pkg.api.resource.Quantity": { - "description": "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and Int64() accessors.", - "type": "object", - "properties": { - "string": { - "type": "string" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector": { - "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", - "type": "object", - "properties": { - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed. +optional", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed. +optional", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement" - } - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", - "type": "object", - "properties": { - "key": { - "description": "key is the label key that the selector applies to. +patchMergeKey=key +patchStrategy=merge", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. +optional", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.apimachinery.pkg.util.intstr.IntOrString": { - "description": "IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number. TODO: Rename to Int32OrString", - "type": "object", - "properties": { - "type": { - "type": "integer", - "format": "int64" - }, - "intVal": { - "type": "integer", - "format": "int32" - }, - "strVal": { - "type": "string" - } - } - } - } - } -} \ No newline at end of file diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane.gen.json b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane.gen.json deleted file mode 100644 index e9c676cca..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane.gen.json +++ /dev/null @@ -1,5172 +0,0 @@ -{ - "openapi": "3.0.0", - "info": { - "title": "Istio control plane descriptor", - "version": "v1alpha1" - }, - "components": { - "schemas": { - "istio.mesh.v1alpha1.AuthenticationPolicy": { - "description": "AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation. Mesh policy cannot be INHERIT.", - "type": "string", - "enum": [ - "NONE", - "MUTUAL_TLS", - "INHERIT" - ] - }, - "istio.mesh.v1alpha1.Certificate": { - "type": "object", - "properties": { - "secretName": { - "description": "Name of the secret the certificate and its key will be stored into. If it is empty, it will not be stored into a secret. Instead, the certificate and its key will be stored into a hard-coded directory.", - "type": "string" - }, - "dnsNames": { - "description": "The DNS names for the certificate. A certificate may contain multiple DNS names.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.mesh.v1alpha1.ConfigSource": { - "description": "ConfigSource describes information about a configuration store inside a mesh. A single control plane instance can interact with one or more data sources.", - "type": "object", - "properties": { - "address": { - "description": "Address of the server implementing the Istio Mesh Configuration protocol (MCP). Can be IP address or a fully qualified DNS name. Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or fs:/// to specify a file-based backend with absolute path to the directory.", - "type": "string" - }, - "tlsSettings": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings" - }, - "subscribedResources": { - "description": "Describes the source of configuration, if nothing is specified default is MCP", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Resource" - } - } - } - }, - "istio.mesh.v1alpha1.MeshConfig": { - "description": "MeshConfig defines mesh-wide settings for the Istio service mesh.", - "type": "object", - "properties": { - "localityLbSetting": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.LocalityLoadBalancerSetting" - }, - "connectTimeout": { - "description": "Connection timeout used by Envoy. (MUST BE \u003e=1ms) Default timeout is 10s.", - "type": "string" - }, - "tcpKeepalive": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive" - }, - "h2UpgradePolicy": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.H2UpgradePolicy" - }, - "caCertificates": { - "description": "The extra root certificates for workload-to-workload communication. The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.CertificateData" - } - }, - "proxyListenPort": { - "description": "Port on which Envoy should listen for incoming connections from other services. Default port is 15001.", - "type": "integer", - "format": "int32" - }, - "proxyHttpPort": { - "description": "Port on which Envoy should listen for HTTP PROXY requests if set.", - "type": "integer", - "format": "int32" - }, - "protocolDetectionTimeout": { - "description": "Automatic protocol detection uses a set of heuristics to determine whether the connection is using TLS or not (on the server side), as well as the application protocol being used (e.g., http vs tcp). These heuristics rely on the client sending the first bits of data. For server first protocols like MySQL, MongoDB, etc. Envoy will timeout on the protocol detection after the specified period, defaulting to non mTLS plain TCP traffic. Set this field to tweak the period that Envoy will wait for the client to send the first bits of data. (MUST BE \u003e=1ms or 0s to disable). Default detection timeout is 0s (no timeout).", - "type": "string" - }, - "ingressClass": { - "description": "Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of `kubernetes.io/ingress.class` annotation.", - "type": "string" - }, - "ingressService": { - "description": "Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value `istio-ingressgateway` is used.", - "type": "string" - }, - "ingressControllerMode": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.IngressControllerMode" - }, - "ingressSelector": { - "description": "Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. It is recommended that this is the same value as ingress_service.", - "type": "string" - }, - "enableTracing": { - "description": "Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration.", - "type": "boolean" - }, - "accessLogFile": { - "description": "File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging.", - "type": "string" - }, - "accessLogFormat": { - "description": "Format for the proxy access log Empty value results in proxy's default access log format", - "type": "string" - }, - "accessLogEncoding": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.AccessLogEncoding" - }, - "enableEnvoyAccessLogService": { - "description": "This flag enables Envoy's gRPC Access Log Service. See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto) for details about Envoy's gRPC Access Log Service API. Default value is `false`.", - "type": "boolean" - }, - "disableEnvoyListenerLog": { - "description": "This flag disables Envoy Listener logs. See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log) Istio Enables Envoy's listener access logs on \"NoRoute\" response flag. Default value is `false`.", - "type": "boolean" - }, - "defaultConfig": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig" - }, - "outboundTrafficPolicy": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy" - }, - "configSources": { - "description": "ConfigSource describes a source of configuration data for networking rules, and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ConfigSource" - } - }, - "enableAutoMtls": { - "description": "This flag is used to enable mutual `TLS` automatically for service to service communication within the mesh, default true. If set to true, and a given service does not have a corresponding `DestinationRule` configured, or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side TLS configuration appropriately. More specifically, If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate for mutual `TLS` to connect to upstream. If upstream service is in plain text mode, use plain text. If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic. If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead.", - "type": "boolean", - "nullable": true - }, - "trustDomain": { - "description": "The trust domain corresponds to the trust root of a system. Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain)", - "type": "string" - }, - "trustDomainAliases": { - "description": "The trust domain aliases represent the aliases of `trust_domain`. For example, if we have ```yaml trustDomain: td1 trustDomainAliases: [\"td2\", \"td3\"] ``` Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh.", - "type": "array", - "items": { - "type": "string" - } - }, - "defaultServiceExportTo": { - "description": "The default value for the ServiceEntry.export_to field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: ``` * - All Namespaces . - Current Namespace ~ - No Namespace ``` If not set the system will use \"*\" as the default value which implies that services are exported to all namespaces. `All namespaces` is a reasonable default for implementations that don't need to restrict access or visibility of services across namespace boundaries. If that requirement is present it is generally good practice to make the default `Current namespace` so that services are only visible within their own namespaces by default. Operators can then expand the visibility of services to other namespaces as needed. Use of `No Namespace` is expected to be rare but can have utility for deployments where dependency management needs to be precise even within the scope of a single namespace. For further discussion see the reference documentation for `ServiceEntry`, `Sidecar`, and `Gateway`.", - "type": "array", - "items": { - "type": "string" - } - }, - "defaultVirtualServiceExportTo": { - "description": "The default value for the VirtualService.export_to field. Has the same syntax as `default_service_export_to`. If not set the system will use \"*\" as the default value which implies that virtual services are exported to all namespaces", - "type": "array", - "items": { - "type": "string" - } - }, - "defaultDestinationRuleExportTo": { - "description": "The default value for the `DestinationRule.export_to` field. Has the same syntax as `default_service_export_to`. If not set the system will use \"*\" as the default value which implies that destination rules are exported to all namespaces", - "type": "array", - "items": { - "type": "string" - } - }, - "rootNamespace": { - "description": "The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for declarations in that namespace first and if none are found it will search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace. The precise semantics of this processing are documented on each resource type.", - "type": "string" - }, - "dnsRefreshRate": { - "description": "Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS` Default refresh rate is `5s`.", - "type": "string" - }, - "inboundClusterStatName": { - "description": "Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. By default, Istio emits statistics with the pattern `inbound|\u003cport\u003e|\u003cport-name\u003e|\u003cservice-FQDN\u003e`. For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern. A Pattern can be composed of various pre-defined variables. The following variables are supported. - `%SERVICE%` - Will be substituted with name of the service. - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. - `%SERVICE_PORT%` - Will be substituted with port of the service. - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. Following are some examples of supported patterns for reviews: - `%SERVICE_FQDN%_%SERVICE_PORT%` will use reviews.prod.svc.cluster.local_7443 as the stats name. - `%SERVICE%` will use reviews.prod as the stats name.", - "type": "string" - }, - "outboundClusterStatName": { - "description": "Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. By default, Istio emits statistics with the pattern `outbound|\u003cport\u003e|\u003csubsetname\u003e|\u003cservice-FQDN\u003e`. For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern. A Pattern can be composed of various pre-defined variables. The following variables are supported. - `%SERVICE%` - Will be substituted with name of the service. - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. - `%SERVICE_PORT%` - Will be substituted with port of the service. - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. - `%SUBSET_NAME%` - Will be substituted with subset. Following are some examples of supported patterns for reviews: - `%SERVICE_FQDN%_%SERVICE_PORT%` will use `reviews.prod.svc.cluster.local_7443` as the stats name. - `%SERVICE%` will use reviews.prod as the stats name.", - "type": "string" - }, - "certificates": { - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Certificate" - } - }, - "serviceSettings": { - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ServiceSettings" - } - }, - "enablePrometheusMerge": { - "description": "If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and `prometheus.io/path` annotations. If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. In this case, it is recommended to disable aggregation on that deployment with the `prometheus.istio.io/merge-metrics: \"false\"` annotation. If not specified, this will be enabled by default.", - "type": "boolean", - "nullable": true - }, - "verifyCertificateAtClient": { - "type": "boolean", - "deprecated": true, - "nullable": true - }, - "ca": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.CA" - }, - "extensionProviders": { - "description": "Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy can be used with an extension provider to delegate the authorization decision to a custom authorization system.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider" - } - }, - "defaultProviders": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.DefaultProviders" - }, - "discoverySelectors": { - "description": "A list of Kubernetes selectors that specify the set of namespaces that Istio considers when computing configuration updates for sidecars. This can be used to reduce Istio's computational load by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. If omitted, Istio will use the default behavior of processing all namespaces in the cluster. Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. The following example selects any namespace that matches either below: 1. The namespace has both of these labels: `env: prod` and `region: us-east1` 2. The namespace has label `app` equal to `cassandra` or `spark`. ```yaml discoverySelectors: - matchLabels: env: prod region: us-east1 - matchExpressions: - key: app operator: In values: - cassandra - spark ``` Refer to the [kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for additional detail on selector semantics.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - } - }, - "pathNormalization": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ProxyPathNormalization" - }, - "defaultHttpRetryPolicy": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.HTTPRetry" - }, - "meshMTLS": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.TLSConfig" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.AccessLogEncoding": { - "type": "string", - "enum": [ - "TEXT", - "JSON" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.CA": { - "type": "object", - "properties": { - "address": { - "description": "REQUIRED. Address of the CA server implementing the Istio CA gRPC API. Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000", - "type": "string" - }, - "tlsSettings": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings" - }, - "requestTimeout": { - "description": "timeout for forward CSR requests from Istiod to External CA Default: 10s", - "type": "string" - }, - "istiodSide": { - "description": "Use istiod_side to specify CA Server integrate to Istiod side or Agent side Default: true", - "type": "boolean" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.CertificateData": { - "type": "object", - "properties": { - "certSigners": { - "description": "Optional. Specify the kubernetes signers (External CA) that use this trustAnchor when Istiod is acting as RA(registration authority) If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.", - "type": "array", - "items": { - "type": "string" - } - }, - "trustDomains": { - "description": "Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. Note that we can have multiple trustAnchor data for a same trust_domain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains.", - "type": "array", - "items": { - "type": "string" - } - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "pem" - ], - "properties": { - "pem": { - "description": "The PEM data of the certificate.", - "type": "string" - } - } - }, - { - "required": [ - "spiffeBundleUrl" - ], - "properties": { - "spiffeBundleUrl": { - "description": "The SPIFFE bundle endpoint URL that complies to: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint.", - "type": "string" - } - } - } - ] - } - }, - { - "required": [ - "pem" - ], - "properties": { - "pem": { - "description": "The PEM data of the certificate.", - "type": "string" - } - } - }, - { - "required": [ - "spiffeBundleUrl" - ], - "properties": { - "spiffeBundleUrl": { - "description": "The SPIFFE bundle endpoint URL that complies to: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint.", - "type": "string" - } - } - } - ] - }, - "istio.mesh.v1alpha1.MeshConfig.DefaultProviders": { - "description": "Holds the name references to the providers that will be used by default in other Istio configuration resources if the provider is not specified. These names must match a provider defined in `extension_providers` that is one of the supported tracing providers.", - "type": "object", - "properties": { - "tracing": { - "description": "Name of the default provider(s) for tracing.", - "type": "array", - "items": { - "type": "string" - } - }, - "metrics": { - "description": "Name of the default provider(s) for metrics.", - "type": "array", - "items": { - "type": "string" - } - }, - "accessLogging": { - "description": "Name of the default provider(s) for access logging.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider": { - "type": "object", - "properties": { - "name": { - "description": "REQUIRED. A unique name identifying the extension provider.", - "type": "string" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "envoyExtAuthzHttp" - ], - "properties": { - "envoyExtAuthzHttp": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider" - } - } - }, - { - "required": [ - "envoyExtAuthzGrpc" - ], - "properties": { - "envoyExtAuthzGrpc": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider" - } - } - }, - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider", - "deprecated": true - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider" - } - } - }, - { - "required": [ - "opencensus" - ], - "properties": { - "opencensus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider" - } - } - }, - { - "required": [ - "skywalking" - ], - "properties": { - "skywalking": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider" - } - } - }, - { - "required": [ - "opentelemetry" - ], - "properties": { - "opentelemetry": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider" - } - } - }, - { - "required": [ - "prometheus" - ], - "properties": { - "prometheus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider" - } - } - }, - { - "required": [ - "envoyFileAccessLog" - ], - "properties": { - "envoyFileAccessLog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider" - } - } - }, - { - "required": [ - "envoyHttpAls" - ], - "properties": { - "envoyHttpAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider" - } - } - }, - { - "required": [ - "envoyTcpAls" - ], - "properties": { - "envoyTcpAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider" - } - } - }, - { - "required": [ - "envoyOtelAls" - ], - "properties": { - "envoyOtelAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider" - } - } - }, - {} - ] - } - }, - { - "required": [ - "envoyExtAuthzHttp" - ], - "properties": { - "envoyExtAuthzHttp": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider" - } - } - }, - { - "required": [ - "envoyExtAuthzGrpc" - ], - "properties": { - "envoyExtAuthzGrpc": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider" - } - } - }, - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider", - "deprecated": true - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider" - } - } - }, - { - "required": [ - "opencensus" - ], - "properties": { - "opencensus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider" - } - } - }, - { - "required": [ - "skywalking" - ], - "properties": { - "skywalking": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider" - } - } - }, - { - "required": [ - "opentelemetry" - ], - "properties": { - "opentelemetry": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider" - } - } - }, - { - "required": [ - "prometheus" - ], - "properties": { - "prometheus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider" - } - } - }, - { - "required": [ - "envoyFileAccessLog" - ], - "properties": { - "envoyFileAccessLog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider" - } - } - }, - { - "required": [ - "envoyHttpAls" - ], - "properties": { - "envoyHttpAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider" - } - } - }, - { - "required": [ - "envoyTcpAls" - ], - "properties": { - "envoyTcpAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider" - } - } - }, - { - "required": [ - "envoyOtelAls" - ], - "properties": { - "envoyOtelAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider" - } - } - }, - { - "not": { - "anyOf": [ - {}, - { - "required": [ - "envoyExtAuthzHttp" - ], - "properties": { - "envoyExtAuthzHttp": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider" - } - } - }, - { - "required": [ - "envoyExtAuthzGrpc" - ], - "properties": { - "envoyExtAuthzGrpc": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider" - } - } - }, - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider", - "deprecated": true - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider" - } - } - }, - { - "required": [ - "opencensus" - ], - "properties": { - "opencensus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider" - } - } - }, - { - "required": [ - "skywalking" - ], - "properties": { - "skywalking": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider" - } - } - }, - { - "required": [ - "opentelemetry" - ], - "properties": { - "opentelemetry": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider" - } - } - }, - { - "required": [ - "prometheus" - ], - "properties": { - "prometheus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider" - } - } - }, - { - "required": [ - "envoyFileAccessLog" - ], - "properties": { - "envoyFileAccessLog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider" - } - } - }, - { - "required": [ - "envoyHttpAls" - ], - "properties": { - "envoyHttpAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider" - } - } - }, - { - "required": [ - "envoyTcpAls" - ], - "properties": { - "envoyTcpAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider" - } - } - }, - { - "required": [ - "envoyOtelAls" - ], - "properties": { - "envoyOtelAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider" - } - } - } - ] - } - } - ] - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider", - "deprecated": true - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.H2UpgradePolicy": { - "description": "Default Policy for upgrading http1.1 connections to http2.", - "type": "string", - "enum": [ - "DO_NOT_UPGRADE", - "UPGRADE" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.IngressControllerMode": { - "type": "string", - "enum": [ - "UNSPECIFIED", - "OFF", - "DEFAULT", - "STRICT" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy": { - "type": "object", - "properties": { - "mode": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy.Mode" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy.Mode": { - "type": "string", - "enum": [ - "REGISTRY_ONLY", - "ALLOW_ANY" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.ProxyPathNormalization": { - "type": "object", - "properties": { - "normalization": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ProxyPathNormalization.NormalizationType" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.ProxyPathNormalization.NormalizationType": { - "type": "string", - "enum": [ - "DEFAULT", - "NONE", - "BASE", - "MERGE_SLASHES", - "DECODE_AND_MERGE_SLASHES" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.ServiceSettings": { - "type": "object", - "properties": { - "hosts": { - "description": "The services to which the Settings should be applied. Services are selected using the hostname matching rules used by DestinationRule. For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local", - "type": "array", - "items": { - "type": "string" - } - }, - "settings": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ServiceSettings.Settings" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.ServiceSettings.Settings": { - "description": "Settings for the selected services.", - "type": "object", - "properties": { - "clusterLocal": { - "description": "If true, specifies that the client and service endpoints must reside in the same cluster. By default, in multi-cluster deployments, the Istio control plane assumes all service endpoints to be reachable from any client in any of the clusters which are part of the mesh. This configuration option limits the set of service endpoints visible to a client to be cluster scoped. There are some common scenarios when this can be useful: - A service (or group of services) is inherently local to the cluster and has local storage for that cluster. For example, the kube-system namespace (e.g. the Kube API Server). - A mesh administrator wants to slowly migrate services to Istio. They might start by first having services cluster-local and then slowly transition them to mesh-wide. They could do this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group (e.g. *.myns.svc.cluster.local). By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all services in the kube-system namespace to be cluster-local, unless explicitly overridden here.", - "type": "boolean" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.TLSConfig": { - "type": "object", - "properties": { - "minProtocolVersion": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.TLSConfig.TLSProtocol" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.TLSConfig.TLSProtocol": { - "description": "TLS protocol versions.", - "type": "string", - "enum": [ - "TLS_AUTO", - "TLSV1_2", - "TLSV1_3" - ] - }, - "istio.mesh.v1alpha1.PrivateKeyProvider": { - "description": "PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured mesh wide or individual per-workload basis.", - "type": "object", - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "cryptomb" - ], - "properties": { - "cryptomb": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb" - } - } - }, - { - "required": [ - "qat" - ], - "properties": { - "qat": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.QAT" - } - } - } - ] - } - }, - { - "required": [ - "cryptomb" - ], - "properties": { - "cryptomb": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb" - } - } - }, - { - "required": [ - "qat" - ], - "properties": { - "qat": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.QAT" - } - } - } - ] - }, - "istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb" - }, - "istio.mesh.v1alpha1.PrivateKeyProvider.QAT": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.QAT" - }, - "istio.mesh.v1alpha1.ProxyConfig": { - "description": "ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis as well as by the mesh-wide defaults. To set the mesh wide defaults, configure the `defaultConfig` section of `meshConfig`. For example: ``` meshConfig: defaultConfig: discoveryAddress: istiod:15012 ``` This can also be configured on a per-workload basis by configuring the `proxy.istio.io/config` annotation on the pod. For example: ``` annotations: proxy.istio.io/config: | discoveryAddress: istiod:15012 ``` If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. This is different than a deep merge provided by protobuf. For example, `\"tracing\": { \"sampling\": 5 }` would completely override a setting configuring a tracing provider such as `\"tracing\": { \"zipkin\": { \"address\": \"...\" } }`. Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.", - "type": "object", - "properties": { - "image": { - "$ref": "#/components/schemas/istio.networking.v1beta1.ProxyImage" - }, - "readinessProbe": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ReadinessProbe" - }, - "tracing": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing" - }, - "concurrency": { - "description": "The number of worker threads to run. If unset, this will be automatically determined based on CPU requests/limits. If set to 0, all cores on the machine will be used. Default is 2 worker threads.", - "type": "integer", - "nullable": true - }, - "configPath": { - "description": "Path to the generated configuration file directory. Proxy agent generates the actual configuration and stores it in this directory.", - "type": "string" - }, - "binaryPath": { - "description": "Path to the proxy binary", - "type": "string" - }, - "drainDuration": { - "description": "The time in seconds that Envoy will drain connections during a hot restart. MUST be \u003e=1s (e.g., _1s/1m/1h_) Default drain duration is `45s`.", - "type": "string" - }, - "discoveryAddress": { - "description": "Address of the discovery service exposing xDS with mTLS connection. The inject configuration may override this value.", - "type": "string" - }, - "discoveryRefreshDelay": { - "type": "string", - "deprecated": true - }, - "zipkinAddress": { - "description": "Address of the Zipkin service (e.g. _zipkin:9411_). DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead.", - "type": "string", - "deprecated": true - }, - "statsdUdpAddress": { - "description": "IP Address and Port of a statsd UDP listener (e.g. `10.75.241.127:9125`).", - "type": "string" - }, - "envoyMetricsServiceAddress": { - "type": "string", - "deprecated": true - }, - "proxyAdminPort": { - "description": "Port on which Envoy should listen for administrative commands. Default port is `15000`.", - "type": "integer", - "format": "int32" - }, - "availabilityZone": { - "type": "string", - "deprecated": true - }, - "controlPlaneAuthPolicy": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.AuthenticationPolicy" - }, - "customConfigFile": { - "description": "File path of custom proxy configuration, currently used by proxies in front of Mixer and Pilot.", - "type": "string" - }, - "statNameLength": { - "description": "Maximum length of name field in Envoy's metrics. The length of the name field is determined by the length of a name field in a service and the set of labels that comprise a particular version of the service. The default value is set to 189 characters. Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. Increase the value of this field if you find that the metrics from Envoys are truncated.", - "type": "integer", - "format": "int32" - }, - "proxyBootstrapTemplatePath": { - "description": "Path to the proxy bootstrap template file", - "type": "string" - }, - "interceptionMode": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig.InboundInterceptionMode" - }, - "sds": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.SDS", - "deprecated": true - }, - "envoyAccessLogService": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.RemoteService" - }, - "envoyMetricsService": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.RemoteService" - }, - "proxyMetadata": { - "description": "Additional environment variables for the proxy. Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "runtimeValues": { - "description": "Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping. This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "statusPort": { - "description": "Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port `15020`.", - "type": "integer", - "format": "int32" - }, - "extraStatTags": { - "description": "An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be added by configuring the telemetry extension. Each additional tag needs to be present in this list. Extra tags emitted by the telemetry extensions must be listed here so that they can be processed and exposed as Prometheus metrics.", - "type": "array", - "items": { - "type": "string" - } - }, - "gatewayTopology": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Topology" - }, - "terminationDrainDuration": { - "description": "The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied.", - "type": "string" - }, - "meshId": { - "description": "The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) All control planes running in the same service mesh should specify the same mesh ID. Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.", - "type": "string" - }, - "proxyStatsMatcher": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig.ProxyStatsMatcher" - }, - "holdApplicationUntilProxyStarts": { - "description": "Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. This feature adds hooks to delay application startup until the pod proxy is ready to accept traffic, mitigating some startup race conditions. Default value is 'false'.", - "type": "boolean", - "nullable": true - }, - "caCertificatesPem": { - "description": "The PEM data of the extra root certificates for workload-to-workload communication. This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) are added automatically by Istiod.", - "type": "array", - "items": { - "type": "string" - } - }, - "privateKeyProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "serviceCluster" - ], - "properties": { - "serviceCluster": { - "description": "Service cluster defines the name for the `service_cluster` that is shared by all Envoy instances. This setting corresponds to `--service-cluster` flag in Envoy. In a typical Envoy deployment, the `service-cluster` flag is used to identify the caller, for source-based routing scenarios. Since Istio does not assign a local `service/service` version to each Envoy instance, the name is same for all of them. However, the source/caller's identity (e.g., IP address) is encoded in the `--service-node` flag when launching Envoy. When the RDS service receives API calls from Envoy, it uses the value of the `service-node` flag to compute routes that are relative to the service instances located at that IP address.", - "type": "string" - } - } - }, - { - "required": [ - "tracingServiceName" - ], - "properties": { - "tracingServiceName": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig.TracingServiceName" - } - } - } - ] - } - }, - { - "required": [ - "serviceCluster" - ], - "properties": { - "serviceCluster": { - "description": "Service cluster defines the name for the `service_cluster` that is shared by all Envoy instances. This setting corresponds to `--service-cluster` flag in Envoy. In a typical Envoy deployment, the `service-cluster` flag is used to identify the caller, for source-based routing scenarios. Since Istio does not assign a local `service/service` version to each Envoy instance, the name is same for all of them. However, the source/caller's identity (e.g., IP address) is encoded in the `--service-node` flag when launching Envoy. When the RDS service receives API calls from Envoy, it uses the value of the `service-node` flag to compute routes that are relative to the service instances located at that IP address.", - "type": "string" - } - } - }, - { - "required": [ - "tracingServiceName" - ], - "properties": { - "tracingServiceName": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig.TracingServiceName" - } - } - } - ] - }, - "istio.mesh.v1alpha1.ProxyConfig.InboundInterceptionMode": { - "description": "The mode used to redirect inbound traffic to Envoy. This setting has no effect on outbound traffic: iptables `REDIRECT` is always used for outbound connections.", - "type": "string", - "enum": [ - "REDIRECT", - "TPROXY", - "NONE" - ] - }, - "istio.mesh.v1alpha1.ProxyConfig.ProxyStatsMatcher": { - "description": "Proxy stats name matchers for stats creation. Note this is in addition to the minimum Envoy stats that Istio generates by default.", - "type": "object", - "properties": { - "inclusionPrefixes": { - "description": "Proxy stats name prefix matcher for inclusion.", - "type": "array", - "items": { - "type": "string" - } - }, - "inclusionSuffixes": { - "description": "Proxy stats name suffix matcher for inclusion.", - "type": "array", - "items": { - "type": "string" - } - }, - "inclusionRegexps": { - "description": "Proxy stats name regexps matcher for inclusion.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.mesh.v1alpha1.ProxyConfig.TracingServiceName": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig.TracingServiceName" - }, - "istio.mesh.v1alpha1.RemoteService": { - "type": "object", - "properties": { - "address": { - "description": "Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name.", - "type": "string" - }, - "tcpKeepalive": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive" - }, - "tlsSettings": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings" - } - } - }, - "istio.mesh.v1alpha1.Resource": { - "description": "Resource describes the source of configuration", - "type": "string", - "enum": [ - "SERVICE_REGISTRY" - ] - }, - "istio.mesh.v1alpha1.SDS": { - "description": "SDS defines secret discovery service(SDS) configuration to be used by the proxy. For workload, its values are set in sidecar injector(passed as arguments to istio-proxy container). For pilot/mixer, it's passed as arguments to istio-proxy container in pilot/mixer deployment yaml files directly. $hide_from_docs", - "type": "object", - "properties": { - "enabled": { - "description": "True if SDS is enabled.", - "type": "boolean" - }, - "k8sSaJwtPath": { - "description": "Path of k8s service account JWT path.", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.Topology": { - "type": "object", - "properties": { - "numTrustedProxies": { - "type": "integer" - }, - "forwardClientCertDetails": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Topology.ForwardClientCertDetails" - } - } - }, - "istio.mesh.v1alpha1.Topology.ForwardClientCertDetails": { - "type": "string", - "enum": [ - "UNDEFINED", - "SANITIZE", - "FORWARD_ONLY", - "APPEND_FORWARD", - "SANITIZE_SET", - "ALWAYS_FORWARD_ONLY" - ] - }, - "istio.mesh.v1alpha1.Tracing": { - "description": "Tracing defines configuration for the tracing performed by Envoy instances.", - "type": "object", - "properties": { - "tlsSettings": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings" - }, - "customTags": { - "description": "Configures the custom tags to be added to active span by all proxies (i.e. sidecars and gateways). The key represents the name of the tag. Ex: ```yaml custom_tags: new_tag_name: header: name: custom-http-header-name default_value: defaulted-value-from-custom-header ``` $hide_from_docs", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.CustomTag" - } - }, - "maxPathTagLength": { - "description": "Configures the maximum length of the request path to extract and include in the HttpUrl tag. Used to truncate length request paths to meet the needs of tracing backend. If not set, then a length of 256 will be used. $hide_from_docs", - "type": "integer" - }, - "sampling": { - "description": "The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0.", - "type": "number", - "format": "double" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Zipkin" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Lightstep" - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Datadog" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Stackdriver" - } - } - }, - { - "required": [ - "openCensusAgent" - ], - "properties": { - "openCensusAgent": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.OpenCensusAgent" - } - } - } - ] - } - }, - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Zipkin" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Lightstep" - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Datadog" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Stackdriver" - } - } - }, - { - "required": [ - "openCensusAgent" - ], - "properties": { - "openCensusAgent": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.OpenCensusAgent" - } - } - } - ] - }, - "istio.mesh.v1alpha1.Tracing.CustomTag": { - "description": "Configure custom tags that will be added to any active span. Tags can be generated via literals, environment variables or an incoming request header. $hide_from_docs", - "type": "object", - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "literal" - ], - "properties": { - "literal": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Literal" - } - } - }, - { - "required": [ - "environment" - ], - "properties": { - "environment": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Environment" - } - } - }, - { - "required": [ - "header" - ], - "properties": { - "header": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.RequestHeader" - } - } - } - ] - } - }, - { - "required": [ - "literal" - ], - "properties": { - "literal": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Literal" - } - } - }, - { - "required": [ - "environment" - ], - "properties": { - "environment": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Environment" - } - } - }, - { - "required": [ - "header" - ], - "properties": { - "header": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.RequestHeader" - } - } - } - ] - }, - "istio.mesh.v1alpha1.Tracing.Datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Datadog" - }, - "istio.mesh.v1alpha1.Tracing.Environment": { - "description": "Environment is the proxy's environment variable to be used for populating the custom span tag. $hide_from_docs", - "type": "object", - "properties": { - "name": { - "description": "Name of the environment variable used to populate the tag's value", - "type": "string" - }, - "defaultValue": { - "description": "When the environment variable is not found, the tag's value will be populated with this default value if specified, otherwise the tag will not be populated.", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.Tracing.Lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Lightstep" - }, - "istio.mesh.v1alpha1.Tracing.Literal": { - "description": "Literal type represents a static value. $hide_from_docs", - "type": "object", - "properties": { - "value": { - "description": "Static literal value used to populate the tag value.", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.Tracing.OpenCensusAgent": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.OpenCensusAgent" - }, - "istio.mesh.v1alpha1.Tracing.RequestHeader": { - "description": "RequestHeader is the HTTP request header which will be used to populate the span tag. A default value can be configured if the header does not exist. $hide_from_docs", - "type": "object", - "properties": { - "name": { - "description": "HTTP header name used to obtain the value from to populate the tag value.", - "type": "string" - }, - "defaultValue": { - "description": "Default value to be used for the tag when the named HTTP header does not exist. The tag will be skipped if no default value is provided.", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.Tracing.Stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Stackdriver" - }, - "istio.mesh.v1alpha1.Tracing.Zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Zipkin" - }, - "istio.networking.v1alpha3.ClientTLSSettings": { - "description": "SSL/TLS related settings for upstream connections. See Envoy's [TLS context](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto.html#common-tls-configuration) for more details. These settings are common to both HTTP and TCP upstreams. For example, the following rule configures a client to use mutual TLS for connections to upstream database cluster. {{\u003ctabset category-name=\"example\"\u003e}} {{\u003ctab name=\"v1alpha3\" category-value=\"v1alpha3\"\u003e}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: db-mtls spec: host: mydbserver.prod.svc.cluster.local trafficPolicy: tls: mode: MUTUAL clientCertificate: /etc/certs/myclientcert.pem privateKey: /etc/certs/client_private_key.pem caCertificates: /etc/certs/rootcacerts.pem ``` {{\u003c/tab\u003e}} {{\u003ctab name=\"v1beta1\" category-value=\"v1beta1\"\u003e}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: db-mtls spec: host: mydbserver.prod.svc.cluster.local trafficPolicy: tls: mode: MUTUAL clientCertificate: /etc/certs/myclientcert.pem privateKey: /etc/certs/client_private_key.pem caCertificates: /etc/certs/rootcacerts.pem ``` {{\u003c/tab\u003e}} {{\u003c/tabset\u003e}} The following rule configures a client to use TLS when talking to a foreign service whose domain matches *.foo.com. {{\u003ctabset category-name=\"example\"\u003e}} {{\u003ctab name=\"v1alpha3\" category-value=\"v1alpha3\"\u003e}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: tls-foo spec: host: \"*.foo.com\" trafficPolicy: tls: mode: SIMPLE ``` {{\u003c/tab\u003e}} {{\u003ctab name=\"v1beta1\" category-value=\"v1beta1\"\u003e}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: tls-foo spec: host: \"*.foo.com\" trafficPolicy: tls: mode: SIMPLE ``` {{\u003c/tab\u003e}} {{\u003c/tabset\u003e}} The following rule configures a client to use Istio mutual TLS when talking to rating services. {{\u003ctabset category-name=\"example\"\u003e}} {{\u003ctab name=\"v1alpha3\" category-value=\"v1alpha3\"\u003e}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: ratings-istio-mtls spec: host: ratings.prod.svc.cluster.local trafficPolicy: tls: mode: ISTIO_MUTUAL ``` {{\u003c/tab\u003e}} {{\u003ctab name=\"v1beta1\" category-value=\"v1beta1\"\u003e}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: ratings-istio-mtls spec: host: ratings.prod.svc.cluster.local trafficPolicy: tls: mode: ISTIO_MUTUAL ``` {{\u003c/tab\u003e}} {{\u003c/tabset\u003e}}", - "type": "object", - "properties": { - "mode": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings.TLSmode" - }, - "clientCertificate": { - "description": "REQUIRED if mode is `MUTUAL`. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is `ISTIO_MUTUAL`.", - "type": "string" - }, - "privateKey": { - "description": "REQUIRED if mode is `MUTUAL`. The path to the file holding the client's private key. Should be empty if mode is `ISTIO_MUTUAL`.", - "type": "string" - }, - "caCertificates": { - "description": "OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will not verify the server's certificate. Should be empty if mode is `ISTIO_MUTUAL`.", - "type": "string" - }, - "credentialName": { - "description": "The name of the secret that holds the TLS certs for the client including the CA certificates. Secret must exist in the same namespace with the proxy using the certificates. The secret (of type `generic`)should contain the following keys and values: `key: \u003cprivateKey\u003e`, `cert: \u003cclientCert\u003e`, `cacert: \u003cCACertificate\u003e`. Here CACertificate is used to verify the server certificate. For mutual TLS, `cacert: \u003cCACertificate\u003e` can be provided in the same secret or a separate secret named `\u003csecret\u003e-cacert`. Secret of type tls for client certificates along with ca.crt key for CA certificates is also supported. Only one of client certificates and CA certificate or credentialName can be specified. **NOTE:** This field is applicable at sidecars only if `DestinationRule` has a `workloadSelector` specified. Otherwise the field will be applicable only at gateways, and sidecars will continue to use the certificate paths.", - "type": "string" - }, - "subjectAltNames": { - "description": "A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` and `ENABLE_AUTO_SNI` environmental variables are set to `true`.", - "type": "array", - "items": { - "type": "string" - } - }, - "sni": { - "description": "SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` environmental variable is set to `true`.", - "type": "string" - }, - "insecureSkipVerify": { - "description": "InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. This flag should only be set if global CA signature verifcation is enabled, `VerifyCertAtClient` environmental variable is set to `true`, but no verification is desired for a specific host. If enabled with or without `VerifyCertAtClient` enabled, verification of the CA signature and SAN will be skipped. `InsecureSkipVerify` is `false` by default. `VerifyCertAtClient` is `false` by default in Istio version 1.9 but will be `true` by default in a later version where, going forward, it will be enabled by default.", - "type": "boolean", - "nullable": true - } - } - }, - "istio.networking.v1alpha3.ClientTLSSettings.TLSmode": { - "description": "TLS connection mode", - "type": "string", - "enum": [ - "DISABLE", - "SIMPLE", - "MUTUAL", - "ISTIO_MUTUAL" - ] - }, - "istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive": { - "description": "TCP keepalive.", - "type": "object", - "properties": { - "time": { - "description": "The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)", - "type": "string" - }, - "probes": { - "description": "Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)", - "type": "integer" - }, - "interval": { - "description": "The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)", - "type": "string" - } - } - }, - "istio.networking.v1alpha3.ExecHealthCheckConfig": { - "type": "object", - "properties": { - "command": { - "description": "Command to run. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.networking.v1alpha3.HTTPHeader": { - "type": "object", - "properties": { - "name": { - "description": "The header field name", - "type": "string" - }, - "value": { - "description": "The header field value", - "type": "string" - } - } - }, - "istio.networking.v1alpha3.HTTPHealthCheckConfig": { - "type": "object", - "properties": { - "path": { - "description": "Path to access on the HTTP server.", - "type": "string" - }, - "port": { - "description": "Port on which the endpoint lives.", - "type": "integer" - }, - "host": { - "description": "Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.", - "type": "string" - }, - "scheme": { - "description": "HTTP or HTTPS, defaults to HTTP", - "type": "string" - }, - "httpHeaders": { - "description": "Headers the proxy will pass on to make the request. Allows repeated headers.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.HTTPHeader" - } - } - } - }, - "istio.networking.v1alpha3.HTTPRetry": { - "description": "Describes the retry policy to use when a HTTP request fails. For example, the following rule sets the maximum number of retries to 3 when calling ratings:v1 service, with a 2s timeout per retry attempt. A retry will be attempted if there is a connect-failure, refused_stream or when the upstream server responds with Service Unavailable(503). {{\u003ctabset category-name=\"example\"\u003e}} {{\u003ctab name=\"v1alpha3\" category-value=\"v1alpha3\"\u003e}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: ratings-route spec: hosts: - ratings.prod.svc.cluster.local http: - route: - destination: host: ratings.prod.svc.cluster.local subset: v1 retries: attempts: 3 perTryTimeout: 2s retryOn: connect-failure,refused-stream,503 ``` {{\u003c/tab\u003e}} {{\u003ctab name=\"v1beta1\" category-value=\"v1beta1\"\u003e}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: ratings-route spec: hosts: - ratings.prod.svc.cluster.local http: - route: - destination: host: ratings.prod.svc.cluster.local subset: v1 retries: attempts: 3 perTryTimeout: 2s retryOn: gateway-error,connect-failure,refused-stream ``` {{\u003c/tab\u003e}} {{\u003c/tabset\u003e}}", - "type": "object", - "properties": { - "attempts": { - "description": "Number of retries to be allowed for a given request. The interval between retries will be determined automatically (25ms+). When request `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute) or `per_try_timeout` is configured, the actual number of retries attempted also depends on the specified request `timeout` and `per_try_timeout` values.", - "type": "integer", - "format": "int32" - }, - "perTryTimeout": { - "description": "Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE \u003e=1ms. Default is same value as request `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute), which means no timeout.", - "type": "string" - }, - "retryOn": { - "description": "Specifies the conditions under which retry takes place. One or more policies can be specified using a ‘,’ delimited list. If `retry_on` specifies a valid HTTP status, it will be added to retriable_status_codes retry policy. See the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on) and [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on) for more details.", - "type": "string" - }, - "retryRemoteLocalities": { - "description": "Flag to specify whether the retries should retry to other localities. See the [retry plugin configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration) for more details.", - "type": "boolean", - "nullable": true - } - } - }, - "istio.networking.v1alpha3.LocalityLoadBalancerSetting": { - "description": "Locality-weighted load balancing allows administrators to control the distribution of traffic to endpoints based on the localities of where the traffic originates and where it will terminate. These localities are specified using arbitrary labels that designate a hierarchy of localities in {region}/{zone}/{sub-zone} form. For additional detail refer to [Locality Weight](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) The following example shows how to setup locality weights mesh-wide. Given a mesh with workloads and their service deployed to \"us-west/zone1/*\" and \"us-west/zone2/*\". This example specifies that when traffic accessing a service originates from workloads in \"us-west/zone1/*\", 80% of the traffic will be sent to endpoints in \"us-west/zone1/*\", i.e the same zone, and the remaining 20% will go to endpoints in \"us-west/zone2/*\". This setup is intended to favor routing traffic to endpoints in the same locality. A similar setting is specified for traffic originating in \"us-west/zone2/*\". ```yaml distribute: - from: us-west/zone1/* to: \"us-west/zone1/*\": 80 \"us-west/zone2/*\": 20 - from: us-west/zone2/* to: \"us-west/zone1/*\": 20 \"us-west/zone2/*\": 80 ``` If the goal of the operator is not to distribute load across zones and regions but rather to restrict the regionality of failover to meet other operational requirements an operator can set a 'failover' policy instead of a 'distribute' policy. The following example sets up a locality failover policy for regions. Assume a service resides in zones within us-east, us-west \u0026 eu-west this example specifies that when endpoints within us-east become unhealthy traffic should failover to endpoints in any zone or sub-zone within eu-west and similarly us-west should failover to us-east. ```yaml failover: - from: us-east to: eu-west - from: us-west to: us-east ``` Locality load balancing settings.", - "type": "object", - "properties": { - "distribute": { - "description": "Optional: only one of distribute, failover or failoverPriority can be set. Explicitly specify loadbalancing weight across different zones and geographical locations. Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) If empty, the locality weight is set according to the endpoints number within it.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute" - } - }, - "failover": { - "description": "Optional: only one of distribute, failover or failoverPriority can be set. Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.LocalityLoadBalancerSetting.Failover" - } - }, - "failoverPriority": { - "description": "failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. This is to support traffic failover across different groups of endpoints. Suppose there are total N labels specified: 1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority. 2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority. 3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority. 4. All the other endpoints have priority P(N) i.e. lowest priority. Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match. It can be any label specified on both client and server workloads. The following labels which have special semantic meaning are also supported: - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks. - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`. - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`. - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`. - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`. The below topology config indicates the following priority levels: ```yaml failoverPriority: - \"topology.istio.io/network\" - \"topology.kubernetes.io/region\" - \"topology.kubernetes.io/zone\" - \"topology.istio.io/subzone\" ``` 1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority. 2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority. 3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority. 4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority. 5. all the other endpoints have the same lowest priority. Optional: only one of distribute, failover or failoverPriority can be set. And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect.", - "type": "array", - "items": { - "type": "string" - } - }, - "enabled": { - "description": "enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.", - "type": "boolean", - "nullable": true - } - } - }, - "istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute": { - "description": "Describes how traffic originating in the 'from' zone or sub-zone is distributed over a set of 'to' zones. Syntax for specifying a zone is {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any segment of the specification. Examples: `*` - matches all localities `us-west/*` - all zones and sub-zones within the us-west region `us-west/zone-1/*` - all sub-zones within us-west/zone-1", - "type": "object", - "properties": { - "from": { - "description": "Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.", - "type": "string" - }, - "to": { - "description": "Map of upstream localities to traffic distribution weights. The sum of all weights should be 100. Any locality not present will receive no traffic.", - "type": "object", - "additionalProperties": { - "type": "integer" - } - } - } - }, - "istio.networking.v1alpha3.LocalityLoadBalancerSetting.Failover": { - "description": "Specify the traffic failover policy across regions. Since zone and sub-zone failover is supported by default this only needs to be specified for regions when the operator needs to constrain traffic failover so that the default behavior of failing over to any endpoint globally does not apply. This is useful when failing over traffic across regions would not improve service health or may need to be restricted for other reasons like regulatory controls.", - "type": "object", - "properties": { - "from": { - "description": "Originating region.", - "type": "string" - }, - "to": { - "description": "Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.", - "type": "string" - } - } - }, - "istio.networking.v1alpha3.ReadinessProbe": { - "type": "object", - "properties": { - "timeoutSeconds": { - "description": "Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 second.", - "type": "integer", - "format": "int32" - }, - "initialDelaySeconds": { - "description": "Number of seconds after the container has started before readiness probes are initiated.", - "type": "integer", - "format": "int32" - }, - "periodSeconds": { - "description": "How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1 second.", - "type": "integer", - "format": "int32" - }, - "successThreshold": { - "description": "Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1 second.", - "type": "integer", - "format": "int32" - }, - "failureThreshold": { - "description": "Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3 seconds.", - "type": "integer", - "format": "int32" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "httpGet" - ], - "properties": { - "httpGet": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.HTTPHealthCheckConfig" - } - } - }, - { - "required": [ - "tcpSocket" - ], - "properties": { - "tcpSocket": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.TCPHealthCheckConfig" - } - } - }, - { - "required": [ - "exec" - ], - "properties": { - "exec": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ExecHealthCheckConfig" - } - } - } - ] - } - }, - { - "required": [ - "httpGet" - ], - "properties": { - "httpGet": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.HTTPHealthCheckConfig" - } - } - }, - { - "required": [ - "tcpSocket" - ], - "properties": { - "tcpSocket": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.TCPHealthCheckConfig" - } - } - }, - { - "required": [ - "exec" - ], - "properties": { - "exec": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ExecHealthCheckConfig" - } - } - } - ] - }, - "istio.networking.v1alpha3.TCPHealthCheckConfig": { - "type": "object", - "properties": { - "port": { - "description": "Port of host", - "type": "integer" - }, - "host": { - "description": "Host to connect to, defaults to localhost", - "type": "string" - } - } - }, - "istio.networking.v1beta1.ProxyImage": { - "description": "The following values are used to construct proxy image url. format: `${hub}/${image_name}/${tag}-${image_type}`, example: `docker.io/istio/proxyv2:1.11.1` or `docker.io/istio/proxyv2:1.11.1-distroless`. This information was previously part of the Values API.", - "type": "object", - "properties": { - "imageType": { - "description": "The image type of the image. Istio publishes default, debug, and distroless images. Other values are allowed if those image types (example: centos) are published to the specified hub. supported values: default, debug, distroless.", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.BaseKubernetesContainerConfiguration": { - "type": "object", - "properties": { - "env": { - "description": "If present will be appended to the environment variables of the container", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EnvVar" - } - }, - "resources": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ResourceRequirements" - }, - "image": { - "description": "Standard Kubernetes container image configuration", - "type": "string" - }, - "volumeMounts": { - "description": "Pod volumes to mount into the container's filesystem. Cannot be updated.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeMount" - } - }, - "securityContext": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecurityContext" - } - } - }, - "istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig": { - "type": "object", - "properties": { - "env": { - "description": "If present will be appended to the environment variables of the container", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EnvVar" - } - }, - "resources": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ResourceRequirements" - }, - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "image": { - "description": "Standard Kubernetes container image configuration", - "type": "string" - }, - "volumeMounts": { - "description": "Pod volumes to mount into the container's filesystem. Cannot be updated.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeMount" - } - }, - "livenessProbe": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Probe" - }, - "readinessProbe": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Probe" - }, - "imagePullPolicy": { - "description": "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.", - "type": "string" - }, - "securityContext": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecurityContext" - }, - "volumes": { - "description": "List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Volume" - } - }, - "nodeSelector": { - "description": "Standard Kubernetes node selector configuration", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "imagePullSecrets": { - "description": "ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - }, - "affinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Affinity" - }, - "tolerations": { - "description": "If specified, the pod's tolerations.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Toleration" - } - }, - "priorityClassName": { - "description": "If specified, indicates the pod's priority. \"system-node-critical\" and \"system-cluster-critical\" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.", - "type": "string" - }, - "topologySpreadConstraints": { - "description": "Used to control how Pods are spread across a cluster among failure-domains. This can help to achieve high availability as well as efficient resource utilization. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.TopologySpreadConstraint" - } - }, - "replicas": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Replicas" - }, - "podMetadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "podDisruptionBudget": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.PodDisruptionBudget" - }, - "deploymentStrategy": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.DeploymentStrategy" - }, - "podSecurityContext": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodSecurityContext" - } - } - }, - "istio_operator.v2.api.v1alpha1.CNIConfiguration": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - }, - "logLevel": { - "type": "string" - }, - "chained": { - "type": "boolean", - "nullable": true - }, - "binDir": { - "type": "string" - }, - "confDir": { - "type": "string" - }, - "excludeNamespaces": { - "type": "array", - "items": { - "type": "string" - } - }, - "includeNamespaces": { - "type": "array", - "items": { - "type": "string" - } - }, - "confFileName": { - "type": "string" - }, - "pspClusterRoleName": { - "type": "string" - }, - "repair": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.CNIConfiguration.RepairConfiguration" - }, - "taint": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.CNIConfiguration.TaintConfiguration" - }, - "resourceQuotas": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.CNIConfiguration.ResourceQuotas" - }, - "daemonset": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig" - } - } - }, - "istio_operator.v2.api.v1alpha1.CNIConfiguration.RepairConfiguration": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - }, - "labelPods": { - "type": "boolean", - "nullable": true - }, - "deletePods": { - "type": "boolean", - "nullable": true - }, - "initContainerName": { - "type": "string" - }, - "brokenPodLabelKey": { - "type": "string" - }, - "brokenPodLabelValue": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.CNIConfiguration.ResourceQuotas": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - }, - "pods": { - "type": "string" - }, - "priorityClasses": { - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.CNIConfiguration.TaintConfiguration": { - "type": "object", - "properties": { - "container": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.BaseKubernetesContainerConfiguration" - }, - "enabled": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.ConfigState": { - "type": "string", - "enum": [ - "Unspecified", - "Created", - "ReconcileFailed", - "Reconciling", - "Available", - "Unmanaged" - ] - }, - "istio_operator.v2.api.v1alpha1.ContainerImageConfiguration": { - "type": "object", - "properties": { - "imagePullPolicy": { - "description": "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.", - "type": "string" - }, - "imagePullSecrets": { - "description": "ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - }, - "hub": { - "description": "Default hub for container images.", - "type": "string" - }, - "tag": { - "description": "Default tag for container images.", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.CustomSidecarInjectionTemplates": { - "type": "object", - "properties": { - "name": { - "type": "string" - }, - "template": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.DeploymentStrategy": { - "type": "object", - "properties": { - "type": { - "description": "Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate.", - "type": "string" - }, - "rollingUpdate": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.DeploymentStrategy.RollingUpdateDeployment" - } - } - }, - "istio_operator.v2.api.v1alpha1.DeploymentStrategy.RollingUpdateDeployment": { - "type": "object", - "properties": { - "maxUnavailable": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "maxSurge": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - } - } - }, - "istio_operator.v2.api.v1alpha1.ExternalIstiodConfiguration": { - "description": "ExternalIstiodConfiguration defines settings for local istiod to control remote clusters as well", - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.HTTPGetAction": { - "description": "HTTPGetAction describes an action based on HTTP Get requests.", - "type": "object", - "properties": { - "path": { - "description": "Path to access on the HTTP server.", - "type": "string" - }, - "port": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "host": { - "description": "Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.", - "type": "string" - }, - "scheme": { - "description": "Scheme to use for connecting to the host. Defaults to HTTP.", - "type": "string" - }, - "httpHeaders": { - "description": "Custom headers to set in the request. HTTP allows repeated headers.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.HTTPHeader" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.HTTPProxyEnvsConfiguration": { - "type": "object", - "properties": { - "httpProxy": { - "type": "string" - }, - "httpsProxy": { - "type": "string" - }, - "noProxy": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.IntOrString": { - "description": "IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number. GOTYPE: *IntOrString", - "oneOf": [ - { - "type": "string" - }, - { - "type": "integer" - } - ] - }, - "istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec": { - "description": "IstioControlPlane defines an Istio control plane", - "type": "object", - "properties": { - "version": { - "description": "Contains the intended version for the Istio control plane.", - "type": "string" - }, - "mode": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ModeType" - }, - "logging": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.LoggingConfiguration" - }, - "sds": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.SDSConfiguration" - }, - "mountMtlsCerts": { - "description": "Use the user-specified, secret volume mounted key and certs for Pilot and workloads.", - "type": "boolean", - "nullable": true - }, - "istiod": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IstiodConfiguration" - }, - "proxy": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ProxyConfiguration" - }, - "proxyInit": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ProxyInitConfiguration" - }, - "telemetryV2": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.TelemetryV2Configuration" - }, - "proxyWasm": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ProxyWasmConfiguration" - }, - "watchOneNamespace": { - "description": "Whether to restrict the applications namespace the controller manages. If not set, controller watches all namespaces", - "type": "boolean", - "nullable": true - }, - "jwtPolicy": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.JWTPolicyType" - }, - "caAddress": { - "description": "The customized CA address to retrieve certificates for the pods in the cluster. CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.", - "type": "string" - }, - "caProvider": { - "description": "The name of the CA for workload certificates.", - "type": "string" - }, - "distribution": { - "description": "Contains the intended distribution for the Istio control plane. The official distribution is used by default unless special preserved distribution value is set. The only preserved distribution is \"cisco\" as of now.", - "type": "string" - }, - "httpProxyEnvs": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.HTTPProxyEnvsConfiguration" - }, - "meshConfig": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig" - }, - "k8sResourceOverlays": { - "description": "K8s resource overlay patches", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch" - } - }, - "meshID": { - "description": "Name of the Mesh to which this control plane belongs.", - "type": "string" - }, - "containerImageConfiguration": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ContainerImageConfiguration" - }, - "meshExpansion": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration" - }, - "clusterID": { - "description": "Cluster ID", - "type": "string" - }, - "networkName": { - "description": "Network defines the network this cluster belongs to. This name corresponds to the networks in the map of mesh networks.", - "type": "string" - }, - "sidecarInjector": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.SidecarInjectorConfiguration" - }, - "tracer": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing" - } - } - }, - "istio_operator.v2.api.v1alpha1.IstioControlPlaneStatus": { - "type": "object", - "properties": { - "status": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ConfigState" - }, - "meshConfig": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig" - }, - "clusterID": { - "description": "Cluster ID", - "type": "string" - }, - "istioControlPlaneName": { - "description": "Name of the IstioControlPlane resource It is used on remote clusters in the PeerIstioControlPlane resource status to identify the original Istio control plane", - "type": "string" - }, - "gatewayAddress": { - "description": "Current addresses for the corresponding gateways", - "type": "array", - "items": { - "type": "string" - } - }, - "istiodAddresses": { - "description": "Current addresses for the corresponding istiod pods", - "type": "array", - "items": { - "type": "string" - } - }, - "injectionNamespaces": { - "description": "Namespaces which are set for injection for this control plane", - "type": "array", - "items": { - "type": "string" - } - }, - "caRootCertificate": { - "description": "Istio CA root certificate", - "type": "string" - }, - "errorMessage": { - "description": "Reconciliation error message if any", - "type": "string" - }, - "checksums": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.StatusChecksums" - } - } - }, - "istio_operator.v2.api.v1alpha1.IstiodConfiguration": { - "description": "IstiodConfiguration defines config options for Istiod", - "type": "object", - "properties": { - "deployment": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig" - }, - "enableAnalysis": { - "description": "If enabled, pilot will run Istio analyzers and write analysis errors to the Status field of any Istio Resources", - "type": "boolean", - "nullable": true - }, - "enableStatus": { - "description": "If enabled, pilot will update the CRD Status field of all Istio resources with reconciliation status", - "type": "boolean", - "nullable": true - }, - "externalIstiod": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ExternalIstiodConfiguration" - }, - "traceSampling": { - "type": "number", - "nullable": true - }, - "enableProtocolSniffingOutbound": { - "description": "If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported", - "type": "boolean", - "nullable": true - }, - "enableProtocolSniffingInbound": { - "description": "If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported", - "type": "boolean", - "nullable": true - }, - "certProvider": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.PilotCertProviderType" - }, - "spiffe": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.SPIFFEConfiguration" - } - } - }, - "istio_operator.v2.api.v1alpha1.JWTPolicyType": { - "type": "string", - "enum": [ - "JWTPolicyType_UNSPECIFIED", - "THIRD_PARTY_JWT", - "FIRST_PARTY_JWT" - ] - }, - "istio_operator.v2.api.v1alpha1.K8sObjectMeta": { - "description": "Generic k8s resource metadata", - "type": "object", - "properties": { - "labels": { - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "annotations": { - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch": { - "type": "object", - "properties": { - "groupVersionKind": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.GroupVersionKind" - }, - "objectKey": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.NamespacedName" - }, - "patches": { - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Patch" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.GroupVersionKind": { - "type": "object", - "properties": { - "kind": { - "type": "string" - }, - "group": { - "type": "string" - }, - "version": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Patch": { - "type": "object", - "properties": { - "path": { - "type": "string" - }, - "type": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Type" - }, - "value": { - "type": "string" - }, - "parseValue": { - "type": "boolean" - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Type": { - "type": "string", - "enum": [ - "unspecified", - "replace", - "remove" - ] - }, - "istio_operator.v2.api.v1alpha1.LoggingConfiguration": { - "description": "Comma-separated minimum per-scope logging level of messages to output, in the form of \u003cscope\u003e:\u003clevel\u003e,\u003cscope\u003e:\u003clevel\u003e The control plane has different scopes depending on component, but can configure default log level across all components If empty, default scope and level will be used as configured in code", - "type": "object", - "properties": { - "level": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration": { - "type": "object", - "properties": { - "gateway": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.IstioMeshGatewayConfiguration" - }, - "enabled": { - "type": "boolean", - "nullable": true - }, - "istiod": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Istiod" - }, - "webhook": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Webhook" - }, - "clusterServices": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.ClusterServices" - } - } - }, - "istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.ClusterServices": { - "type": "object", - "properties": { - "expose": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.IstioMeshGatewayConfiguration": { - "type": "object", - "properties": { - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "service": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.UnprotectedService" - }, - "k8sResourceOverlays": { - "description": "K8s resource overlay patches", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch" - } - }, - "deployment": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig" - }, - "runAsRoot": { - "description": "Whether to run the gateway in a privileged container", - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Istiod": { - "type": "object", - "properties": { - "expose": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Webhook": { - "type": "object", - "properties": { - "expose": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.ModeType": { - "type": "string", - "enum": [ - "ModeType_UNSPECIFIED", - "ACTIVE", - "PASSIVE" - ] - }, - "istio_operator.v2.api.v1alpha1.NamespacedName": { - "type": "object", - "properties": { - "name": { - "description": "Name of the referenced Kubernetes resource", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced Kubernetes resource", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.OperatorEndpointsConfiguration": { - "description": "OperatorEndpointsConfiguration defines config options for automatic SPIFFE endpoints", - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.PDBConfiguration": { - "description": "PDBConfiguration holds Pod Disruption Budget related config options", - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.PilotCertProviderType": { - "type": "string", - "enum": [ - "PilotCertProviderType_UNSPECIFIED", - "KUBERNETES", - "ISTIOD" - ] - }, - "istio_operator.v2.api.v1alpha1.PodDisruptionBudget": { - "description": "PodDisruptionBudget is a description of a PodDisruptionBudget", - "type": "object", - "properties": { - "maxUnavailable": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "minAvailable": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - } - } - }, - "istio_operator.v2.api.v1alpha1.Probe": { - "description": "Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.", - "type": "object", - "properties": { - "timeoutSeconds": { - "description": "Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes", - "type": "integer", - "format": "int32" - }, - "terminationGracePeriodSeconds": { - "description": "Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.", - "type": "integer", - "format": "int64" - }, - "initialDelaySeconds": { - "description": "Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes", - "type": "integer", - "format": "int32" - }, - "periodSeconds": { - "description": "How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.", - "type": "integer", - "format": "int32" - }, - "successThreshold": { - "description": "Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.", - "type": "integer", - "format": "int32" - }, - "failureThreshold": { - "description": "Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.", - "type": "integer", - "format": "int32" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "exec" - ], - "properties": { - "exec": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ExecAction" - } - } - }, - { - "required": [ - "httpGet" - ], - "properties": { - "httpGet": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.HTTPGetAction" - } - } - }, - { - "required": [ - "tcpSocket" - ], - "properties": { - "tcpSocket": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.TCPSocketAction" - } - } - }, - { - "required": [ - "grpc" - ], - "properties": { - "grpc": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GRPCAction" - } - } - } - ] - } - }, - { - "required": [ - "exec" - ], - "properties": { - "exec": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ExecAction" - } - } - }, - { - "required": [ - "httpGet" - ], - "properties": { - "httpGet": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.HTTPGetAction" - } - } - }, - { - "required": [ - "tcpSocket" - ], - "properties": { - "tcpSocket": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.TCPSocketAction" - } - } - }, - { - "required": [ - "grpc" - ], - "properties": { - "grpc": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GRPCAction" - } - } - } - ] - }, - "istio_operator.v2.api.v1alpha1.ProxyConfiguration": { - "description": "ProxyConfiguration defines config options for Proxy", - "type": "object", - "properties": { - "resources": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ResourceRequirements" - }, - "image": { - "type": "string" - }, - "lifecycle": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Lifecycle" - }, - "privileged": { - "description": "If set to true, istio-proxy container will have privileged securityContext", - "type": "boolean", - "nullable": true - }, - "holdApplicationUntilProxyStarts": { - "description": "Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready Default value is 'false'.", - "type": "boolean", - "nullable": true - }, - "tracer": { - "description": "Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver", - "type": "string" - }, - "enableCoreDump": { - "description": "If set, newly injected sidecars will have core dumps enabled.", - "type": "boolean", - "nullable": true - }, - "logLevel": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ProxyLogLevel" - }, - "componentLogLevel": { - "description": "Per Component log level for proxy, applies to gateways and sidecars. If a component level is not set, then the \"LogLevel\" will be used. If left empty, \"misc:error\" is used.", - "type": "string" - }, - "clusterDomain": { - "description": "cluster domain. Default value is \"cluster.local\"", - "type": "string" - }, - "includeIPRanges": { - "description": "IncludeIPRanges the range where to capture egress traffic", - "type": "string" - }, - "excludeIPRanges": { - "description": "ExcludeIPRanges the range where not to capture egress traffic", - "type": "string" - }, - "excludeInboundPorts": { - "description": "ExcludeInboundPorts the comma separated list of inbound ports to be excluded from redirection to Envoy", - "type": "string" - }, - "excludeOutboundPorts": { - "description": "ExcludeOutboundPorts the comma separated list of outbound ports to be excluded from redirection to Envoy", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.ProxyInitConfiguration": { - "description": "ProxyInitConfiguration defines config options for Proxy Init containers", - "type": "object", - "properties": { - "resources": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ResourceRequirements" - }, - "image": { - "type": "string" - }, - "cni": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.CNIConfiguration" - } - } - }, - "istio_operator.v2.api.v1alpha1.ProxyLogLevel": { - "type": "string", - "enum": [ - "ProxyLogLevel_UNSPECIFIED", - "TRACE", - "DEBUG", - "INFO", - "WARNING", - "ERROR", - "CRITICAL", - "OFF" - ] - }, - "istio_operator.v2.api.v1alpha1.ProxyWasmConfiguration": { - "description": "ProxyWasmConfiguration defines config options for Envoy wasm", - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.Quantity": { - "description": "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and Int64() accessors. GOTYPE: *Quantity", - "oneOf": [ - { - "type": "string" - }, - { - "type": "integer" - } - ], - "pattern": "^(\\\\+|-)?(([0-9]+(\\\\.[0-9]*)?)|(\\\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\\\+|-)?(([0-9]+(\\\\.[0-9]*)?)|(\\\\.[0-9]+))))?$" - }, - "istio_operator.v2.api.v1alpha1.Replicas": { - "description": "Replicas contains pod replica configuration", - "type": "object", - "properties": { - "count": { - "description": "Standard Kubernetes replica count configuration", - "type": "integer", - "nullable": true - }, - "max": { - "description": "max is the upper limit for the number of replicas to which the autoscaler can scale up. min and max both need to be set the turn on autoscaling. It cannot be less than min.", - "type": "integer", - "nullable": true - }, - "min": { - "description": "min is the lower limit for the number of replicas to which the autoscaler can scale down. min and max both need to be set the turn on autoscaling.", - "type": "integer", - "nullable": true - }, - "targetCPUUtilizationPercentage": { - "description": "target average CPU utilization (represented as a percentage of requested CPU) over all the pods; default 80% will be used if not specified.", - "type": "integer", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.ResourceRequirements": { - "description": "ResourceRequirements describes the compute resource requirements.", - "type": "object", - "properties": { - "limits": { - "description": "Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Quantity" - } - }, - "requests": { - "description": "Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Quantity" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.SDSConfiguration": { - "description": "SDSConfiguration defines Secret Discovery Service config options", - "type": "object", - "properties": { - "tokenAudience": { - "description": "The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the JWT is intended for the CA.", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.SPIFFEConfiguration": { - "description": "SPIFFEConfiguration is for SPIFFE configuration of Pilot", - "type": "object", - "properties": { - "operatorEndpoints": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.OperatorEndpointsConfiguration" - } - } - }, - "istio_operator.v2.api.v1alpha1.Service": { - "description": "Service describes the attributes that a user creates on a service.", - "type": "object", - "properties": { - "type": { - "description": "type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. \"ExternalName\" maps to the specified externalName. \"ClusterIP\" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object. If clusterIP is \"None\", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a stable IP. \"NodePort\" builds on ClusterIP and allocates a port on every node which routes to the clusterIP. \"LoadBalancer\" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types", - "type": "string" - }, - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "ports": { - "description": "The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ServicePort" - } - }, - "selector": { - "description": "Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "clusterIP": { - "description": "clusterIP is the IP address of the service and is usually assigned randomly by the master. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise, creation of the service will fail. This field can not be changed through updates. Valid values are \"None\", empty string (\"\"), or a valid IP address. \"None\" can be specified for headless services when proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "string" - }, - "externalIPs": { - "description": "externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system.", - "type": "array", - "items": { - "type": "string" - } - }, - "sessionAffinity": { - "description": "Supports \"ClientIP\" and \"None\". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "string" - }, - "loadBalancerIP": { - "description": "Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.", - "type": "string" - }, - "loadBalancerSourceRanges": { - "description": "If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature.\" More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/", - "type": "array", - "items": { - "type": "string" - } - }, - "externalName": { - "description": "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) and requires Type to be ExternalName.", - "type": "string" - }, - "externalTrafficPolicy": { - "description": "externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. \"Local\" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. \"Cluster\" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading.", - "type": "string" - }, - "healthCheckNodePort": { - "description": "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local.", - "type": "integer", - "format": "int32" - }, - "publishNotReadyAddresses": { - "description": "publishNotReadyAddresses, when set to true, indicates that DNS implementations must publish the notReadyAddresses of subsets for the Endpoints associated with the Service. The default value is false. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate SRV records for its Pods without respect to their readiness for purpose of peer discovery.", - "type": "boolean", - "nullable": true - }, - "sessionAffinityConfig": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SessionAffinityConfig" - }, - "ipFamily": { - "description": "ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is available in the cluster. If no IP family is requested, the cluster's primary IP family will be used. Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which allocate external load-balancers should use the same IP family. Endpoints for this Service will be of this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment.", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.ServicePort": { - "description": "ServicePort contains information on service's port.", - "type": "object", - "properties": { - "name": { - "description": "The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. if only one ServicePort is defined on this service.", - "type": "string" - }, - "protocol": { - "description": "The IP protocol for this port. Supports \"TCP\", \"UDP\", and \"SCTP\". Default is TCP.", - "type": "string" - }, - "port": { - "description": "The port that will be exposed by this service.", - "type": "integer", - "format": "int32" - }, - "targetPort": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "nodePort": { - "description": "The port on each node on which this service is exposed when type=NodePort or LoadBalancer. Usually assigned by the system. If specified, it will be allocated to the service if unused or else creation of the service will fail. Default is to auto-allocate a port if the ServiceType of this Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport", - "type": "integer", - "format": "int32" - } - } - }, - "istio_operator.v2.api.v1alpha1.SidecarInjectionTemplates": { - "type": "object", - "properties": { - "gateway": { - "description": "Overrides for the default \"gateway\" injection template. This template will be merged with the default \"gateway\" template, overwriting values, if existing.", - "type": "string" - }, - "sidecar": { - "description": "Overrides for the default \"sidecar\" injection template. This template will be merged with the default \"sidecar\" template, overwriting values, if existing.", - "type": "string" - }, - "customTemplates": { - "description": "Custom templates can be defined for sidecar injection. These templates can be applied by annotating pods with \"inject.istio.io/templates=\u003cname of custom template\u003e\". See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.CustomSidecarInjectionTemplates" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.SidecarInjectorConfiguration": { - "type": "object", - "properties": { - "service": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Service" - }, - "deployment": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig" - }, - "templates": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.SidecarInjectionTemplates" - } - } - }, - "istio_operator.v2.api.v1alpha1.StatusChecksums": { - "type": "object", - "properties": { - "meshConfig": { - "type": "string" - }, - "sidecarInjector": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.TCPSocketAction": { - "description": "TCPSocketAction describes an action based on opening a socket", - "type": "object", - "properties": { - "port": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "host": { - "description": "Optional: Host name to connect to, defaults to the pod IP.", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.TelemetryV2Configuration": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.UnprotectedService": { - "description": "Service describes the attributes that a user creates on a service.", - "type": "object", - "properties": { - "type": { - "description": "type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. \"ExternalName\" maps to the specified externalName. \"ClusterIP\" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object. If clusterIP is \"None\", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a stable IP. \"NodePort\" builds on ClusterIP and allocates a port on every node which routes to the clusterIP. \"LoadBalancer\" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types", - "type": "string" - }, - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "ports": { - "description": "The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ServicePort" - } - }, - "selector": { - "description": "Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "clusterIP": { - "description": "clusterIP is the IP address of the service and is usually assigned randomly by the master. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise, creation of the service will fail. This field can not be changed through updates. Valid values are \"None\", empty string (\"\"), or a valid IP address. \"None\" can be specified for headless services when proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "string" - }, - "externalIPs": { - "description": "externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system.", - "type": "array", - "items": { - "type": "string" - } - }, - "sessionAffinity": { - "description": "Supports \"ClientIP\" and \"None\". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "string" - }, - "loadBalancerIP": { - "description": "Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.", - "type": "string" - }, - "loadBalancerSourceRanges": { - "description": "If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature.\" More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/", - "type": "array", - "items": { - "type": "string" - } - }, - "externalName": { - "description": "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) and requires Type to be ExternalName.", - "type": "string" - }, - "externalTrafficPolicy": { - "description": "externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. \"Local\" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. \"Cluster\" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading.", - "type": "string" - }, - "healthCheckNodePort": { - "description": "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local.", - "type": "integer", - "format": "int32" - }, - "publishNotReadyAddresses": { - "description": "publishNotReadyAddresses, when set to true, indicates that DNS implementations must publish the notReadyAddresses of subsets for the Endpoints associated with the Service. The default value is false. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate SRV records for its Pods without respect to their readiness for purpose of peer discovery.", - "type": "boolean", - "nullable": true - }, - "sessionAffinityConfig": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SessionAffinityConfig" - }, - "ipFamily": { - "description": "ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is available in the cluster. If no IP family is requested, the cluster's primary IP family will be used. Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which allocate external load-balancers should use the same IP family. Endpoints for this Service will be of this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.AWSElasticBlockStoreVolumeSource": { - "description": "Represents a Persistent Disk resource in AWS. An AWS EBS disk must exist before mounting to a container. The disk must also be in the same AWS zone as the kubelet. An AWS EBS disk can only be mounted as read/write once. AWS EBS volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "volumeID": { - "description": "volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore", - "type": "string" - }, - "fsType": { - "description": "fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "partition": { - "description": "partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).", - "type": "integer", - "format": "int32" - }, - "readOnly": { - "description": "readOnly value true will force the readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.Affinity": { - "description": "Affinity is a group of affinity scheduling rules.", - "type": "object", - "properties": { - "nodeAffinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeAffinity" - }, - "podAffinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinity" - }, - "podAntiAffinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAntiAffinity" - } - } - }, - "k8s.io.api.core.v1.AzureDiskVolumeSource": { - "description": "AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.", - "type": "object", - "properties": { - "kind": { - "description": "kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared", - "type": "string" - }, - "fsType": { - "description": "fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "readOnly": { - "description": "readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "diskName": { - "description": "diskName is the Name of the data disk in the blob storage", - "type": "string" - }, - "diskURI": { - "description": "diskURI is the URI of data disk in the blob storage", - "type": "string" - }, - "cachingMode": { - "description": "cachingMode is the Host Caching mode: None, Read Only, Read Write.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.AzureFileVolumeSource": { - "description": "AzureFile represents an Azure File Service mount on the host and bind mount to the pod.", - "type": "object", - "properties": { - "readOnly": { - "description": "readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "secretName": { - "description": "secretName is the name of secret that contains Azure Storage Account Name and Key", - "type": "string" - }, - "shareName": { - "description": "shareName is the azure share Name", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.CSIVolumeSource": { - "description": "Represents a source location of a volume to mount, managed by an external CSI driver", - "type": "object", - "properties": { - "fsType": { - "description": "fsType to mount. Ex. \"ext4\", \"xfs\", \"ntfs\". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.", - "type": "string" - }, - "readOnly": { - "description": "readOnly specifies a read-only configuration for the volume. Defaults to false (read/write).", - "type": "boolean" - }, - "driver": { - "description": "driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.", - "type": "string" - }, - "volumeAttributes": { - "description": "volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "nodePublishSecretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.Capabilities": { - "description": "Adds and removes POSIX capabilities from running containers.", - "type": "object", - "properties": { - "add": { - "description": "Added capabilities", - "type": "array", - "items": { - "type": "string" - } - }, - "drop": { - "description": "Removed capabilities", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.CephFSVolumeSource": { - "description": "Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /", - "type": "string" - }, - "readOnly": { - "description": "readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "boolean" - }, - "monitors": { - "description": "monitors is Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "array", - "items": { - "type": "string" - } - }, - "user": { - "description": "user is optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "string" - }, - "secretFile": { - "description": "secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "string" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.CinderVolumeSource": { - "description": "Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "volumeID": { - "description": "volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md", - "type": "string" - }, - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md", - "type": "string" - }, - "readOnly": { - "description": "readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.ClientIPConfig": { - "description": "ClientIPConfig represents the configurations of Client IP based session affinity.", - "type": "object", - "properties": { - "timeoutSeconds": { - "description": "timeoutSeconds specifies the seconds of ClientIP type session sticky time. The value must be \u003e0 \u0026\u0026 \u003c=86400(for 1 day) if ServiceAffinity == \"ClientIP\". Default value is 10800(for 3 hours).", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.ConfigMapKeySelector": { - "description": "Selects a key from a ConfigMap.", - "type": "object", - "properties": { - "key": { - "description": "The key to select.", - "type": "string" - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "Specify whether the ConfigMap or its key must be defined", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.ConfigMapProjection": { - "description": "Adapts a ConfigMap into a projected volume. The contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.", - "type": "object", - "properties": { - "items": { - "description": "items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "optional specify whether the ConfigMap or its keys must be defined", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.ConfigMapVolumeSource": { - "description": "Adapts a ConfigMap into a volume. The contents of the target ConfigMap's Data field will be presented in a volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. ConfigMap volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "items": { - "description": "items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "optional specify whether the ConfigMap or its keys must be defined", - "type": "boolean" - }, - "defaultMode": { - "description": "defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.DownwardAPIProjection": { - "description": "Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.", - "type": "object", - "properties": { - "items": { - "description": "Items is a list of DownwardAPIVolume file", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIVolumeFile" - } - } - } - }, - "k8s.io.api.core.v1.DownwardAPIVolumeFile": { - "description": "DownwardAPIVolumeFile represents information to create the file containing the pod field", - "type": "object", - "properties": { - "path": { - "description": "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'", - "type": "string" - }, - "fieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ObjectFieldSelector" - }, - "resourceFieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ResourceFieldSelector" - }, - "mode": { - "description": "Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.DownwardAPIVolumeSource": { - "description": "DownwardAPIVolumeSource represents a volume containing downward API info. Downward API volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "items": { - "description": "Items is a list of downward API volume file", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIVolumeFile" - } - }, - "defaultMode": { - "description": "Optional: mode bits to use on created files by default. Must be a Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.EmptyDirVolumeSource": { - "description": "Represents an empty directory for a pod. Empty directory volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "medium": { - "description": "medium represents what type of storage medium should back this directory. The default is \"\" which means to use the node's default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir", - "type": "string" - }, - "sizeLimit": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - } - }, - "k8s.io.api.core.v1.EnvVar": { - "description": "EnvVar represents an environment variable present in a Container.", - "type": "object", - "properties": { - "name": { - "description": "Name of the environment variable. Must be a C_IDENTIFIER.", - "type": "string" - }, - "value": { - "description": "Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to \"\".", - "type": "string" - }, - "valueFrom": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EnvVarSource" - } - } - }, - "k8s.io.api.core.v1.EnvVarSource": { - "description": "EnvVarSource represents a source for the value of an EnvVar.", - "type": "object", - "properties": { - "fieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ObjectFieldSelector" - }, - "resourceFieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ResourceFieldSelector" - }, - "configMapKeyRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ConfigMapKeySelector" - }, - "secretKeyRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecretKeySelector" - } - } - }, - "k8s.io.api.core.v1.EphemeralVolumeSource": { - "description": "Represents an ephemeral volume that is handled by a normal storage driver.", - "type": "object", - "properties": { - "volumeClaimTemplate": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PersistentVolumeClaimTemplate" - } - } - }, - "k8s.io.api.core.v1.ExecAction": { - "description": "ExecAction describes a \"run in container\" action.", - "type": "object", - "properties": { - "command": { - "description": "Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.FCVolumeSource": { - "description": "Represents a Fibre Channel volume. Fibre Channel volumes can only be mounted as read/write once. Fibre Channel volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "readOnly": { - "description": "readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "targetWWNs": { - "description": "targetWWNs is Optional: FC target worldwide names (WWNs)", - "type": "array", - "items": { - "type": "string" - } - }, - "lun": { - "description": "lun is Optional: FC target lun number", - "type": "integer", - "format": "int32" - }, - "wwids": { - "description": "wwids Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.FlexVolumeSource": { - "description": "FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.", - "type": "string" - }, - "readOnly": { - "description": "readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "driver": { - "description": "driver is the name of the driver to use for this volume.", - "type": "string" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "options": { - "description": "options is Optional: this field holds extra command options if any.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.FlockerVolumeSource": { - "description": "Represents a Flocker volume mounted by the Flocker agent. One and only one of datasetName and datasetUUID should be set. Flocker volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "datasetName": { - "description": "datasetName is Name of the dataset stored as metadata -\u003e name on the dataset for Flocker should be considered as deprecated", - "type": "string" - }, - "datasetUUID": { - "description": "datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GCEPersistentDiskVolumeSource": { - "description": "Represents a Persistent Disk resource in Google Compute Engine. A GCE PD must exist before mounting to a container. The disk must also be in the same GCE project and zone as the kubelet. A GCE PD can only be mounted as read/write once or read-only many times. GCE PDs support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "partition": { - "description": "partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk", - "type": "integer", - "format": "int32" - }, - "readOnly": { - "description": "readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk", - "type": "boolean" - }, - "pdName": { - "description": "pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GRPCAction": { - "type": "object", - "properties": { - "port": { - "description": "Port number of the gRPC service. Number must be in the range 1 to 65535.", - "type": "integer", - "format": "int32" - }, - "service": { - "description": "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GitRepoVolumeSource": { - "description": "Represents a volume that is populated with the contents of a git repository. Git repo volumes do not support ownership management. Git repo volumes support SELinux relabeling. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.", - "type": "object", - "properties": { - "repository": { - "description": "repository is the URL", - "type": "string" - }, - "revision": { - "description": "revision is the commit hash for the specified revision.", - "type": "string" - }, - "directory": { - "description": "directory is the target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GlusterfsVolumeSource": { - "description": "Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod", - "type": "boolean" - }, - "endpoints": { - "description": "endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.HTTPGetAction": { - "description": "HTTPGetAction describes an action based on HTTP Get requests.", - "type": "object", - "properties": { - "path": { - "description": "Path to access on the HTTP server.", - "type": "string" - }, - "port": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.util.intstr.IntOrString" - }, - "host": { - "description": "Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.", - "type": "string" - }, - "scheme": { - "description": "Scheme to use for connecting to the host. Defaults to HTTP.", - "type": "string" - }, - "httpHeaders": { - "description": "Custom headers to set in the request. HTTP allows repeated headers.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.HTTPHeader" - } - } - } - }, - "k8s.io.api.core.v1.HTTPHeader": { - "description": "HTTPHeader describes a custom header to be used in HTTP probes", - "type": "object", - "properties": { - "name": { - "description": "The header field name", - "type": "string" - }, - "value": { - "description": "The header field value", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.HostPathVolumeSource": { - "description": "Represents a host path mapped into a pod. Host path volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath", - "type": "string" - }, - "type": { - "description": "type for HostPath Volume Defaults to \"\" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ISCSIVolumeSource": { - "description": "Represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "lun": { - "description": "lun represents iSCSI Target Lun number.", - "type": "integer", - "format": "int32" - }, - "targetPortal": { - "description": "targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).", - "type": "string" - }, - "iqn": { - "description": "iqn is the target iSCSI Qualified Name.", - "type": "string" - }, - "iscsiInterface": { - "description": "iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).", - "type": "string" - }, - "portals": { - "description": "portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).", - "type": "array", - "items": { - "type": "string" - } - }, - "chapAuthDiscovery": { - "description": "chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication", - "type": "boolean" - }, - "chapAuthSession": { - "description": "chapAuthSession defines whether support iSCSI Session CHAP authentication", - "type": "boolean" - }, - "initiatorName": { - "description": "initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface \u003ctarget portal\u003e:\u003cvolume name\u003e will be created for the connection.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.KeyToPath": { - "description": "Maps a string key to a path within a volume.", - "type": "object", - "properties": { - "path": { - "description": "path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.", - "type": "string" - }, - "key": { - "description": "key is the key to project.", - "type": "string" - }, - "mode": { - "description": "mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.Lifecycle": { - "description": "Lifecycle describes actions that the management system should take in response to container lifecycle events. For the PostStart and PreStop lifecycle handlers, management of the container blocks until the action is complete, unless the container process fails, in which case the handler is aborted.", - "type": "object", - "properties": { - "postStart": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LifecycleHandler" - }, - "preStop": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LifecycleHandler" - } - } - }, - "k8s.io.api.core.v1.LifecycleHandler": { - "description": "LifecycleHandler defines a specific action that should be taken in a lifecycle hook. One and only one of the fields, except TCPSocket must be specified.", - "type": "object", - "properties": { - "exec": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ExecAction" - }, - "httpGet": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.HTTPGetAction" - }, - "tcpSocket": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.TCPSocketAction" - } - } - }, - "k8s.io.api.core.v1.LocalObjectReference": { - "description": "LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.", - "type": "object", - "properties": { - "name": { - "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.NFSVolumeSource": { - "description": "Represents an NFS mount that lasts the lifetime of a pod. NFS volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", - "type": "boolean" - }, - "server": { - "description": "server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.NodeAffinity": { - "description": "Node affinity is a group of node affinity scheduling rules.", - "type": "object", - "properties": { - "requiredDuringSchedulingIgnoredDuringExecution": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelector" - }, - "preferredDuringSchedulingIgnoredDuringExecution": { - "description": "The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PreferredSchedulingTerm" - } - } - } - }, - "k8s.io.api.core.v1.NodeSelector": { - "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", - "type": "object", - "properties": { - "nodeSelectorTerms": { - "description": "Required. A list of node selector terms. The terms are ORed.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorTerm" - } - } - } - }, - "k8s.io.api.core.v1.NodeSelectorRequirement": { - "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", - "type": "object", - "properties": { - "key": { - "description": "The label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", - "type": "string" - }, - "values": { - "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.NodeSelectorTerm": { - "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "A list of node selector requirements by node's labels.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorRequirement" - } - }, - "matchFields": { - "description": "A list of node selector requirements by node's fields.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorRequirement" - } - } - } - }, - "k8s.io.api.core.v1.ObjectFieldSelector": { - "description": "ObjectFieldSelector selects an APIVersioned field of an object.", - "type": "object", - "properties": { - "apiVersion": { - "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".", - "type": "string" - }, - "fieldPath": { - "description": "Path of the field to select in the specified API version.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PersistentVolumeClaimSpec": { - "description": "PersistentVolumeClaimSpec describes the common attributes of storage devices and allows a Source for provider-specific attributes", - "type": "object", - "properties": { - "resources": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ResourceRequirements" - }, - "accessModes": { - "description": "accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1", - "type": "array", - "items": { - "type": "string" - } - }, - "selector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "volumeName": { - "description": "volumeName is the binding reference to the PersistentVolume backing this claim.", - "type": "string" - }, - "storageClassName": { - "description": "storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1", - "type": "string" - }, - "volumeMode": { - "description": "volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.", - "type": "string" - }, - "dataSource": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.TypedLocalObjectReference" - }, - "dataSourceRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.TypedLocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.PersistentVolumeClaimTemplate": { - "description": "PersistentVolumeClaimTemplate is used to produce PersistentVolumeClaim objects as part of an EphemeralVolumeSource.", - "type": "object", - "properties": { - "metadata": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PersistentVolumeClaimSpec" - } - } - }, - "k8s.io.api.core.v1.PersistentVolumeClaimVolumeSource": { - "description": "PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. This volume finds the bound PV and mounts that volume for the pod. A PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another type of volume that is owned by someone else (the system).", - "type": "object", - "properties": { - "readOnly": { - "description": "readOnly Will force the ReadOnly setting in VolumeMounts. Default false.", - "type": "boolean" - }, - "claimName": { - "description": "claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PhotonPersistentDiskVolumeSource": { - "description": "Represents a Photon Controller persistent disk resource.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "pdID": { - "description": "pdID is the ID that identifies Photon Controller persistent disk", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PodAffinity": { - "description": "Pod affinity is a group of inter pod affinity scheduling rules.", - "type": "object", - "properties": { - "requiredDuringSchedulingIgnoredDuringExecution": { - "description": "If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinityTerm" - } - }, - "preferredDuringSchedulingIgnoredDuringExecution": { - "description": "The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WeightedPodAffinityTerm" - } - } - } - }, - "k8s.io.api.core.v1.PodAffinityTerm": { - "description": "Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key \u003ctopologyKey\u003e matches that of any node on which a pod of the set of pods is running", - "type": "object", - "properties": { - "labelSelector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "namespaces": { - "description": "namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means \"this pod's namespace\".", - "type": "array", - "items": { - "type": "string" - } - }, - "topologyKey": { - "description": "This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.", - "type": "string" - }, - "namespaceSelector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - } - } - }, - "k8s.io.api.core.v1.PodAntiAffinity": { - "description": "Pod anti affinity is a group of inter pod anti affinity scheduling rules.", - "type": "object", - "properties": { - "requiredDuringSchedulingIgnoredDuringExecution": { - "description": "If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinityTerm" - } - }, - "preferredDuringSchedulingIgnoredDuringExecution": { - "description": "The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WeightedPodAffinityTerm" - } - } - } - }, - "k8s.io.api.core.v1.PodSecurityContext": { - "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.", - "type": "object", - "properties": { - "seLinuxOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SELinuxOptions" - }, - "windowsOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WindowsSecurityContextOptions" - }, - "runAsUser": { - "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "runAsGroup": { - "description": "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "runAsNonRoot": { - "description": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.", - "type": "boolean" - }, - "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. Note that this field cannot be set when spec.os.name is windows.", - "type": "array", - "items": { - "type": "integer", - "format": "int64" - } - }, - "fsGroup": { - "description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "sysctls": { - "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Sysctl" - } - }, - "fsGroupChangePolicy": { - "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used. Note that this field cannot be set when spec.os.name is windows.", - "type": "string" - }, - "seccompProfile": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SeccompProfile" - } - } - }, - "k8s.io.api.core.v1.PortworxVolumeSource": { - "description": "PortworxVolumeSource represents a Portworx volume resource.", - "type": "object", - "properties": { - "volumeID": { - "description": "volumeID uniquely identifies a Portworx volume", - "type": "string" - }, - "fsType": { - "description": "fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "readOnly": { - "description": "readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.PreferredSchedulingTerm": { - "description": "An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).", - "type": "object", - "properties": { - "weight": { - "description": "Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.", - "type": "integer", - "format": "int32" - }, - "preference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorTerm" - } - } - }, - "k8s.io.api.core.v1.ProjectedVolumeSource": { - "description": "Represents a projected volume source", - "type": "object", - "properties": { - "defaultMode": { - "description": "defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - }, - "sources": { - "description": "sources is the list of volume projections", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeProjection" - } - } - } - }, - "k8s.io.api.core.v1.QuobyteVolumeSource": { - "description": "Represents a Quobyte mount that lasts the lifetime of a pod. Quobyte volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "group": { - "description": "group to map volume access to Default is no group", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.", - "type": "boolean" - }, - "user": { - "description": "user to map volume access to Defaults to serivceaccount user", - "type": "string" - }, - "registry": { - "description": "registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes", - "type": "string" - }, - "volume": { - "description": "volume is a string that references an already created Quobyte volume by name.", - "type": "string" - }, - "tenant": { - "description": "tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.RBDVolumeSource": { - "description": "Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "boolean" - }, - "monitors": { - "description": "monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "array", - "items": { - "type": "string" - } - }, - "user": { - "description": "user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "image": { - "description": "image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - }, - "pool": { - "description": "pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - }, - "keyring": { - "description": "keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ResourceFieldSelector": { - "description": "ResourceFieldSelector represents container resources (cpu, memory) and their output format", - "type": "object", - "properties": { - "resource": { - "description": "Required: resource to select", - "type": "string" - }, - "containerName": { - "description": "Container name: required for volumes, optional for env vars", - "type": "string" - }, - "divisor": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - } - }, - "k8s.io.api.core.v1.ResourceRequirements": { - "description": "ResourceRequirements describes the compute resource requirements.", - "type": "object", - "properties": { - "limits": { - "description": "Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - }, - "requests": { - "description": "Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - } - } - }, - "k8s.io.api.core.v1.SELinuxOptions": { - "description": "SELinuxOptions are the labels to be applied to the container", - "type": "object", - "properties": { - "type": { - "description": "Type is a SELinux type label that applies to the container.", - "type": "string" - }, - "user": { - "description": "User is a SELinux user label that applies to the container.", - "type": "string" - }, - "role": { - "description": "Role is a SELinux role label that applies to the container.", - "type": "string" - }, - "level": { - "description": "Level is SELinux level label that applies to the container.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ScaleIOVolumeSource": { - "description": "ScaleIOVolumeSource represents a persistent ScaleIO volume", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Default is \"xfs\".", - "type": "string" - }, - "readOnly": { - "description": "readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "volumeName": { - "description": "volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.", - "type": "string" - }, - "gateway": { - "description": "gateway is the host address of the ScaleIO API Gateway.", - "type": "string" - }, - "system": { - "description": "system is the name of the storage system as configured in ScaleIO.", - "type": "string" - }, - "sslEnabled": { - "description": "sslEnabled Flag enable/disable SSL communication with Gateway, default false", - "type": "boolean" - }, - "protectionDomain": { - "description": "protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.", - "type": "string" - }, - "storagePool": { - "description": "storagePool is the ScaleIO Storage Pool associated with the protection domain.", - "type": "string" - }, - "storageMode": { - "description": "storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.SeccompProfile": { - "description": "SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.", - "type": "object", - "properties": { - "type": { - "description": "type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.", - "type": "string" - }, - "localhostProfile": { - "description": "localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is \"Localhost\".", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.SecretKeySelector": { - "description": "SecretKeySelector selects a key of a Secret.", - "type": "object", - "properties": { - "key": { - "description": "The key of the secret to select from. Must be a valid secret key.", - "type": "string" - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "Specify whether the Secret or its key must be defined", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.SecretProjection": { - "description": "Adapts a secret into a projected volume. The contents of the target Secret's Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.", - "type": "object", - "properties": { - "items": { - "description": "items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "optional field specify whether the Secret or its key must be defined", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.SecretVolumeSource": { - "description": "Adapts a Secret into a volume. The contents of the target Secret's Data field will be presented in a volume as files using the keys in the Data field as the file names. Secret volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "items": { - "description": "items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "secretName": { - "description": "secretName is the name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret", - "type": "string" - }, - "optional": { - "description": "optional field specify whether the Secret or its keys must be defined", - "type": "boolean" - }, - "defaultMode": { - "description": "defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.SecurityContext": { - "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.", - "type": "object", - "properties": { - "seLinuxOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SELinuxOptions" - }, - "windowsOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WindowsSecurityContextOptions" - }, - "runAsUser": { - "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "runAsGroup": { - "description": "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "runAsNonRoot": { - "description": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.", - "type": "boolean" - }, - "seccompProfile": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SeccompProfile" - }, - "capabilities": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Capabilities" - }, - "privileged": { - "description": "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.", - "type": "boolean" - }, - "readOnlyRootFilesystem": { - "description": "Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.", - "type": "boolean" - }, - "allowPrivilegeEscalation": { - "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.", - "type": "boolean" - }, - "procMount": { - "description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ServiceAccountTokenProjection": { - "description": "ServiceAccountTokenProjection represents a projected service account token volume. This projection can be used to insert a service account token into the pods runtime filesystem for use against APIs (Kubernetes API Server or otherwise).", - "type": "object", - "properties": { - "path": { - "description": "path is the path relative to the mount point of the file to project the token into.", - "type": "string" - }, - "audience": { - "description": "audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.", - "type": "string" - }, - "expirationSeconds": { - "description": "expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.", - "type": "integer", - "format": "int64" - } - } - }, - "k8s.io.api.core.v1.SessionAffinityConfig": { - "description": "SessionAffinityConfig represents the configurations of session affinity.", - "type": "object", - "properties": { - "clientIP": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ClientIPConfig" - } - } - }, - "k8s.io.api.core.v1.StorageOSVolumeSource": { - "description": "Represents a StorageOS persistent volume resource.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "readOnly": { - "description": "readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "volumeName": { - "description": "volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.", - "type": "string" - }, - "volumeNamespace": { - "description": "volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to \"default\" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.Sysctl": { - "description": "Sysctl defines a kernel parameter to be set", - "type": "object", - "properties": { - "name": { - "description": "Name of a property to set", - "type": "string" - }, - "value": { - "description": "Value of a property to set", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.TCPSocketAction": { - "description": "TCPSocketAction describes an action based on opening a socket", - "type": "object", - "properties": { - "port": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.util.intstr.IntOrString" - }, - "host": { - "description": "Optional: Host name to connect to, defaults to the pod IP.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.Toleration": { - "description": "The pod this Toleration is attached to tolerates any taint that matches the triple \u003ckey,value,effect\u003e using the matching operator \u003coperator\u003e.", - "type": "object", - "properties": { - "key": { - "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.", - "type": "string" - }, - "operator": { - "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.", - "type": "string" - }, - "value": { - "description": "Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.", - "type": "string" - }, - "effect": { - "description": "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.", - "type": "string" - }, - "tolerationSeconds": { - "description": "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.", - "type": "integer", - "format": "int64" - } - } - }, - "k8s.io.api.core.v1.TopologySpreadConstraint": { - "description": "TopologySpreadConstraint specifies how to spread matching pods among the given topology.", - "type": "object", - "properties": { - "labelSelector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "topologyKey": { - "description": "TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each \u003ckey, value\u003e as a \"bucket\", and try to put balanced number of pods into each bucket. It's a required field.", - "type": "string" - }, - "maxSkew": { - "description": "MaxSkew describes the degree to which pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1; scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.", - "type": "integer", - "format": "int32" - }, - "whenUnsatisfiable": { - "description": "WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered \"Unsatisfiable\" for an incoming pod if and only if every possible node assignment for that pod would violate \"MaxSkew\" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it *more* imbalanced. It's a required field.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.TypedLocalObjectReference": { - "description": "TypedLocalObjectReference contains enough information to let you locate the typed referenced object inside the same namespace.", - "type": "object", - "properties": { - "name": { - "description": "Name is the name of resource being referenced", - "type": "string" - }, - "kind": { - "description": "Kind is the type of resource being referenced", - "type": "string" - }, - "apiGroup": { - "description": "APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.Volume": { - "description": "Volume represents a named volume in a pod that may be accessed by any container in the pod.", - "type": "object", - "properties": { - "name": { - "description": "name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", - "type": "string" - }, - "volumeSource": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeSource" - } - } - }, - "k8s.io.api.core.v1.VolumeMount": { - "description": "VolumeMount describes a mounting of a Volume within a container.", - "type": "object", - "properties": { - "name": { - "description": "This must match the Name of a Volume.", - "type": "string" - }, - "readOnly": { - "description": "Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.", - "type": "boolean" - }, - "mountPath": { - "description": "Path within the container at which the volume should be mounted. Must not contain ':'.", - "type": "string" - }, - "subPath": { - "description": "Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).", - "type": "string" - }, - "mountPropagation": { - "description": "mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.", - "type": "string" - }, - "subPathExpr": { - "description": "Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to \"\" (volume's root). SubPathExpr and SubPath are mutually exclusive.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.VolumeProjection": { - "description": "Projection that may be projected along with other supported volume types", - "type": "object", - "properties": { - "configMap": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ConfigMapProjection" - }, - "secret": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecretProjection" - }, - "downwardAPI": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIProjection" - }, - "serviceAccountToken": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ServiceAccountTokenProjection" - } - } - }, - "k8s.io.api.core.v1.VolumeSource": { - "description": "Represents the source of a volume to mount. Only one of its members may be specified.", - "type": "object", - "properties": { - "configMap": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ConfigMapVolumeSource" - }, - "gcePersistentDisk": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GCEPersistentDiskVolumeSource" - }, - "awsElasticBlockStore": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.AWSElasticBlockStoreVolumeSource" - }, - "hostPath": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.HostPathVolumeSource" - }, - "glusterfs": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GlusterfsVolumeSource" - }, - "nfs": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NFSVolumeSource" - }, - "rbd": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.RBDVolumeSource" - }, - "iscsi": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ISCSIVolumeSource" - }, - "cinder": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.CinderVolumeSource" - }, - "cephfs": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.CephFSVolumeSource" - }, - "fc": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.FCVolumeSource" - }, - "flocker": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.FlockerVolumeSource" - }, - "flexVolume": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.FlexVolumeSource" - }, - "azureFile": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.AzureFileVolumeSource" - }, - "vsphereVolume": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VsphereVirtualDiskVolumeSource" - }, - "quobyte": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.QuobyteVolumeSource" - }, - "azureDisk": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.AzureDiskVolumeSource" - }, - "photonPersistentDisk": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PhotonPersistentDiskVolumeSource" - }, - "portworxVolume": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PortworxVolumeSource" - }, - "scaleIO": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ScaleIOVolumeSource" - }, - "storageos": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.StorageOSVolumeSource" - }, - "csi": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.CSIVolumeSource" - }, - "secret": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecretVolumeSource" - }, - "downwardAPI": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIVolumeSource" - }, - "emptyDir": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EmptyDirVolumeSource" - }, - "gitRepo": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GitRepoVolumeSource" - }, - "persistentVolumeClaim": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PersistentVolumeClaimVolumeSource" - }, - "projected": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ProjectedVolumeSource" - }, - "ephemeral": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EphemeralVolumeSource" - } - } - }, - "k8s.io.api.core.v1.VsphereVirtualDiskVolumeSource": { - "description": "Represents a vSphere volume resource.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "volumePath": { - "description": "volumePath is the path that identifies vSphere volume vmdk", - "type": "string" - }, - "storagePolicyName": { - "description": "storagePolicyName is the storage Policy Based Management (SPBM) profile name.", - "type": "string" - }, - "storagePolicyID": { - "description": "storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.WeightedPodAffinityTerm": { - "description": "The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)", - "type": "object", - "properties": { - "weight": { - "description": "weight associated with matching the corresponding podAffinityTerm, in the range 1-100.", - "type": "integer", - "format": "int32" - }, - "podAffinityTerm": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinityTerm" - } - } - }, - "k8s.io.api.core.v1.WindowsSecurityContextOptions": { - "description": "WindowsSecurityContextOptions contain Windows-specific options and credentials.", - "type": "object", - "properties": { - "gmsaCredentialSpecName": { - "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.", - "type": "string" - }, - "gmsaCredentialSpec": { - "description": "GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.", - "type": "string" - }, - "runAsUserName": { - "description": "The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.", - "type": "string" - }, - "hostProcess": { - "description": "HostProcess determines if a container should be run as a 'Host Process' container. This field is alpha-level and will only be honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating the Pod. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.", - "type": "boolean" - } - } - }, - "k8s.io.apimachinery.pkg.api.resource.Quantity": { - "description": "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors. The serialization format is: \u003cquantity\u003e ::= \u003csignedNumber\u003e\u003csuffix\u003e (Note that \u003csuffix\u003e may be empty, from the \"\" case in \u003cdecimalSI\u003e.) \u003cdigit\u003e ::= 0 | 1 | ... | 9 \u003cdigits\u003e ::= \u003cdigit\u003e | \u003cdigit\u003e\u003cdigits\u003e \u003cnumber\u003e ::= \u003cdigits\u003e | \u003cdigits\u003e.\u003cdigits\u003e | \u003cdigits\u003e. | .\u003cdigits\u003e \u003csign\u003e ::= \"+\" | \"-\" \u003csignedNumber\u003e ::= \u003cnumber\u003e | \u003csign\u003e\u003cnumber\u003e \u003csuffix\u003e ::= \u003cbinarySI\u003e | \u003cdecimalExponent\u003e | \u003cdecimalSI\u003e \u003cbinarySI\u003e ::= Ki | Mi | Gi | Ti | Pi | Ei (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html) \u003cdecimalSI\u003e ::= m | \"\" | k | M | G | T | P | E (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.) \u003cdecimalExponent\u003e ::= \"e\" \u003csignedNumber\u003e | \"E\" \u003csignedNumber\u003e No matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities. When a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized. Before serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that: a. No precision is lost b. No fractional digits will be emitted c. The exponent (or suffix) is as large as possible. The sign will be omitted unless the number is negative. Examples: 1.5 will be serialized as \"1500m\" 1.5Gi will be serialized as \"1536Mi\" Note that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise. Non-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.) This format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.", - "type": "object", - "properties": { - "string": { - "type": "string" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.FieldsV1": { - "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format. Each key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:\u003cname\u003e', where \u003cname\u003e is the name of a field in a struct, or key in a map 'v:\u003cvalue\u003e', where \u003cvalue\u003e is the exact json formatted value of a list item 'i:\u003cindex\u003e', where \u003cindex\u003e is position of a item in a list 'k:\u003ckeys\u003e', where \u003ckeys\u003e is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set. The exact format is defined in sigs.k8s.io/structured-merge-diff", - "type": "object", - "properties": { - "Raw": { - "description": "Raw is the underlying serialization of this object.", - "type": "string", - "format": "binary" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector": { - "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", - "type": "object", - "properties": { - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement" - } - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", - "type": "object", - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry": { - "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", - "type": "object", - "properties": { - "time": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.Time" - }, - "apiVersion": { - "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", - "type": "string" - }, - "manager": { - "description": "Manager is an identifier of the workflow managing these fields.", - "type": "string" - }, - "operation": { - "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", - "type": "string" - }, - "fieldsType": { - "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", - "type": "string" - }, - "fieldsV1": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.FieldsV1" - }, - "subresource": { - "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", - "type": "string" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta": { - "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", - "type": "object", - "properties": { - "name": { - "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names", - "type": "string" - }, - "resourceVersion": { - "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": "string" - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": "string" - }, - "generateName": { - "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", - "type": "string" - }, - "namespace": { - "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces", - "type": "string" - }, - "uid": { - "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids", - "type": "string" - }, - "generation": { - "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", - "type": "integer", - "format": "int64" - }, - "creationTimestamp": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.Time" - }, - "deletionTimestamp": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.Time" - }, - "deletionGracePeriodSeconds": { - "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", - "type": "integer", - "format": "int64" - }, - "labels": { - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "annotations": { - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ownerReferences": { - "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.OwnerReference" - } - }, - "finalizers": { - "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", - "type": "array", - "items": { - "type": "string" - } - }, - "clusterName": { - "description": "The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.", - "type": "string" - }, - "managedFields": { - "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry" - } - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.OwnerReference": { - "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", - "type": "object", - "properties": { - "name": { - "description": "Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names", - "type": "string" - }, - "apiVersion": { - "description": "API version of the referent.", - "type": "string" - }, - "kind": { - "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "uid": { - "description": "UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids", - "type": "string" - }, - "controller": { - "description": "If true, this reference points to the managing controller.", - "type": "boolean" - }, - "blockOwnerDeletion": { - "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", - "type": "boolean" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.Time": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "type": "object", - "properties": { - "seconds": { - "description": "Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive.", - "type": "integer", - "format": "int64" - }, - "nanos": { - "description": "Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.apimachinery.pkg.util.intstr.IntOrString": { - "description": "IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number. TODO: Rename to Int32OrString", - "type": "object", - "properties": { - "type": { - "type": "integer", - "format": "int64" - }, - "intVal": { - "type": "integer", - "format": "int32" - }, - "strVal": { - "type": "string" - } - } - } - } - } -} \ No newline at end of file diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane.pb.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane.pb.go deleted file mode 100644 index d607774c8..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane.pb.go +++ /dev/null @@ -1,3456 +0,0 @@ -// Copyright 2021 Cisco Systems, Inc. and/or its affiliates. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.28.0 -// protoc (unknown) -// source: api/v1alpha1/istiocontrolplane.proto - -// $schema: istio-operator.api.v1alpha1.IstioControlPlaneSpec -// $title: Istio ControlPlane Spec -// $description: Istio control plane descriptor - -package v1alpha1 - -import ( - wrappers "github.com/golang/protobuf/ptypes/wrappers" - _ "google.golang.org/genproto/googleapis/api/annotations" - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - v1alpha1 "istio.io/api/mesh/v1alpha1" - v1 "k8s.io/api/core/v1" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -type ModeType int32 - -const ( - ModeType_ModeType_UNSPECIFIED ModeType = 0 - ModeType_ACTIVE ModeType = 1 - ModeType_PASSIVE ModeType = 2 -) - -// Enum value maps for ModeType. -var ( - ModeType_name = map[int32]string{ - 0: "ModeType_UNSPECIFIED", - 1: "ACTIVE", - 2: "PASSIVE", - } - ModeType_value = map[string]int32{ - "ModeType_UNSPECIFIED": 0, - "ACTIVE": 1, - "PASSIVE": 2, - } -) - -func (x ModeType) Enum() *ModeType { - p := new(ModeType) - *p = x - return p -} - -func (x ModeType) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (ModeType) Descriptor() protoreflect.EnumDescriptor { - return file_api_v1alpha1_istiocontrolplane_proto_enumTypes[0].Descriptor() -} - -func (ModeType) Type() protoreflect.EnumType { - return &file_api_v1alpha1_istiocontrolplane_proto_enumTypes[0] -} - -func (x ModeType) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use ModeType.Descriptor instead. -func (ModeType) EnumDescriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{0} -} - -type ProxyLogLevel int32 - -const ( - ProxyLogLevel_ProxyLogLevel_UNSPECIFIED ProxyLogLevel = 0 - ProxyLogLevel_TRACE ProxyLogLevel = 1 - ProxyLogLevel_DEBUG ProxyLogLevel = 2 - ProxyLogLevel_INFO ProxyLogLevel = 3 - ProxyLogLevel_WARNING ProxyLogLevel = 4 - ProxyLogLevel_ERROR ProxyLogLevel = 5 - ProxyLogLevel_CRITICAL ProxyLogLevel = 6 - ProxyLogLevel_OFF ProxyLogLevel = 7 -) - -// Enum value maps for ProxyLogLevel. -var ( - ProxyLogLevel_name = map[int32]string{ - 0: "ProxyLogLevel_UNSPECIFIED", - 1: "TRACE", - 2: "DEBUG", - 3: "INFO", - 4: "WARNING", - 5: "ERROR", - 6: "CRITICAL", - 7: "OFF", - } - ProxyLogLevel_value = map[string]int32{ - "ProxyLogLevel_UNSPECIFIED": 0, - "TRACE": 1, - "DEBUG": 2, - "INFO": 3, - "WARNING": 4, - "ERROR": 5, - "CRITICAL": 6, - "OFF": 7, - } -) - -func (x ProxyLogLevel) Enum() *ProxyLogLevel { - p := new(ProxyLogLevel) - *p = x - return p -} - -func (x ProxyLogLevel) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (ProxyLogLevel) Descriptor() protoreflect.EnumDescriptor { - return file_api_v1alpha1_istiocontrolplane_proto_enumTypes[1].Descriptor() -} - -func (ProxyLogLevel) Type() protoreflect.EnumType { - return &file_api_v1alpha1_istiocontrolplane_proto_enumTypes[1] -} - -func (x ProxyLogLevel) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use ProxyLogLevel.Descriptor instead. -func (ProxyLogLevel) EnumDescriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{1} -} - -type PilotCertProviderType int32 - -const ( - PilotCertProviderType_PilotCertProviderType_UNSPECIFIED PilotCertProviderType = 0 - PilotCertProviderType_KUBERNETES PilotCertProviderType = 1 - PilotCertProviderType_ISTIOD PilotCertProviderType = 2 -) - -// Enum value maps for PilotCertProviderType. -var ( - PilotCertProviderType_name = map[int32]string{ - 0: "PilotCertProviderType_UNSPECIFIED", - 1: "KUBERNETES", - 2: "ISTIOD", - } - PilotCertProviderType_value = map[string]int32{ - "PilotCertProviderType_UNSPECIFIED": 0, - "KUBERNETES": 1, - "ISTIOD": 2, - } -) - -func (x PilotCertProviderType) Enum() *PilotCertProviderType { - p := new(PilotCertProviderType) - *p = x - return p -} - -func (x PilotCertProviderType) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (PilotCertProviderType) Descriptor() protoreflect.EnumDescriptor { - return file_api_v1alpha1_istiocontrolplane_proto_enumTypes[2].Descriptor() -} - -func (PilotCertProviderType) Type() protoreflect.EnumType { - return &file_api_v1alpha1_istiocontrolplane_proto_enumTypes[2] -} - -func (x PilotCertProviderType) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use PilotCertProviderType.Descriptor instead. -func (PilotCertProviderType) EnumDescriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{2} -} - -type JWTPolicyType int32 - -const ( - JWTPolicyType_JWTPolicyType_UNSPECIFIED JWTPolicyType = 0 - JWTPolicyType_THIRD_PARTY_JWT JWTPolicyType = 1 - JWTPolicyType_FIRST_PARTY_JWT JWTPolicyType = 2 -) - -// Enum value maps for JWTPolicyType. -var ( - JWTPolicyType_name = map[int32]string{ - 0: "JWTPolicyType_UNSPECIFIED", - 1: "THIRD_PARTY_JWT", - 2: "FIRST_PARTY_JWT", - } - JWTPolicyType_value = map[string]int32{ - "JWTPolicyType_UNSPECIFIED": 0, - "THIRD_PARTY_JWT": 1, - "FIRST_PARTY_JWT": 2, - } -) - -func (x JWTPolicyType) Enum() *JWTPolicyType { - p := new(JWTPolicyType) - *p = x - return p -} - -func (x JWTPolicyType) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (JWTPolicyType) Descriptor() protoreflect.EnumDescriptor { - return file_api_v1alpha1_istiocontrolplane_proto_enumTypes[3].Descriptor() -} - -func (JWTPolicyType) Type() protoreflect.EnumType { - return &file_api_v1alpha1_istiocontrolplane_proto_enumTypes[3] -} - -func (x JWTPolicyType) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use JWTPolicyType.Descriptor instead. -func (JWTPolicyType) EnumDescriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{3} -} - -// IstioControlPlane defines an Istio control plane -// -// -// -// -type IstioControlPlaneSpec struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Contains the intended version for the Istio control plane. - // +kubebuilder:validation:Pattern=^1\. - Version string `protobuf:"bytes,1,opt,name=version,proto3" json:"version,omitempty"` - // Configure the mode for this control plane. - // Currently, two options are supported: "ACTIVE" and "PASSIVE". - // ACTIVE mode means that a full-fledged Istio control plane will be deployed and operated - // (usually called primary cluster in upstream Istio terminology). - // PASSIVE mode means that only a few resources will be installed for sidecar injection and cross-cluster - // communication, it is used for multi cluster setups (this is the remote cluster in upstream Istio terminology). - // +kubebuilder:validation:Enum=ACTIVE;PASSIVE - Mode ModeType `protobuf:"varint,2,opt,name=mode,proto3,enum=istio_operator.v2.api.v1alpha1.ModeType" json:"mode,omitempty"` - // Logging configurations. - Logging *LoggingConfiguration `protobuf:"bytes,3,opt,name=logging,proto3" json:"logging,omitempty"` - // Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - MountMtlsCerts *wrappers.BoolValue `protobuf:"bytes,4,opt,name=mountMtlsCerts,proto3" json:"mountMtlsCerts,omitempty"` - // Istiod configuration. - Istiod *IstiodConfiguration `protobuf:"bytes,5,opt,name=istiod,proto3" json:"istiod,omitempty"` - // Proxy configuration options. - Proxy *ProxyConfiguration `protobuf:"bytes,6,opt,name=proxy,proto3" json:"proxy,omitempty"` - // Proxy Init configuration options. - ProxyInit *ProxyInitConfiguration `protobuf:"bytes,7,opt,name=proxyInit,proto3" json:"proxyInit,omitempty"` - // Telemetry V2 configuration. - TelemetryV2 *TelemetryV2Configuration `protobuf:"bytes,8,opt,name=telemetryV2,proto3" json:"telemetryV2,omitempty"` - // If SDS is configured, mTLS certificates for the sidecars will be distributed through the - // SecretDiscoveryService instead of using K8S secrets to mount the certificates. - Sds *SDSConfiguration `protobuf:"bytes,9,opt,name=sds,proto3" json:"sds,omitempty"` - // ProxyWasm configuration options. - ProxyWasm *ProxyWasmConfiguration `protobuf:"bytes,10,opt,name=proxyWasm,proto3" json:"proxyWasm,omitempty"` - // Whether to restrict the applications namespace the controller manages. - // If not set, controller watches all namespaces - WatchOneNamespace *wrappers.BoolValue `protobuf:"bytes,11,opt,name=watchOneNamespace,proto3" json:"watchOneNamespace,omitempty"` - // Configure the policy for validating JWT. - // Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - // +kubebuilder:validation:Enum=THIRD_PARTY_JWT;FIRST_PARTY_JWT - JwtPolicy JWTPolicyType `protobuf:"varint,12,opt,name=jwtPolicy,proto3,enum=istio_operator.v2.api.v1alpha1.JWTPolicyType" json:"jwtPolicy,omitempty"` - // The customized CA address to retrieve certificates for the pods in the cluster. - // CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - CaAddress string `protobuf:"bytes,13,opt,name=caAddress,proto3" json:"caAddress,omitempty"` - // The name of the CA for workload certificates. - CaProvider string `protobuf:"bytes,14,opt,name=caProvider,proto3" json:"caProvider,omitempty"` - // Contains the intended distribution for the Istio control plane. - // The official distribution is used by default unless special preserved distribution value is set. - // The only preserved distribution is "cisco" as of now. - Distribution string `protobuf:"bytes,15,opt,name=distribution,proto3" json:"distribution,omitempty"` - // Upstream HTTP proxy properties to be injected as environment variables to the pod containers. - HttpProxyEnvs *HTTPProxyEnvsConfiguration `protobuf:"bytes,16,opt,name=httpProxyEnvs,proto3" json:"httpProxyEnvs,omitempty"` - // Defines mesh-wide settings for the Istio control plane. - MeshConfig *v1alpha1.MeshConfig `protobuf:"bytes,17,opt,name=meshConfig,proto3" json:"meshConfig,omitempty"` - // K8s resource overlay patches - K8SResourceOverlays []*K8SResourceOverlayPatch `protobuf:"bytes,18,rep,name=k8sResourceOverlays,proto3" json:"k8sResourceOverlays,omitempty"` - // Name of the Mesh to which this control plane belongs. - MeshID string `protobuf:"bytes,19,opt,name=meshID,proto3" json:"meshID,omitempty"` - // Global configuration for container images. - ContainerImageConfiguration *ContainerImageConfiguration `protobuf:"bytes,20,opt,name=containerImageConfiguration,proto3" json:"containerImageConfiguration,omitempty"` - // Mesh expansion configuration - MeshExpansion *MeshExpansionConfiguration `protobuf:"bytes,21,opt,name=meshExpansion,proto3" json:"meshExpansion,omitempty"` - // Cluster ID - ClusterID string `protobuf:"bytes,22,opt,name=clusterID,proto3" json:"clusterID,omitempty"` - // Network defines the network this cluster belongs to. This name - // corresponds to the networks in the map of mesh networks. - // +default=network1 - NetworkName string `protobuf:"bytes,23,opt,name=networkName,proto3" json:"networkName,omitempty"` - // Standalone sidecar injector configuration. - SidecarInjector *SidecarInjectorConfiguration `protobuf:"bytes,24,opt,name=sidecarInjector,proto3" json:"sidecarInjector,omitempty"` - // Tracing defines configuration for the tracing performed by Envoy instances. - Tracer *v1alpha1.Tracing `protobuf:"bytes,25,opt,name=tracer,proto3" json:"tracer,omitempty"` -} - -func (x *IstioControlPlaneSpec) Reset() { - *x = IstioControlPlaneSpec{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *IstioControlPlaneSpec) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*IstioControlPlaneSpec) ProtoMessage() {} - -func (x *IstioControlPlaneSpec) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use IstioControlPlaneSpec.ProtoReflect.Descriptor instead. -func (*IstioControlPlaneSpec) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{0} -} - -func (x *IstioControlPlaneSpec) GetVersion() string { - if x != nil { - return x.Version - } - return "" -} - -func (x *IstioControlPlaneSpec) GetMode() ModeType { - if x != nil { - return x.Mode - } - return ModeType_ModeType_UNSPECIFIED -} - -func (x *IstioControlPlaneSpec) GetLogging() *LoggingConfiguration { - if x != nil { - return x.Logging - } - return nil -} - -func (x *IstioControlPlaneSpec) GetMountMtlsCerts() *wrappers.BoolValue { - if x != nil { - return x.MountMtlsCerts - } - return nil -} - -func (x *IstioControlPlaneSpec) GetIstiod() *IstiodConfiguration { - if x != nil { - return x.Istiod - } - return nil -} - -func (x *IstioControlPlaneSpec) GetProxy() *ProxyConfiguration { - if x != nil { - return x.Proxy - } - return nil -} - -func (x *IstioControlPlaneSpec) GetProxyInit() *ProxyInitConfiguration { - if x != nil { - return x.ProxyInit - } - return nil -} - -func (x *IstioControlPlaneSpec) GetTelemetryV2() *TelemetryV2Configuration { - if x != nil { - return x.TelemetryV2 - } - return nil -} - -func (x *IstioControlPlaneSpec) GetSds() *SDSConfiguration { - if x != nil { - return x.Sds - } - return nil -} - -func (x *IstioControlPlaneSpec) GetProxyWasm() *ProxyWasmConfiguration { - if x != nil { - return x.ProxyWasm - } - return nil -} - -func (x *IstioControlPlaneSpec) GetWatchOneNamespace() *wrappers.BoolValue { - if x != nil { - return x.WatchOneNamespace - } - return nil -} - -func (x *IstioControlPlaneSpec) GetJwtPolicy() JWTPolicyType { - if x != nil { - return x.JwtPolicy - } - return JWTPolicyType_JWTPolicyType_UNSPECIFIED -} - -func (x *IstioControlPlaneSpec) GetCaAddress() string { - if x != nil { - return x.CaAddress - } - return "" -} - -func (x *IstioControlPlaneSpec) GetCaProvider() string { - if x != nil { - return x.CaProvider - } - return "" -} - -func (x *IstioControlPlaneSpec) GetDistribution() string { - if x != nil { - return x.Distribution - } - return "" -} - -func (x *IstioControlPlaneSpec) GetHttpProxyEnvs() *HTTPProxyEnvsConfiguration { - if x != nil { - return x.HttpProxyEnvs - } - return nil -} - -func (x *IstioControlPlaneSpec) GetMeshConfig() *v1alpha1.MeshConfig { - if x != nil { - return x.MeshConfig - } - return nil -} - -func (x *IstioControlPlaneSpec) GetK8SResourceOverlays() []*K8SResourceOverlayPatch { - if x != nil { - return x.K8SResourceOverlays - } - return nil -} - -func (x *IstioControlPlaneSpec) GetMeshID() string { - if x != nil { - return x.MeshID - } - return "" -} - -func (x *IstioControlPlaneSpec) GetContainerImageConfiguration() *ContainerImageConfiguration { - if x != nil { - return x.ContainerImageConfiguration - } - return nil -} - -func (x *IstioControlPlaneSpec) GetMeshExpansion() *MeshExpansionConfiguration { - if x != nil { - return x.MeshExpansion - } - return nil -} - -func (x *IstioControlPlaneSpec) GetClusterID() string { - if x != nil { - return x.ClusterID - } - return "" -} - -func (x *IstioControlPlaneSpec) GetNetworkName() string { - if x != nil { - return x.NetworkName - } - return "" -} - -func (x *IstioControlPlaneSpec) GetSidecarInjector() *SidecarInjectorConfiguration { - if x != nil { - return x.SidecarInjector - } - return nil -} - -func (x *IstioControlPlaneSpec) GetTracer() *v1alpha1.Tracing { - if x != nil { - return x.Tracer - } - return nil -} - -type SidecarInjectorConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Deployment spec - Deployment *BaseKubernetesResourceConfig `protobuf:"bytes,1,opt,name=deployment,proto3" json:"deployment,omitempty"` - // Service spec - Service *Service `protobuf:"bytes,2,opt,name=service,proto3" json:"service,omitempty"` - // Fields to introduce sidecar injection template customizations - Templates *SidecarInjectionTemplates `protobuf:"bytes,3,opt,name=templates,proto3" json:"templates,omitempty"` -} - -func (x *SidecarInjectorConfiguration) Reset() { - *x = SidecarInjectorConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SidecarInjectorConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SidecarInjectorConfiguration) ProtoMessage() {} - -func (x *SidecarInjectorConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[1] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SidecarInjectorConfiguration.ProtoReflect.Descriptor instead. -func (*SidecarInjectorConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{1} -} - -func (x *SidecarInjectorConfiguration) GetDeployment() *BaseKubernetesResourceConfig { - if x != nil { - return x.Deployment - } - return nil -} - -func (x *SidecarInjectorConfiguration) GetService() *Service { - if x != nil { - return x.Service - } - return nil -} - -func (x *SidecarInjectorConfiguration) GetTemplates() *SidecarInjectionTemplates { - if x != nil { - return x.Templates - } - return nil -} - -type SidecarInjectionTemplates struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Overrides for the default "sidecar" injection template. This template will be merged with the default "sidecar" template, overwriting values, if existing. - Sidecar string `protobuf:"bytes,1,opt,name=sidecar,proto3" json:"sidecar,omitempty"` - // Overrides for the default "gateway" injection template. This template will be merged with the default "gateway" template, overwriting values, if existing. - Gateway string `protobuf:"bytes,2,opt,name=gateway,proto3" json:"gateway,omitempty"` - // Custom templates can be defined for sidecar injection. These templates can be applied by annotating pods with "inject.istio.io/templates=". See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental. - CustomTemplates []*CustomSidecarInjectionTemplates `protobuf:"bytes,3,rep,name=customTemplates,proto3" json:"customTemplates,omitempty"` -} - -func (x *SidecarInjectionTemplates) Reset() { - *x = SidecarInjectionTemplates{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SidecarInjectionTemplates) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SidecarInjectionTemplates) ProtoMessage() {} - -func (x *SidecarInjectionTemplates) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[2] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SidecarInjectionTemplates.ProtoReflect.Descriptor instead. -func (*SidecarInjectionTemplates) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{2} -} - -func (x *SidecarInjectionTemplates) GetSidecar() string { - if x != nil { - return x.Sidecar - } - return "" -} - -func (x *SidecarInjectionTemplates) GetGateway() string { - if x != nil { - return x.Gateway - } - return "" -} - -func (x *SidecarInjectionTemplates) GetCustomTemplates() []*CustomSidecarInjectionTemplates { - if x != nil { - return x.CustomTemplates - } - return nil -} - -type CustomSidecarInjectionTemplates struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` - Template string `protobuf:"bytes,2,opt,name=template,proto3" json:"template,omitempty"` -} - -func (x *CustomSidecarInjectionTemplates) Reset() { - *x = CustomSidecarInjectionTemplates{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[3] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *CustomSidecarInjectionTemplates) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*CustomSidecarInjectionTemplates) ProtoMessage() {} - -func (x *CustomSidecarInjectionTemplates) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[3] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use CustomSidecarInjectionTemplates.ProtoReflect.Descriptor instead. -func (*CustomSidecarInjectionTemplates) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{3} -} - -func (x *CustomSidecarInjectionTemplates) GetName() string { - if x != nil { - return x.Name - } - return "" -} - -func (x *CustomSidecarInjectionTemplates) GetTemplate() string { - if x != nil { - return x.Template - } - return "" -} - -type MeshExpansionConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Enabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"` - Gateway *MeshExpansionConfiguration_IstioMeshGatewayConfiguration `protobuf:"bytes,2,opt,name=gateway,proto3" json:"gateway,omitempty"` - // istiod component configuration - Istiod *MeshExpansionConfiguration_Istiod `protobuf:"bytes,3,opt,name=istiod,proto3" json:"istiod,omitempty"` - // webhook component configuration - Webhook *MeshExpansionConfiguration_Webhook `protobuf:"bytes,4,opt,name=webhook,proto3" json:"webhook,omitempty"` - // cluster services configuration - ClusterServices *MeshExpansionConfiguration_ClusterServices `protobuf:"bytes,5,opt,name=clusterServices,proto3" json:"clusterServices,omitempty"` -} - -func (x *MeshExpansionConfiguration) Reset() { - *x = MeshExpansionConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[4] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *MeshExpansionConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*MeshExpansionConfiguration) ProtoMessage() {} - -func (x *MeshExpansionConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[4] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use MeshExpansionConfiguration.ProtoReflect.Descriptor instead. -func (*MeshExpansionConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{4} -} - -func (x *MeshExpansionConfiguration) GetEnabled() *wrappers.BoolValue { - if x != nil { - return x.Enabled - } - return nil -} - -func (x *MeshExpansionConfiguration) GetGateway() *MeshExpansionConfiguration_IstioMeshGatewayConfiguration { - if x != nil { - return x.Gateway - } - return nil -} - -func (x *MeshExpansionConfiguration) GetIstiod() *MeshExpansionConfiguration_Istiod { - if x != nil { - return x.Istiod - } - return nil -} - -func (x *MeshExpansionConfiguration) GetWebhook() *MeshExpansionConfiguration_Webhook { - if x != nil { - return x.Webhook - } - return nil -} - -func (x *MeshExpansionConfiguration) GetClusterServices() *MeshExpansionConfiguration_ClusterServices { - if x != nil { - return x.ClusterServices - } - return nil -} - -// Comma-separated minimum per-scope logging level of messages to output, in the form of :,: -// The control plane has different scopes depending on component, but can configure default log level across all components -// If empty, default scope and level will be used as configured in code -type LoggingConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // +kubebuilder:validation:Pattern=`^([a-zA-Z]+:[a-zA-Z]+,?)+$` - Level string `protobuf:"bytes,1,opt,name=level,proto3" json:"level,omitempty"` -} - -func (x *LoggingConfiguration) Reset() { - *x = LoggingConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[5] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *LoggingConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*LoggingConfiguration) ProtoMessage() {} - -func (x *LoggingConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[5] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use LoggingConfiguration.ProtoReflect.Descriptor instead. -func (*LoggingConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{5} -} - -func (x *LoggingConfiguration) GetLevel() string { - if x != nil { - return x.Level - } - return "" -} - -// SDSConfiguration defines Secret Discovery Service config options -type SDSConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - // When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the - // - // JWT is intended for the CA. - TokenAudience string `protobuf:"bytes,1,opt,name=tokenAudience,proto3" json:"tokenAudience,omitempty"` -} - -func (x *SDSConfiguration) Reset() { - *x = SDSConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[6] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SDSConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SDSConfiguration) ProtoMessage() {} - -func (x *SDSConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[6] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SDSConfiguration.ProtoReflect.Descriptor instead. -func (*SDSConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{6} -} - -func (x *SDSConfiguration) GetTokenAudience() string { - if x != nil { - return x.TokenAudience - } - return "" -} - -// ProxyConfiguration defines config options for Proxy -type ProxyConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Image string `protobuf:"bytes,1,opt,name=image,proto3" json:"image,omitempty"` - // If set to true, istio-proxy container will have privileged securityContext - Privileged *wrappers.BoolValue `protobuf:"bytes,2,opt,name=privileged,proto3" json:"privileged,omitempty"` - // If set, newly injected sidecars will have core dumps enabled. - EnableCoreDump *wrappers.BoolValue `protobuf:"bytes,3,opt,name=enableCoreDump,proto3" json:"enableCoreDump,omitempty"` - // Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used. - // Expected values are: trace|debug|info|warning|error|critical|off - // +kubebuilder:validation:Enum=TRACE;DEBUG;INFO;WARNING;ERROR;CRITICAL;OFF - LogLevel ProxyLogLevel `protobuf:"varint,4,opt,name=logLevel,proto3,enum=istio_operator.v2.api.v1alpha1.ProxyLogLevel" json:"logLevel,omitempty"` - // Per Component log level for proxy, applies to gateways and sidecars. If a component level is - // not set, then the "LogLevel" will be used. If left empty, "misc:error" is used. - ComponentLogLevel string `protobuf:"bytes,5,opt,name=componentLogLevel,proto3" json:"componentLogLevel,omitempty"` - // cluster domain. Default value is "cluster.local" - ClusterDomain string `protobuf:"bytes,6,opt,name=clusterDomain,proto3" json:"clusterDomain,omitempty"` - // Controls if sidecar is injected at the front of the container list and blocks - // the start of the other containers until the proxy is ready - // Default value is 'false'. - HoldApplicationUntilProxyStarts *wrappers.BoolValue `protobuf:"bytes,7,opt,name=holdApplicationUntilProxyStarts,proto3" json:"holdApplicationUntilProxyStarts,omitempty"` - Lifecycle *v1.Lifecycle `protobuf:"bytes,8,opt,name=lifecycle,proto3" json:"lifecycle,omitempty"` - Resources *ResourceRequirements `protobuf:"bytes,9,opt,name=resources,proto3" json:"resources,omitempty"` - // IncludeIPRanges the range where to capture egress traffic - IncludeIPRanges string `protobuf:"bytes,10,opt,name=includeIPRanges,proto3" json:"includeIPRanges,omitempty"` - // ExcludeIPRanges the range where not to capture egress traffic - ExcludeIPRanges string `protobuf:"bytes,11,opt,name=excludeIPRanges,proto3" json:"excludeIPRanges,omitempty"` - // ExcludeInboundPorts the comma separated list of inbound ports to be excluded from redirection to Envoy - ExcludeInboundPorts string `protobuf:"bytes,12,opt,name=excludeInboundPorts,proto3" json:"excludeInboundPorts,omitempty"` - // ExcludeOutboundPorts the comma separated list of outbound ports to be excluded from redirection to Envoy - ExcludeOutboundPorts string `protobuf:"bytes,13,opt,name=excludeOutboundPorts,proto3" json:"excludeOutboundPorts,omitempty"` - // Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver - Tracer *string `protobuf:"bytes,14,opt,name=tracer,proto3,oneof" json:"tracer,omitempty"` -} - -func (x *ProxyConfiguration) Reset() { - *x = ProxyConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[7] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ProxyConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ProxyConfiguration) ProtoMessage() {} - -func (x *ProxyConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[7] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ProxyConfiguration.ProtoReflect.Descriptor instead. -func (*ProxyConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{7} -} - -func (x *ProxyConfiguration) GetImage() string { - if x != nil { - return x.Image - } - return "" -} - -func (x *ProxyConfiguration) GetPrivileged() *wrappers.BoolValue { - if x != nil { - return x.Privileged - } - return nil -} - -func (x *ProxyConfiguration) GetEnableCoreDump() *wrappers.BoolValue { - if x != nil { - return x.EnableCoreDump - } - return nil -} - -func (x *ProxyConfiguration) GetLogLevel() ProxyLogLevel { - if x != nil { - return x.LogLevel - } - return ProxyLogLevel_ProxyLogLevel_UNSPECIFIED -} - -func (x *ProxyConfiguration) GetComponentLogLevel() string { - if x != nil { - return x.ComponentLogLevel - } - return "" -} - -func (x *ProxyConfiguration) GetClusterDomain() string { - if x != nil { - return x.ClusterDomain - } - return "" -} - -func (x *ProxyConfiguration) GetHoldApplicationUntilProxyStarts() *wrappers.BoolValue { - if x != nil { - return x.HoldApplicationUntilProxyStarts - } - return nil -} - -func (x *ProxyConfiguration) GetLifecycle() *v1.Lifecycle { - if x != nil { - return x.Lifecycle - } - return nil -} - -func (x *ProxyConfiguration) GetResources() *ResourceRequirements { - if x != nil { - return x.Resources - } - return nil -} - -func (x *ProxyConfiguration) GetIncludeIPRanges() string { - if x != nil { - return x.IncludeIPRanges - } - return "" -} - -func (x *ProxyConfiguration) GetExcludeIPRanges() string { - if x != nil { - return x.ExcludeIPRanges - } - return "" -} - -func (x *ProxyConfiguration) GetExcludeInboundPorts() string { - if x != nil { - return x.ExcludeInboundPorts - } - return "" -} - -func (x *ProxyConfiguration) GetExcludeOutboundPorts() string { - if x != nil { - return x.ExcludeOutboundPorts - } - return "" -} - -func (x *ProxyConfiguration) GetTracer() string { - if x != nil && x.Tracer != nil { - return *x.Tracer - } - return "" -} - -// ProxyInitConfiguration defines config options for Proxy Init containers -type ProxyInitConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Image string `protobuf:"bytes,1,opt,name=image,proto3" json:"image,omitempty"` - Resources *ResourceRequirements `protobuf:"bytes,2,opt,name=resources,proto3" json:"resources,omitempty"` - Cni *CNIConfiguration `protobuf:"bytes,3,opt,name=cni,proto3" json:"cni,omitempty"` -} - -func (x *ProxyInitConfiguration) Reset() { - *x = ProxyInitConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[8] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ProxyInitConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ProxyInitConfiguration) ProtoMessage() {} - -func (x *ProxyInitConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[8] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ProxyInitConfiguration.ProtoReflect.Descriptor instead. -func (*ProxyInitConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{8} -} - -func (x *ProxyInitConfiguration) GetImage() string { - if x != nil { - return x.Image - } - return "" -} - -func (x *ProxyInitConfiguration) GetResources() *ResourceRequirements { - if x != nil { - return x.Resources - } - return nil -} - -func (x *ProxyInitConfiguration) GetCni() *CNIConfiguration { - if x != nil { - return x.Cni - } - return nil -} - -type CNIConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Enabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"` - Chained *wrappers.BoolValue `protobuf:"bytes,2,opt,name=chained,proto3" json:"chained,omitempty"` - BinDir string `protobuf:"bytes,4,opt,name=binDir,proto3" json:"binDir,omitempty"` - ConfDir string `protobuf:"bytes,5,opt,name=confDir,proto3" json:"confDir,omitempty"` - ExcludeNamespaces []string `protobuf:"bytes,6,rep,name=excludeNamespaces,proto3" json:"excludeNamespaces,omitempty"` - IncludeNamespaces []string `protobuf:"bytes,7,rep,name=includeNamespaces,proto3" json:"includeNamespaces,omitempty"` - LogLevel string `protobuf:"bytes,8,opt,name=logLevel,proto3" json:"logLevel,omitempty"` - ConfFileName string `protobuf:"bytes,9,opt,name=confFileName,proto3" json:"confFileName,omitempty"` - PspClusterRoleName string `protobuf:"bytes,10,opt,name=pspClusterRoleName,proto3" json:"pspClusterRoleName,omitempty"` - Repair *CNIConfiguration_RepairConfiguration `protobuf:"bytes,11,opt,name=repair,proto3" json:"repair,omitempty"` - Taint *CNIConfiguration_TaintConfiguration `protobuf:"bytes,12,opt,name=taint,proto3" json:"taint,omitempty"` - ResourceQuotas *CNIConfiguration_ResourceQuotas `protobuf:"bytes,13,opt,name=resourceQuotas,proto3" json:"resourceQuotas,omitempty"` - Daemonset *BaseKubernetesResourceConfig `protobuf:"bytes,14,opt,name=daemonset,proto3" json:"daemonset,omitempty"` -} - -func (x *CNIConfiguration) Reset() { - *x = CNIConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[9] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *CNIConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*CNIConfiguration) ProtoMessage() {} - -func (x *CNIConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[9] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use CNIConfiguration.ProtoReflect.Descriptor instead. -func (*CNIConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{9} -} - -func (x *CNIConfiguration) GetEnabled() *wrappers.BoolValue { - if x != nil { - return x.Enabled - } - return nil -} - -func (x *CNIConfiguration) GetChained() *wrappers.BoolValue { - if x != nil { - return x.Chained - } - return nil -} - -func (x *CNIConfiguration) GetBinDir() string { - if x != nil { - return x.BinDir - } - return "" -} - -func (x *CNIConfiguration) GetConfDir() string { - if x != nil { - return x.ConfDir - } - return "" -} - -func (x *CNIConfiguration) GetExcludeNamespaces() []string { - if x != nil { - return x.ExcludeNamespaces - } - return nil -} - -func (x *CNIConfiguration) GetIncludeNamespaces() []string { - if x != nil { - return x.IncludeNamespaces - } - return nil -} - -func (x *CNIConfiguration) GetLogLevel() string { - if x != nil { - return x.LogLevel - } - return "" -} - -func (x *CNIConfiguration) GetConfFileName() string { - if x != nil { - return x.ConfFileName - } - return "" -} - -func (x *CNIConfiguration) GetPspClusterRoleName() string { - if x != nil { - return x.PspClusterRoleName - } - return "" -} - -func (x *CNIConfiguration) GetRepair() *CNIConfiguration_RepairConfiguration { - if x != nil { - return x.Repair - } - return nil -} - -func (x *CNIConfiguration) GetTaint() *CNIConfiguration_TaintConfiguration { - if x != nil { - return x.Taint - } - return nil -} - -func (x *CNIConfiguration) GetResourceQuotas() *CNIConfiguration_ResourceQuotas { - if x != nil { - return x.ResourceQuotas - } - return nil -} - -func (x *CNIConfiguration) GetDaemonset() *BaseKubernetesResourceConfig { - if x != nil { - return x.Daemonset - } - return nil -} - -// IstiodConfiguration defines config options for Istiod -type IstiodConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Deployment spec - Deployment *BaseKubernetesResourceConfig `protobuf:"bytes,1,opt,name=deployment,proto3" json:"deployment,omitempty"` - // If enabled, pilot will run Istio analyzers and write analysis errors to the Status field of any Istio Resources - EnableAnalysis *wrappers.BoolValue `protobuf:"bytes,2,opt,name=enableAnalysis,proto3" json:"enableAnalysis,omitempty"` - // If enabled, pilot will update the CRD Status field of all Istio resources with reconciliation status - EnableStatus *wrappers.BoolValue `protobuf:"bytes,3,opt,name=enableStatus,proto3" json:"enableStatus,omitempty"` - // Settings for local istiod to control remote clusters as well - ExternalIstiod *ExternalIstiodConfiguration `protobuf:"bytes,4,opt,name=externalIstiod,proto3" json:"externalIstiod,omitempty"` - TraceSampling *wrappers.FloatValue `protobuf:"bytes,5,opt,name=traceSampling,proto3" json:"traceSampling,omitempty"` - // If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported - EnableProtocolSniffingOutbound *wrappers.BoolValue `protobuf:"bytes,6,opt,name=enableProtocolSniffingOutbound,proto3" json:"enableProtocolSniffingOutbound,omitempty"` - // If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported - EnableProtocolSniffingInbound *wrappers.BoolValue `protobuf:"bytes,7,opt,name=enableProtocolSniffingInbound,proto3" json:"enableProtocolSniffingInbound,omitempty"` - // Configure the certificate provider for control plane communication. - // Currently, two providers are supported: "kubernetes" and "istiod". - // As some platforms may not have kubernetes signing APIs, - // Istiod is the default - // +kubebuilder:validation:Enum=KUBERNETES;ISTIOD - CertProvider PilotCertProviderType `protobuf:"varint,8,opt,name=certProvider,proto3,enum=istio_operator.v2.api.v1alpha1.PilotCertProviderType" json:"certProvider,omitempty"` - // SPIFFE configuration of Pilot - Spiffe *SPIFFEConfiguration `protobuf:"bytes,9,opt,name=spiffe,proto3" json:"spiffe,omitempty"` -} - -func (x *IstiodConfiguration) Reset() { - *x = IstiodConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[10] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *IstiodConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*IstiodConfiguration) ProtoMessage() {} - -func (x *IstiodConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[10] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use IstiodConfiguration.ProtoReflect.Descriptor instead. -func (*IstiodConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{10} -} - -func (x *IstiodConfiguration) GetDeployment() *BaseKubernetesResourceConfig { - if x != nil { - return x.Deployment - } - return nil -} - -func (x *IstiodConfiguration) GetEnableAnalysis() *wrappers.BoolValue { - if x != nil { - return x.EnableAnalysis - } - return nil -} - -func (x *IstiodConfiguration) GetEnableStatus() *wrappers.BoolValue { - if x != nil { - return x.EnableStatus - } - return nil -} - -func (x *IstiodConfiguration) GetExternalIstiod() *ExternalIstiodConfiguration { - if x != nil { - return x.ExternalIstiod - } - return nil -} - -func (x *IstiodConfiguration) GetTraceSampling() *wrappers.FloatValue { - if x != nil { - return x.TraceSampling - } - return nil -} - -func (x *IstiodConfiguration) GetEnableProtocolSniffingOutbound() *wrappers.BoolValue { - if x != nil { - return x.EnableProtocolSniffingOutbound - } - return nil -} - -func (x *IstiodConfiguration) GetEnableProtocolSniffingInbound() *wrappers.BoolValue { - if x != nil { - return x.EnableProtocolSniffingInbound - } - return nil -} - -func (x *IstiodConfiguration) GetCertProvider() PilotCertProviderType { - if x != nil { - return x.CertProvider - } - return PilotCertProviderType_PilotCertProviderType_UNSPECIFIED -} - -func (x *IstiodConfiguration) GetSpiffe() *SPIFFEConfiguration { - if x != nil { - return x.Spiffe - } - return nil -} - -// ExternalIstiodConfiguration defines settings for local istiod to control remote clusters as well -type ExternalIstiodConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Enabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"` -} - -func (x *ExternalIstiodConfiguration) Reset() { - *x = ExternalIstiodConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[11] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ExternalIstiodConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ExternalIstiodConfiguration) ProtoMessage() {} - -func (x *ExternalIstiodConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[11] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ExternalIstiodConfiguration.ProtoReflect.Descriptor instead. -func (*ExternalIstiodConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{11} -} - -func (x *ExternalIstiodConfiguration) GetEnabled() *wrappers.BoolValue { - if x != nil { - return x.Enabled - } - return nil -} - -// SPIFFEConfiguration is for SPIFFE configuration of Pilot -type SPIFFEConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - OperatorEndpoints *OperatorEndpointsConfiguration `protobuf:"bytes,1,opt,name=operatorEndpoints,proto3" json:"operatorEndpoints,omitempty"` -} - -func (x *SPIFFEConfiguration) Reset() { - *x = SPIFFEConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[12] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *SPIFFEConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*SPIFFEConfiguration) ProtoMessage() {} - -func (x *SPIFFEConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[12] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use SPIFFEConfiguration.ProtoReflect.Descriptor instead. -func (*SPIFFEConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{12} -} - -func (x *SPIFFEConfiguration) GetOperatorEndpoints() *OperatorEndpointsConfiguration { - if x != nil { - return x.OperatorEndpoints - } - return nil -} - -// OperatorEndpointsConfiguration defines config options for automatic SPIFFE endpoints -type OperatorEndpointsConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Enabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"` -} - -func (x *OperatorEndpointsConfiguration) Reset() { - *x = OperatorEndpointsConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[13] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *OperatorEndpointsConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*OperatorEndpointsConfiguration) ProtoMessage() {} - -func (x *OperatorEndpointsConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[13] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use OperatorEndpointsConfiguration.ProtoReflect.Descriptor instead. -func (*OperatorEndpointsConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{13} -} - -func (x *OperatorEndpointsConfiguration) GetEnabled() *wrappers.BoolValue { - if x != nil { - return x.Enabled - } - return nil -} - -type TelemetryV2Configuration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Enabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"` -} - -func (x *TelemetryV2Configuration) Reset() { - *x = TelemetryV2Configuration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[14] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *TelemetryV2Configuration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*TelemetryV2Configuration) ProtoMessage() {} - -func (x *TelemetryV2Configuration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[14] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use TelemetryV2Configuration.ProtoReflect.Descriptor instead. -func (*TelemetryV2Configuration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{14} -} - -func (x *TelemetryV2Configuration) GetEnabled() *wrappers.BoolValue { - if x != nil { - return x.Enabled - } - return nil -} - -// ProxyWasmConfiguration defines config options for Envoy wasm -type ProxyWasmConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Enabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"` -} - -func (x *ProxyWasmConfiguration) Reset() { - *x = ProxyWasmConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[15] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *ProxyWasmConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*ProxyWasmConfiguration) ProtoMessage() {} - -func (x *ProxyWasmConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[15] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use ProxyWasmConfiguration.ProtoReflect.Descriptor instead. -func (*ProxyWasmConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{15} -} - -func (x *ProxyWasmConfiguration) GetEnabled() *wrappers.BoolValue { - if x != nil { - return x.Enabled - } - return nil -} - -// PDBConfiguration holds Pod Disruption Budget related config options -type PDBConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Enabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"` -} - -func (x *PDBConfiguration) Reset() { - *x = PDBConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[16] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *PDBConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*PDBConfiguration) ProtoMessage() {} - -func (x *PDBConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[16] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use PDBConfiguration.ProtoReflect.Descriptor instead. -func (*PDBConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{16} -} - -func (x *PDBConfiguration) GetEnabled() *wrappers.BoolValue { - if x != nil { - return x.Enabled - } - return nil -} - -type HTTPProxyEnvsConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - HttpProxy string `protobuf:"bytes,1,opt,name=httpProxy,proto3" json:"httpProxy,omitempty"` - HttpsProxy string `protobuf:"bytes,2,opt,name=httpsProxy,proto3" json:"httpsProxy,omitempty"` - NoProxy string `protobuf:"bytes,3,opt,name=noProxy,proto3" json:"noProxy,omitempty"` -} - -func (x *HTTPProxyEnvsConfiguration) Reset() { - *x = HTTPProxyEnvsConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[17] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *HTTPProxyEnvsConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*HTTPProxyEnvsConfiguration) ProtoMessage() {} - -func (x *HTTPProxyEnvsConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[17] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use HTTPProxyEnvsConfiguration.ProtoReflect.Descriptor instead. -func (*HTTPProxyEnvsConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{17} -} - -func (x *HTTPProxyEnvsConfiguration) GetHttpProxy() string { - if x != nil { - return x.HttpProxy - } - return "" -} - -func (x *HTTPProxyEnvsConfiguration) GetHttpsProxy() string { - if x != nil { - return x.HttpsProxy - } - return "" -} - -func (x *HTTPProxyEnvsConfiguration) GetNoProxy() string { - if x != nil { - return x.NoProxy - } - return "" -} - -// -type IstioControlPlaneStatus struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Reconciliation status of the Istio control plane - Status ConfigState `protobuf:"varint,1,opt,name=status,proto3,enum=istio_operator.v2.api.v1alpha1.ConfigState" json:"status,omitempty"` - // Cluster ID - ClusterID string `protobuf:"bytes,2,opt,name=clusterID,proto3" json:"clusterID,omitempty"` - // Name of the IstioControlPlane resource - // It is used on remote clusters in the PeerIstioControlPlane resource status - // to identify the original Istio control plane - IstioControlPlaneName string `protobuf:"bytes,3,opt,name=istioControlPlaneName,proto3" json:"istioControlPlaneName,omitempty"` - // Current addresses for the corresponding gateways - GatewayAddress []string `protobuf:"bytes,4,rep,name=gatewayAddress,proto3" json:"gatewayAddress,omitempty"` - // Current addresses for the corresponding istiod pods - IstiodAddresses []string `protobuf:"bytes,5,rep,name=istiodAddresses,proto3" json:"istiodAddresses,omitempty"` - // Namespaces which are set for injection for this control plane - InjectionNamespaces []string `protobuf:"bytes,6,rep,name=injectionNamespaces,proto3" json:"injectionNamespaces,omitempty"` - // Istio CA root certificate - CaRootCertificate string `protobuf:"bytes,7,opt,name=caRootCertificate,proto3" json:"caRootCertificate,omitempty"` - // Reconciliation error message if any - ErrorMessage string `protobuf:"bytes,8,opt,name=errorMessage,proto3" json:"errorMessage,omitempty"` - MeshConfig *v1alpha1.MeshConfig `protobuf:"bytes,9,opt,name=meshConfig,proto3" json:"meshConfig,omitempty"` - Checksums *StatusChecksums `protobuf:"bytes,10,opt,name=checksums,proto3" json:"checksums,omitempty"` -} - -func (x *IstioControlPlaneStatus) Reset() { - *x = IstioControlPlaneStatus{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[18] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *IstioControlPlaneStatus) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*IstioControlPlaneStatus) ProtoMessage() {} - -func (x *IstioControlPlaneStatus) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[18] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use IstioControlPlaneStatus.ProtoReflect.Descriptor instead. -func (*IstioControlPlaneStatus) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{18} -} - -func (x *IstioControlPlaneStatus) GetStatus() ConfigState { - if x != nil { - return x.Status - } - return ConfigState_Unspecified -} - -func (x *IstioControlPlaneStatus) GetClusterID() string { - if x != nil { - return x.ClusterID - } - return "" -} - -func (x *IstioControlPlaneStatus) GetIstioControlPlaneName() string { - if x != nil { - return x.IstioControlPlaneName - } - return "" -} - -func (x *IstioControlPlaneStatus) GetGatewayAddress() []string { - if x != nil { - return x.GatewayAddress - } - return nil -} - -func (x *IstioControlPlaneStatus) GetIstiodAddresses() []string { - if x != nil { - return x.IstiodAddresses - } - return nil -} - -func (x *IstioControlPlaneStatus) GetInjectionNamespaces() []string { - if x != nil { - return x.InjectionNamespaces - } - return nil -} - -func (x *IstioControlPlaneStatus) GetCaRootCertificate() string { - if x != nil { - return x.CaRootCertificate - } - return "" -} - -func (x *IstioControlPlaneStatus) GetErrorMessage() string { - if x != nil { - return x.ErrorMessage - } - return "" -} - -func (x *IstioControlPlaneStatus) GetMeshConfig() *v1alpha1.MeshConfig { - if x != nil { - return x.MeshConfig - } - return nil -} - -func (x *IstioControlPlaneStatus) GetChecksums() *StatusChecksums { - if x != nil { - return x.Checksums - } - return nil -} - -// -type StatusChecksums struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - MeshConfig string `protobuf:"bytes,1,opt,name=meshConfig,proto3" json:"meshConfig,omitempty"` - SidecarInjector string `protobuf:"bytes,2,opt,name=sidecarInjector,proto3" json:"sidecarInjector,omitempty"` -} - -func (x *StatusChecksums) Reset() { - *x = StatusChecksums{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[19] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *StatusChecksums) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*StatusChecksums) ProtoMessage() {} - -func (x *StatusChecksums) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[19] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use StatusChecksums.ProtoReflect.Descriptor instead. -func (*StatusChecksums) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{19} -} - -func (x *StatusChecksums) GetMeshConfig() string { - if x != nil { - return x.MeshConfig - } - return "" -} - -func (x *StatusChecksums) GetSidecarInjector() string { - if x != nil { - return x.SidecarInjector - } - return "" -} - -type MeshExpansionConfiguration_Istiod struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Expose *wrappers.BoolValue `protobuf:"bytes,1,opt,name=expose,proto3" json:"expose,omitempty"` -} - -func (x *MeshExpansionConfiguration_Istiod) Reset() { - *x = MeshExpansionConfiguration_Istiod{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[20] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *MeshExpansionConfiguration_Istiod) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*MeshExpansionConfiguration_Istiod) ProtoMessage() {} - -func (x *MeshExpansionConfiguration_Istiod) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[20] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use MeshExpansionConfiguration_Istiod.ProtoReflect.Descriptor instead. -func (*MeshExpansionConfiguration_Istiod) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{4, 0} -} - -func (x *MeshExpansionConfiguration_Istiod) GetExpose() *wrappers.BoolValue { - if x != nil { - return x.Expose - } - return nil -} - -type MeshExpansionConfiguration_Webhook struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Expose *wrappers.BoolValue `protobuf:"bytes,1,opt,name=expose,proto3" json:"expose,omitempty"` -} - -func (x *MeshExpansionConfiguration_Webhook) Reset() { - *x = MeshExpansionConfiguration_Webhook{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[21] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *MeshExpansionConfiguration_Webhook) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*MeshExpansionConfiguration_Webhook) ProtoMessage() {} - -func (x *MeshExpansionConfiguration_Webhook) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[21] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use MeshExpansionConfiguration_Webhook.ProtoReflect.Descriptor instead. -func (*MeshExpansionConfiguration_Webhook) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{4, 1} -} - -func (x *MeshExpansionConfiguration_Webhook) GetExpose() *wrappers.BoolValue { - if x != nil { - return x.Expose - } - return nil -} - -type MeshExpansionConfiguration_ClusterServices struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Expose *wrappers.BoolValue `protobuf:"bytes,1,opt,name=expose,proto3" json:"expose,omitempty"` -} - -func (x *MeshExpansionConfiguration_ClusterServices) Reset() { - *x = MeshExpansionConfiguration_ClusterServices{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[22] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *MeshExpansionConfiguration_ClusterServices) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*MeshExpansionConfiguration_ClusterServices) ProtoMessage() {} - -func (x *MeshExpansionConfiguration_ClusterServices) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[22] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use MeshExpansionConfiguration_ClusterServices.ProtoReflect.Descriptor instead. -func (*MeshExpansionConfiguration_ClusterServices) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{4, 2} -} - -func (x *MeshExpansionConfiguration_ClusterServices) GetExpose() *wrappers.BoolValue { - if x != nil { - return x.Expose - } - return nil -} - -type MeshExpansionConfiguration_IstioMeshGatewayConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Istio Mesh gateway metadata - Metadata *K8SObjectMeta `protobuf:"bytes,1,opt,name=metadata,proto3" json:"metadata,omitempty"` - // Deployment spec - Deployment *BaseKubernetesResourceConfig `protobuf:"bytes,2,opt,name=deployment,proto3" json:"deployment,omitempty"` - // Service spec - Service *UnprotectedService `protobuf:"bytes,3,opt,name=service,proto3" json:"service,omitempty"` - // Whether to run the gateway in a privileged container - RunAsRoot *wrappers.BoolValue `protobuf:"bytes,4,opt,name=runAsRoot,proto3" json:"runAsRoot,omitempty"` - // K8s resource overlay patches - K8SResourceOverlays []*K8SResourceOverlayPatch `protobuf:"bytes,5,rep,name=k8sResourceOverlays,proto3" json:"k8sResourceOverlays,omitempty"` -} - -func (x *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) Reset() { - *x = MeshExpansionConfiguration_IstioMeshGatewayConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[23] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*MeshExpansionConfiguration_IstioMeshGatewayConfiguration) ProtoMessage() {} - -func (x *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[23] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use MeshExpansionConfiguration_IstioMeshGatewayConfiguration.ProtoReflect.Descriptor instead. -func (*MeshExpansionConfiguration_IstioMeshGatewayConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{4, 3} -} - -func (x *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) GetMetadata() *K8SObjectMeta { - if x != nil { - return x.Metadata - } - return nil -} - -func (x *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) GetDeployment() *BaseKubernetesResourceConfig { - if x != nil { - return x.Deployment - } - return nil -} - -func (x *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) GetService() *UnprotectedService { - if x != nil { - return x.Service - } - return nil -} - -func (x *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) GetRunAsRoot() *wrappers.BoolValue { - if x != nil { - return x.RunAsRoot - } - return nil -} - -func (x *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) GetK8SResourceOverlays() []*K8SResourceOverlayPatch { - if x != nil { - return x.K8SResourceOverlays - } - return nil -} - -type CNIConfiguration_RepairConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Enabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"` - LabelPods *wrappers.BoolValue `protobuf:"bytes,2,opt,name=labelPods,proto3" json:"labelPods,omitempty"` - DeletePods *wrappers.BoolValue `protobuf:"bytes,3,opt,name=deletePods,proto3" json:"deletePods,omitempty"` - InitContainerName string `protobuf:"bytes,4,opt,name=initContainerName,proto3" json:"initContainerName,omitempty"` - BrokenPodLabelKey string `protobuf:"bytes,5,opt,name=brokenPodLabelKey,proto3" json:"brokenPodLabelKey,omitempty"` - BrokenPodLabelValue string `protobuf:"bytes,6,opt,name=brokenPodLabelValue,proto3" json:"brokenPodLabelValue,omitempty"` -} - -func (x *CNIConfiguration_RepairConfiguration) Reset() { - *x = CNIConfiguration_RepairConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[24] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *CNIConfiguration_RepairConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*CNIConfiguration_RepairConfiguration) ProtoMessage() {} - -func (x *CNIConfiguration_RepairConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[24] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use CNIConfiguration_RepairConfiguration.ProtoReflect.Descriptor instead. -func (*CNIConfiguration_RepairConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{9, 0} -} - -func (x *CNIConfiguration_RepairConfiguration) GetEnabled() *wrappers.BoolValue { - if x != nil { - return x.Enabled - } - return nil -} - -func (x *CNIConfiguration_RepairConfiguration) GetLabelPods() *wrappers.BoolValue { - if x != nil { - return x.LabelPods - } - return nil -} - -func (x *CNIConfiguration_RepairConfiguration) GetDeletePods() *wrappers.BoolValue { - if x != nil { - return x.DeletePods - } - return nil -} - -func (x *CNIConfiguration_RepairConfiguration) GetInitContainerName() string { - if x != nil { - return x.InitContainerName - } - return "" -} - -func (x *CNIConfiguration_RepairConfiguration) GetBrokenPodLabelKey() string { - if x != nil { - return x.BrokenPodLabelKey - } - return "" -} - -func (x *CNIConfiguration_RepairConfiguration) GetBrokenPodLabelValue() string { - if x != nil { - return x.BrokenPodLabelValue - } - return "" -} - -type CNIConfiguration_TaintConfiguration struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Enabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"` - Container *BaseKubernetesContainerConfiguration `protobuf:"bytes,2,opt,name=container,proto3" json:"container,omitempty"` -} - -func (x *CNIConfiguration_TaintConfiguration) Reset() { - *x = CNIConfiguration_TaintConfiguration{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[25] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *CNIConfiguration_TaintConfiguration) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*CNIConfiguration_TaintConfiguration) ProtoMessage() {} - -func (x *CNIConfiguration_TaintConfiguration) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[25] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use CNIConfiguration_TaintConfiguration.ProtoReflect.Descriptor instead. -func (*CNIConfiguration_TaintConfiguration) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{9, 1} -} - -func (x *CNIConfiguration_TaintConfiguration) GetEnabled() *wrappers.BoolValue { - if x != nil { - return x.Enabled - } - return nil -} - -func (x *CNIConfiguration_TaintConfiguration) GetContainer() *BaseKubernetesContainerConfiguration { - if x != nil { - return x.Container - } - return nil -} - -type CNIConfiguration_ResourceQuotas struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Enabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"` - Pods string `protobuf:"bytes,2,opt,name=pods,proto3" json:"pods,omitempty"` - PriorityClasses []string `protobuf:"bytes,3,rep,name=priorityClasses,proto3" json:"priorityClasses,omitempty"` -} - -func (x *CNIConfiguration_ResourceQuotas) Reset() { - *x = CNIConfiguration_ResourceQuotas{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[26] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *CNIConfiguration_ResourceQuotas) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*CNIConfiguration_ResourceQuotas) ProtoMessage() {} - -func (x *CNIConfiguration_ResourceQuotas) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiocontrolplane_proto_msgTypes[26] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use CNIConfiguration_ResourceQuotas.ProtoReflect.Descriptor instead. -func (*CNIConfiguration_ResourceQuotas) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP(), []int{9, 2} -} - -func (x *CNIConfiguration_ResourceQuotas) GetEnabled() *wrappers.BoolValue { - if x != nil { - return x.Enabled - } - return nil -} - -func (x *CNIConfiguration_ResourceQuotas) GetPods() string { - if x != nil { - return x.Pods - } - return "" -} - -func (x *CNIConfiguration_ResourceQuotas) GetPriorityClasses() []string { - if x != nil { - return x.PriorityClasses - } - return nil -} - -var File_api_v1alpha1_istiocontrolplane_proto protoreflect.FileDescriptor - -var file_api_v1alpha1_istiocontrolplane_proto_rawDesc = []byte{ - 0x0a, 0x24, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x69, - 0x73, 0x74, 0x69, 0x6f, 0x63, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x70, 0x6c, 0x61, 0x6e, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, - 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, - 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x19, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x61, 0x6c, - 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x1a, 0x23, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, - 0x69, 0x73, 0x74, 0x69, 0x6f, 0x6d, 0x65, 0x73, 0x68, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x22, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2f, 0x61, - 0x70, 0x69, 0x2f, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x67, 0x65, 0x6e, 0x65, 0x72, - 0x61, 0x74, 0x65, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1a, 0x6d, 0x65, 0x73, 0x68, - 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x6d, 0x65, 0x73, 0x68, 0x2f, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, - 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x22, 0xd0, 0x0d, 0x0a, 0x15, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x43, 0x6f, 0x6e, 0x74, - 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x53, 0x70, 0x65, 0x63, 0x12, 0x1e, 0x0a, 0x07, - 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x04, 0xe2, - 0x41, 0x01, 0x02, 0x52, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x42, 0x0a, 0x04, - 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x28, 0x2e, 0x69, 0x73, 0x74, - 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, - 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x6f, 0x64, 0x65, - 0x54, 0x79, 0x70, 0x65, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, - 0x12, 0x4e, 0x0a, 0x07, 0x6c, 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x18, 0x03, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x34, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, - 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x31, 0x2e, 0x4c, 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, 0x6c, 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, - 0x12, 0x42, 0x0a, 0x0e, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x4d, 0x74, 0x6c, 0x73, 0x43, 0x65, 0x72, - 0x74, 0x73, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, 0x6d, 0x6f, 0x75, 0x6e, 0x74, 0x4d, 0x74, 0x6c, 0x73, 0x43, - 0x65, 0x72, 0x74, 0x73, 0x12, 0x4b, 0x0a, 0x06, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x64, 0x18, 0x05, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, - 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x64, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x69, 0x73, 0x74, 0x69, 0x6f, - 0x64, 0x12, 0x48, 0x0a, 0x05, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x32, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, - 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x05, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x12, 0x54, 0x0a, 0x09, 0x70, - 0x72, 0x6f, 0x78, 0x79, 0x49, 0x6e, 0x69, 0x74, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x36, - 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, - 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, - 0x50, 0x72, 0x6f, 0x78, 0x79, 0x49, 0x6e, 0x69, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, - 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x49, 0x6e, 0x69, - 0x74, 0x12, 0x5a, 0x0a, 0x0b, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x56, 0x32, - 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x38, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, - 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, - 0x79, 0x56, 0x32, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x52, 0x0b, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x56, 0x32, 0x12, 0x42, 0x0a, - 0x03, 0x73, 0x64, 0x73, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x69, 0x73, 0x74, - 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, - 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x44, 0x53, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x03, 0x73, 0x64, - 0x73, 0x12, 0x54, 0x0a, 0x09, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x57, 0x61, 0x73, 0x6d, 0x18, 0x0a, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x36, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, - 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x57, 0x61, 0x73, 0x6d, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x70, 0x72, - 0x6f, 0x78, 0x79, 0x57, 0x61, 0x73, 0x6d, 0x12, 0x48, 0x0a, 0x11, 0x77, 0x61, 0x74, 0x63, 0x68, - 0x4f, 0x6e, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x18, 0x0b, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x11, - 0x77, 0x61, 0x74, 0x63, 0x68, 0x4f, 0x6e, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, - 0x65, 0x12, 0x4b, 0x0a, 0x09, 0x6a, 0x77, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x0c, - 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, - 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4a, 0x57, 0x54, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x54, - 0x79, 0x70, 0x65, 0x52, 0x09, 0x6a, 0x77, 0x74, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x1c, - 0x0a, 0x09, 0x63, 0x61, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x0d, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x09, 0x63, 0x61, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, 0x1e, 0x0a, 0x0a, - 0x63, 0x61, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x0a, 0x63, 0x61, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x22, 0x0a, 0x0c, - 0x64, 0x69, 0x73, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x0f, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0c, 0x64, 0x69, 0x73, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e, - 0x12, 0x60, 0x0a, 0x0d, 0x68, 0x74, 0x74, 0x70, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x45, 0x6e, 0x76, - 0x73, 0x18, 0x10, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3a, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, - 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x48, 0x54, 0x54, 0x50, 0x50, 0x72, 0x6f, - 0x78, 0x79, 0x45, 0x6e, 0x76, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, - 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x68, 0x74, 0x74, 0x70, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x45, 0x6e, - 0x76, 0x73, 0x12, 0x3f, 0x0a, 0x0a, 0x6d, 0x65, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x18, 0x11, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6d, - 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x73, - 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x6d, 0x65, 0x73, 0x68, 0x43, 0x6f, 0x6e, - 0x66, 0x69, 0x67, 0x12, 0x69, 0x0a, 0x13, 0x6b, 0x38, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, 0x6c, 0x61, 0x79, 0x73, 0x18, 0x12, 0x20, 0x03, 0x28, 0x0b, - 0x32, 0x37, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, - 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x4b, 0x38, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, - 0x72, 0x6c, 0x61, 0x79, 0x50, 0x61, 0x74, 0x63, 0x68, 0x52, 0x13, 0x6b, 0x38, 0x73, 0x52, 0x65, - 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, 0x6c, 0x61, 0x79, 0x73, 0x12, 0x16, - 0x0a, 0x06, 0x6d, 0x65, 0x73, 0x68, 0x49, 0x44, 0x18, 0x13, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, - 0x6d, 0x65, 0x73, 0x68, 0x49, 0x44, 0x12, 0x7d, 0x0a, 0x1b, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, - 0x6e, 0x65, 0x72, 0x49, 0x6d, 0x61, 0x67, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x14, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3b, 0x2e, 0x69, 0x73, - 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, - 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x6f, 0x6e, - 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x49, 0x6d, 0x61, 0x67, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, - 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x1b, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, - 0x6e, 0x65, 0x72, 0x49, 0x6d, 0x61, 0x67, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x60, 0x0a, 0x0d, 0x6d, 0x65, 0x73, 0x68, 0x45, 0x78, 0x70, - 0x61, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x15, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3a, 0x2e, 0x69, - 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, - 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, - 0x73, 0x68, 0x45, 0x78, 0x70, 0x61, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, - 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0d, 0x6d, 0x65, 0x73, 0x68, 0x45, 0x78, - 0x70, 0x61, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, - 0x65, 0x72, 0x49, 0x44, 0x18, 0x16, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, - 0x74, 0x65, 0x72, 0x49, 0x44, 0x12, 0x20, 0x0a, 0x0b, 0x6e, 0x65, 0x74, 0x77, 0x6f, 0x72, 0x6b, - 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x17, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x6e, 0x65, 0x74, 0x77, - 0x6f, 0x72, 0x6b, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x66, 0x0a, 0x0f, 0x73, 0x69, 0x64, 0x65, 0x63, - 0x61, 0x72, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x18, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x3c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, - 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x53, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x6f, - 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0f, - 0x73, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, - 0x34, 0x0a, 0x06, 0x74, 0x72, 0x61, 0x63, 0x65, 0x72, 0x18, 0x19, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x1c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x52, 0x06, 0x74, - 0x72, 0x61, 0x63, 0x65, 0x72, 0x22, 0x98, 0x02, 0x0a, 0x1c, 0x53, 0x69, 0x64, 0x65, 0x63, 0x61, - 0x72, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, - 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x5c, 0x0a, 0x0a, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, - 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3c, 0x2e, 0x69, 0x73, 0x74, - 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, - 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x42, 0x61, 0x73, 0x65, - 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, - 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x41, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, - 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, - 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x52, 0x07, - 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x57, 0x0a, 0x09, 0x74, 0x65, 0x6d, 0x70, 0x6c, - 0x61, 0x74, 0x65, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x39, 0x2e, 0x69, 0x73, 0x74, - 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, - 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, 0x69, 0x64, 0x65, - 0x63, 0x61, 0x72, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x65, 0x6d, 0x70, - 0x6c, 0x61, 0x74, 0x65, 0x73, 0x52, 0x09, 0x74, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x74, 0x65, 0x73, - 0x22, 0xba, 0x01, 0x0a, 0x19, 0x53, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x49, 0x6e, 0x6a, 0x65, - 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x74, 0x65, 0x73, 0x12, 0x18, - 0x0a, 0x07, 0x73, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x07, 0x73, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x67, 0x61, 0x74, 0x65, - 0x77, 0x61, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x67, 0x61, 0x74, 0x65, 0x77, - 0x61, 0x79, 0x12, 0x69, 0x0a, 0x0f, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x54, 0x65, 0x6d, 0x70, - 0x6c, 0x61, 0x74, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x3f, 0x2e, 0x69, 0x73, - 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, - 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x75, 0x73, - 0x74, 0x6f, 0x6d, 0x53, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, - 0x69, 0x6f, 0x6e, 0x54, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x74, 0x65, 0x73, 0x52, 0x0f, 0x63, 0x75, - 0x73, 0x74, 0x6f, 0x6d, 0x54, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x74, 0x65, 0x73, 0x22, 0x51, 0x0a, - 0x1f, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x53, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x49, 0x6e, - 0x6a, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x54, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x74, 0x65, 0x73, - 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, - 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x1a, 0x0a, 0x08, 0x74, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x74, 0x65, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x74, 0x65, 0x6d, 0x70, 0x6c, 0x61, 0x74, 0x65, - 0x22, 0xf7, 0x08, 0x0a, 0x1a, 0x4d, 0x65, 0x73, 0x68, 0x45, 0x78, 0x70, 0x61, 0x6e, 0x73, 0x69, - 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, - 0x34, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, - 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x07, 0x65, 0x6e, - 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x72, 0x0a, 0x07, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x58, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, - 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x45, 0x78, 0x70, 0x61, - 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x2e, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, - 0x77, 0x61, 0x79, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, - 0x52, 0x07, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x12, 0x59, 0x0a, 0x06, 0x69, 0x73, 0x74, - 0x69, 0x6f, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x41, 0x2e, 0x69, 0x73, 0x74, 0x69, - 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, - 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x45, - 0x78, 0x70, 0x61, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x64, 0x52, 0x06, 0x69, 0x73, - 0x74, 0x69, 0x6f, 0x64, 0x12, 0x5c, 0x0a, 0x07, 0x77, 0x65, 0x62, 0x68, 0x6f, 0x6f, 0x6b, 0x18, - 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x42, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, - 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, - 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x45, 0x78, 0x70, 0x61, 0x6e, - 0x73, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x2e, 0x57, 0x65, 0x62, 0x68, 0x6f, 0x6f, 0x6b, 0x52, 0x07, 0x77, 0x65, 0x62, 0x68, 0x6f, - 0x6f, 0x6b, 0x12, 0x74, 0x0a, 0x0f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x53, 0x65, 0x72, - 0x76, 0x69, 0x63, 0x65, 0x73, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x4a, 0x2e, 0x69, 0x73, - 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, - 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x73, - 0x68, 0x45, 0x78, 0x70, 0x61, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x53, - 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x52, 0x0f, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, - 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x1a, 0x3c, 0x0a, 0x06, 0x49, 0x73, 0x74, 0x69, - 0x6f, 0x64, 0x12, 0x32, 0x0a, 0x06, 0x65, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, - 0x65, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x1a, 0x3d, 0x0a, 0x07, 0x57, 0x65, 0x62, 0x68, 0x6f, 0x6f, - 0x6b, 0x12, 0x32, 0x0a, 0x06, 0x65, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x65, - 0x78, 0x70, 0x6f, 0x73, 0x65, 0x1a, 0x45, 0x0a, 0x0f, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, - 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x73, 0x12, 0x32, 0x0a, 0x06, 0x65, 0x78, 0x70, 0x6f, - 0x73, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x52, 0x06, 0x65, 0x78, 0x70, 0x6f, 0x73, 0x65, 0x1a, 0xbb, 0x03, 0x0a, - 0x1d, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, - 0x79, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x49, - 0x0a, 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, - 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x4b, 0x38, 0x73, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x65, 0x74, 0x61, 0x52, - 0x08, 0x6d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0x12, 0x5c, 0x0a, 0x0a, 0x64, 0x65, 0x70, - 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3c, 0x2e, - 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, - 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x42, - 0x61, 0x73, 0x65, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, - 0x6f, 0x75, 0x72, 0x63, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x0a, 0x64, 0x65, 0x70, - 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x4c, 0x0a, 0x07, 0x73, 0x65, 0x72, 0x76, 0x69, - 0x63, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x32, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, - 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, - 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x55, 0x6e, 0x70, 0x72, 0x6f, 0x74, - 0x65, 0x63, 0x74, 0x65, 0x64, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x52, 0x07, 0x73, 0x65, - 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x38, 0x0a, 0x09, 0x72, 0x75, 0x6e, 0x41, 0x73, 0x52, 0x6f, - 0x6f, 0x74, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x52, 0x09, 0x72, 0x75, 0x6e, 0x41, 0x73, 0x52, 0x6f, 0x6f, 0x74, 0x12, - 0x69, 0x0a, 0x13, 0x6b, 0x38, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, - 0x65, 0x72, 0x6c, 0x61, 0x79, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x69, - 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, - 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4b, 0x38, - 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, 0x6c, 0x61, 0x79, - 0x50, 0x61, 0x74, 0x63, 0x68, 0x52, 0x13, 0x6b, 0x38, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, - 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, 0x6c, 0x61, 0x79, 0x73, 0x22, 0x2c, 0x0a, 0x14, 0x4c, 0x6f, - 0x67, 0x67, 0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x05, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x22, 0x38, 0x0a, 0x10, 0x53, 0x44, 0x53, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x24, 0x0a, 0x0d, - 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x0d, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x41, 0x75, 0x64, 0x69, 0x65, 0x6e, - 0x63, 0x65, 0x22, 0xa2, 0x06, 0x0a, 0x12, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x69, 0x6d, 0x61, - 0x67, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x12, - 0x3a, 0x0a, 0x0a, 0x70, 0x72, 0x69, 0x76, 0x69, 0x6c, 0x65, 0x67, 0x65, 0x64, 0x18, 0x02, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, - 0x0a, 0x70, 0x72, 0x69, 0x76, 0x69, 0x6c, 0x65, 0x67, 0x65, 0x64, 0x12, 0x42, 0x0a, 0x0e, 0x65, - 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x43, 0x6f, 0x72, 0x65, 0x44, 0x75, 0x6d, 0x70, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, - 0x0e, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x43, 0x6f, 0x72, 0x65, 0x44, 0x75, 0x6d, 0x70, 0x12, - 0x49, 0x0a, 0x08, 0x6c, 0x6f, 0x67, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x04, 0x20, 0x01, 0x28, - 0x0e, 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, - 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x31, 0x2e, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x4c, 0x6f, 0x67, 0x4c, 0x65, 0x76, 0x65, 0x6c, - 0x52, 0x08, 0x6c, 0x6f, 0x67, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x2c, 0x0a, 0x11, 0x63, 0x6f, - 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, 0x4c, 0x6f, 0x67, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x18, - 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x63, 0x6f, 0x6d, 0x70, 0x6f, 0x6e, 0x65, 0x6e, 0x74, - 0x4c, 0x6f, 0x67, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x24, 0x0a, 0x0d, 0x63, 0x6c, 0x75, 0x73, - 0x74, 0x65, 0x72, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x0d, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x64, - 0x0a, 0x1f, 0x68, 0x6f, 0x6c, 0x64, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x55, 0x6e, 0x74, 0x69, 0x6c, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x74, 0x61, 0x72, 0x74, - 0x73, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x52, 0x1f, 0x68, 0x6f, 0x6c, 0x64, 0x41, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, - 0x74, 0x69, 0x6f, 0x6e, 0x55, 0x6e, 0x74, 0x69, 0x6c, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x53, 0x74, - 0x61, 0x72, 0x74, 0x73, 0x12, 0x3b, 0x0a, 0x09, 0x6c, 0x69, 0x66, 0x65, 0x63, 0x79, 0x63, 0x6c, - 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1d, 0x2e, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, - 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x63, 0x6f, 0x72, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x4c, 0x69, 0x66, - 0x65, 0x63, 0x79, 0x63, 0x6c, 0x65, 0x52, 0x09, 0x6c, 0x69, 0x66, 0x65, 0x63, 0x79, 0x63, 0x6c, - 0x65, 0x12, 0x52, 0x0a, 0x09, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x09, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, - 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, - 0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, 0x73, 0x52, 0x09, 0x72, 0x65, 0x73, 0x6f, - 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x28, 0x0a, 0x0f, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, - 0x49, 0x50, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, - 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x49, 0x50, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x12, - 0x28, 0x0a, 0x0f, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x49, 0x50, 0x52, 0x61, 0x6e, 0x67, - 0x65, 0x73, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, - 0x65, 0x49, 0x50, 0x52, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x12, 0x30, 0x0a, 0x13, 0x65, 0x78, 0x63, - 0x6c, 0x75, 0x64, 0x65, 0x49, 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x50, 0x6f, 0x72, 0x74, 0x73, - 0x18, 0x0c, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x49, - 0x6e, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x50, 0x6f, 0x72, 0x74, 0x73, 0x12, 0x32, 0x0a, 0x14, 0x65, - 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x50, 0x6f, - 0x72, 0x74, 0x73, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x09, 0x52, 0x14, 0x65, 0x78, 0x63, 0x6c, 0x75, - 0x64, 0x65, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x50, 0x6f, 0x72, 0x74, 0x73, 0x12, - 0x1b, 0x0a, 0x06, 0x74, 0x72, 0x61, 0x63, 0x65, 0x72, 0x18, 0x0e, 0x20, 0x01, 0x28, 0x09, 0x48, - 0x00, 0x52, 0x06, 0x74, 0x72, 0x61, 0x63, 0x65, 0x72, 0x88, 0x01, 0x01, 0x42, 0x09, 0x0a, 0x07, - 0x5f, 0x74, 0x72, 0x61, 0x63, 0x65, 0x72, 0x22, 0xc6, 0x01, 0x0a, 0x16, 0x50, 0x72, 0x6f, 0x78, - 0x79, 0x49, 0x6e, 0x69, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x12, 0x14, 0x0a, 0x05, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x05, 0x69, 0x6d, 0x61, 0x67, 0x65, 0x12, 0x52, 0x0a, 0x09, 0x72, 0x65, 0x73, 0x6f, - 0x75, 0x72, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x34, 0x2e, 0x69, 0x73, - 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, - 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x52, 0x65, 0x73, - 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x65, 0x71, 0x75, 0x69, 0x72, 0x65, 0x6d, 0x65, 0x6e, 0x74, - 0x73, 0x52, 0x09, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x73, 0x12, 0x42, 0x0a, 0x03, - 0x63, 0x6e, 0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x69, 0x73, 0x74, 0x69, - 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, - 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x4e, 0x49, 0x43, 0x6f, - 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x03, 0x63, 0x6e, 0x69, - 0x22, 0x84, 0x0b, 0x0a, 0x10, 0x43, 0x4e, 0x49, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x34, 0x0a, 0x07, 0x63, - 0x68, 0x61, 0x69, 0x6e, 0x65, 0x64, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, - 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, - 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x07, 0x63, 0x68, 0x61, 0x69, 0x6e, 0x65, - 0x64, 0x12, 0x16, 0x0a, 0x06, 0x62, 0x69, 0x6e, 0x44, 0x69, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x06, 0x62, 0x69, 0x6e, 0x44, 0x69, 0x72, 0x12, 0x18, 0x0a, 0x07, 0x63, 0x6f, 0x6e, - 0x66, 0x44, 0x69, 0x72, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x63, 0x6f, 0x6e, 0x66, - 0x44, 0x69, 0x72, 0x12, 0x2c, 0x0a, 0x11, 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x4e, 0x61, - 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x11, - 0x65, 0x78, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, - 0x73, 0x12, 0x2c, 0x0a, 0x11, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x4e, 0x61, 0x6d, 0x65, - 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x11, 0x69, 0x6e, - 0x63, 0x6c, 0x75, 0x64, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, 0x12, - 0x1a, 0x0a, 0x08, 0x6c, 0x6f, 0x67, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x08, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x08, 0x6c, 0x6f, 0x67, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x22, 0x0a, 0x0c, 0x63, - 0x6f, 0x6e, 0x66, 0x46, 0x69, 0x6c, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x0c, 0x63, 0x6f, 0x6e, 0x66, 0x46, 0x69, 0x6c, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, - 0x2e, 0x0a, 0x12, 0x70, 0x73, 0x70, 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f, 0x6c, - 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x12, 0x70, 0x73, 0x70, - 0x43, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x52, 0x6f, 0x6c, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, - 0x5c, 0x0a, 0x06, 0x72, 0x65, 0x70, 0x61, 0x69, 0x72, 0x18, 0x0b, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x44, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, - 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, - 0x2e, 0x43, 0x4e, 0x49, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x2e, 0x52, 0x65, 0x70, 0x61, 0x69, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x72, 0x65, 0x70, 0x61, 0x69, 0x72, 0x12, 0x59, 0x0a, - 0x05, 0x74, 0x61, 0x69, 0x6e, 0x74, 0x18, 0x0c, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x43, 0x2e, 0x69, - 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, - 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x4e, - 0x49, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x54, - 0x61, 0x69, 0x6e, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, - 0x6e, 0x52, 0x05, 0x74, 0x61, 0x69, 0x6e, 0x74, 0x12, 0x67, 0x0a, 0x0e, 0x72, 0x65, 0x73, 0x6f, - 0x75, 0x72, 0x63, 0x65, 0x51, 0x75, 0x6f, 0x74, 0x61, 0x73, 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x3f, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, - 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x43, 0x4e, 0x49, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, - 0x6f, 0x6e, 0x2e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x51, 0x75, 0x6f, 0x74, 0x61, - 0x73, 0x52, 0x0e, 0x72, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x51, 0x75, 0x6f, 0x74, 0x61, - 0x73, 0x12, 0x5a, 0x0a, 0x09, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x73, 0x65, 0x74, 0x18, 0x0e, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, - 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, - 0x65, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x52, 0x09, 0x64, 0x61, 0x65, 0x6d, 0x6f, 0x6e, 0x73, 0x65, 0x74, 0x1a, 0xcf, 0x02, - 0x0a, 0x13, 0x52, 0x65, 0x70, 0x61, 0x69, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, - 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x38, 0x0a, 0x09, 0x6c, - 0x61, 0x62, 0x65, 0x6c, 0x50, 0x6f, 0x64, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, - 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, - 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x09, 0x6c, 0x61, 0x62, 0x65, - 0x6c, 0x50, 0x6f, 0x64, 0x73, 0x12, 0x3a, 0x0a, 0x0a, 0x64, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x50, - 0x6f, 0x64, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, - 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0a, 0x64, 0x65, 0x6c, 0x65, 0x74, 0x65, 0x50, 0x6f, 0x64, - 0x73, 0x12, 0x2c, 0x0a, 0x11, 0x69, 0x6e, 0x69, 0x74, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, - 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x69, 0x6e, - 0x69, 0x74, 0x43, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, - 0x2c, 0x0a, 0x11, 0x62, 0x72, 0x6f, 0x6b, 0x65, 0x6e, 0x50, 0x6f, 0x64, 0x4c, 0x61, 0x62, 0x65, - 0x6c, 0x4b, 0x65, 0x79, 0x18, 0x05, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x62, 0x72, 0x6f, 0x6b, - 0x65, 0x6e, 0x50, 0x6f, 0x64, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x4b, 0x65, 0x79, 0x12, 0x30, 0x0a, - 0x13, 0x62, 0x72, 0x6f, 0x6b, 0x65, 0x6e, 0x50, 0x6f, 0x64, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x18, 0x06, 0x20, 0x01, 0x28, 0x09, 0x52, 0x13, 0x62, 0x72, 0x6f, 0x6b, - 0x65, 0x6e, 0x50, 0x6f, 0x64, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x1a, - 0xae, 0x01, 0x0a, 0x12, 0x54, 0x61, 0x69, 0x6e, 0x74, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, - 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, - 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x62, 0x0a, 0x09, - 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x44, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, - 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, - 0x2e, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x65, 0x73, 0x43, - 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x63, 0x6f, 0x6e, 0x74, 0x61, 0x69, 0x6e, 0x65, 0x72, - 0x1a, 0x84, 0x01, 0x0a, 0x0e, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x51, 0x75, 0x6f, - 0x74, 0x61, 0x73, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x12, 0x12, 0x0a, 0x04, 0x70, 0x6f, 0x64, - 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x70, 0x6f, 0x64, 0x73, 0x12, 0x28, 0x0a, - 0x0f, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x43, 0x6c, 0x61, 0x73, 0x73, 0x65, 0x73, - 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x70, 0x72, 0x69, 0x6f, 0x72, 0x69, 0x74, 0x79, - 0x43, 0x6c, 0x61, 0x73, 0x73, 0x65, 0x73, 0x22, 0x93, 0x06, 0x0a, 0x13, 0x49, 0x73, 0x74, 0x69, - 0x6f, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, - 0x5c, 0x0a, 0x0a, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x3c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, - 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, - 0x70, 0x68, 0x61, 0x31, 0x2e, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, - 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, - 0x67, 0x52, 0x0a, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x42, 0x0a, - 0x0e, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, 0x73, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x52, 0x0e, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x73, 0x69, - 0x73, 0x12, 0x3e, 0x0a, 0x0c, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, - 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x52, 0x0c, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, - 0x73, 0x12, 0x63, 0x0a, 0x0e, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x49, 0x73, 0x74, - 0x69, 0x6f, 0x64, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3b, 0x2e, 0x69, 0x73, 0x74, 0x69, - 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, - 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x78, 0x74, 0x65, 0x72, - 0x6e, 0x61, 0x6c, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x64, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, - 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0e, 0x65, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, - 0x49, 0x73, 0x74, 0x69, 0x6f, 0x64, 0x12, 0x47, 0x0a, 0x0d, 0x74, 0x72, 0x61, 0x63, 0x65, 0x53, - 0x61, 0x6d, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x18, 0x05, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x46, 0x6c, 0x6f, 0x61, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x03, - 0x52, 0x0d, 0x74, 0x72, 0x61, 0x63, 0x65, 0x53, 0x61, 0x6d, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x12, - 0x62, 0x0a, 0x1e, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x63, 0x6f, - 0x6c, 0x53, 0x6e, 0x69, 0x66, 0x66, 0x69, 0x6e, 0x67, 0x4f, 0x75, 0x74, 0x62, 0x6f, 0x75, 0x6e, - 0x64, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x52, 0x1e, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x50, 0x72, 0x6f, 0x74, 0x6f, - 0x63, 0x6f, 0x6c, 0x53, 0x6e, 0x69, 0x66, 0x66, 0x69, 0x6e, 0x67, 0x4f, 0x75, 0x74, 0x62, 0x6f, - 0x75, 0x6e, 0x64, 0x12, 0x60, 0x0a, 0x1d, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x50, 0x72, 0x6f, - 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x53, 0x6e, 0x69, 0x66, 0x66, 0x69, 0x6e, 0x67, 0x49, 0x6e, 0x62, - 0x6f, 0x75, 0x6e, 0x64, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, - 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x1d, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x50, 0x72, - 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x53, 0x6e, 0x69, 0x66, 0x66, 0x69, 0x6e, 0x67, 0x49, 0x6e, - 0x62, 0x6f, 0x75, 0x6e, 0x64, 0x12, 0x59, 0x0a, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x50, 0x72, 0x6f, - 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x35, 0x2e, 0x69, 0x73, - 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, - 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x69, 0x6c, - 0x6f, 0x74, 0x43, 0x65, 0x72, 0x74, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x54, 0x79, - 0x70, 0x65, 0x52, 0x0c, 0x63, 0x65, 0x72, 0x74, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, - 0x12, 0x4b, 0x0a, 0x06, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x33, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, - 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x73, 0x70, 0x69, 0x66, 0x66, 0x65, 0x22, 0x53, 0x0a, - 0x1b, 0x45, 0x78, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x64, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x07, - 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, - 0x65, 0x64, 0x22, 0x83, 0x01, 0x0a, 0x13, 0x53, 0x50, 0x49, 0x46, 0x46, 0x45, 0x43, 0x6f, 0x6e, - 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x6c, 0x0a, 0x11, 0x6f, 0x70, - 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x18, - 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3e, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, - 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, - 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, - 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, - 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x11, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, - 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x22, 0x56, 0x0a, 0x1e, 0x4f, 0x70, 0x65, 0x72, - 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x73, 0x43, 0x6f, 0x6e, - 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x6e, - 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, - 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, - 0x22, 0x50, 0x0a, 0x18, 0x54, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x56, 0x32, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x07, - 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, - 0x65, 0x64, 0x22, 0x4e, 0x0a, 0x16, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x57, 0x61, 0x73, 0x6d, 0x43, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x07, - 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, - 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, - 0x65, 0x64, 0x22, 0x48, 0x0a, 0x10, 0x50, 0x44, 0x42, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x75, - 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x34, 0x0a, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, - 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x52, 0x07, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x64, 0x22, 0x74, 0x0a, 0x1a, - 0x48, 0x54, 0x54, 0x50, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x45, 0x6e, 0x76, 0x73, 0x43, 0x6f, 0x6e, - 0x66, 0x69, 0x67, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x1c, 0x0a, 0x09, 0x68, 0x74, - 0x74, 0x70, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x68, - 0x74, 0x74, 0x70, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x12, 0x1e, 0x0a, 0x0a, 0x68, 0x74, 0x74, 0x70, - 0x73, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x68, 0x74, - 0x74, 0x70, 0x73, 0x50, 0x72, 0x6f, 0x78, 0x79, 0x12, 0x18, 0x0a, 0x07, 0x6e, 0x6f, 0x50, 0x72, - 0x6f, 0x78, 0x79, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6e, 0x6f, 0x50, 0x72, 0x6f, - 0x78, 0x79, 0x22, 0x98, 0x04, 0x0a, 0x17, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x43, 0x6f, 0x6e, 0x74, - 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x43, - 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2b, - 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, - 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, - 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, 0x06, 0x73, 0x74, 0x61, - 0x74, 0x75, 0x73, 0x12, 0x1c, 0x0a, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, 0x44, - 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x63, 0x6c, 0x75, 0x73, 0x74, 0x65, 0x72, 0x49, - 0x44, 0x12, 0x34, 0x0a, 0x15, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, - 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, - 0x52, 0x15, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x43, 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, - 0x61, 0x6e, 0x65, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x26, 0x0a, 0x0e, 0x67, 0x61, 0x74, 0x65, 0x77, - 0x61, 0x79, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, - 0x0e, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, - 0x28, 0x0a, 0x0f, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x64, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, - 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0f, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x64, - 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x65, 0x73, 0x12, 0x30, 0x0a, 0x13, 0x69, 0x6e, 0x6a, - 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, - 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x13, 0x69, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x69, 0x6f, - 0x6e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, 0x12, 0x2c, 0x0a, 0x11, 0x63, - 0x61, 0x52, 0x6f, 0x6f, 0x74, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, - 0x18, 0x07, 0x20, 0x01, 0x28, 0x09, 0x52, 0x11, 0x63, 0x61, 0x52, 0x6f, 0x6f, 0x74, 0x43, 0x65, - 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x12, 0x22, 0x0a, 0x0c, 0x65, 0x72, 0x72, - 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x0c, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x12, 0x3f, 0x0a, - 0x0a, 0x6d, 0x65, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x09, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x1f, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, - 0x69, 0x67, 0x52, 0x0a, 0x6d, 0x65, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x4d, - 0x0a, 0x09, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x2f, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, - 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x31, 0x2e, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, - 0x6d, 0x73, 0x52, 0x09, 0x63, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x73, 0x22, 0x5b, 0x0a, - 0x0f, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x75, 0x6d, 0x73, - 0x12, 0x1e, 0x0a, 0x0a, 0x6d, 0x65, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x6d, 0x65, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x12, 0x28, 0x0a, 0x0f, 0x73, 0x69, 0x64, 0x65, 0x63, 0x61, 0x72, 0x49, 0x6e, 0x6a, 0x65, 0x63, - 0x74, 0x6f, 0x72, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0f, 0x73, 0x69, 0x64, 0x65, 0x63, - 0x61, 0x72, 0x49, 0x6e, 0x6a, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x2a, 0x3d, 0x0a, 0x08, 0x4d, 0x6f, - 0x64, 0x65, 0x54, 0x79, 0x70, 0x65, 0x12, 0x18, 0x0a, 0x14, 0x4d, 0x6f, 0x64, 0x65, 0x54, 0x79, - 0x70, 0x65, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, - 0x12, 0x0a, 0x0a, 0x06, 0x41, 0x43, 0x54, 0x49, 0x56, 0x45, 0x10, 0x01, 0x12, 0x0b, 0x0a, 0x07, - 0x50, 0x41, 0x53, 0x53, 0x49, 0x56, 0x45, 0x10, 0x02, 0x2a, 0x7d, 0x0a, 0x0d, 0x50, 0x72, 0x6f, - 0x78, 0x79, 0x4c, 0x6f, 0x67, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x12, 0x1d, 0x0a, 0x19, 0x50, 0x72, - 0x6f, 0x78, 0x79, 0x4c, 0x6f, 0x67, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x5f, 0x55, 0x4e, 0x53, 0x50, - 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x54, 0x52, 0x41, - 0x43, 0x45, 0x10, 0x01, 0x12, 0x09, 0x0a, 0x05, 0x44, 0x45, 0x42, 0x55, 0x47, 0x10, 0x02, 0x12, - 0x08, 0x0a, 0x04, 0x49, 0x4e, 0x46, 0x4f, 0x10, 0x03, 0x12, 0x0b, 0x0a, 0x07, 0x57, 0x41, 0x52, - 0x4e, 0x49, 0x4e, 0x47, 0x10, 0x04, 0x12, 0x09, 0x0a, 0x05, 0x45, 0x52, 0x52, 0x4f, 0x52, 0x10, - 0x05, 0x12, 0x0c, 0x0a, 0x08, 0x43, 0x52, 0x49, 0x54, 0x49, 0x43, 0x41, 0x4c, 0x10, 0x06, 0x12, - 0x07, 0x0a, 0x03, 0x4f, 0x46, 0x46, 0x10, 0x07, 0x2a, 0x5a, 0x0a, 0x15, 0x50, 0x69, 0x6c, 0x6f, - 0x74, 0x43, 0x65, 0x72, 0x74, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x54, 0x79, 0x70, - 0x65, 0x12, 0x25, 0x0a, 0x21, 0x50, 0x69, 0x6c, 0x6f, 0x74, 0x43, 0x65, 0x72, 0x74, 0x50, 0x72, - 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x54, 0x79, 0x70, 0x65, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, - 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0e, 0x0a, 0x0a, 0x4b, 0x55, 0x42, 0x45, - 0x52, 0x4e, 0x45, 0x54, 0x45, 0x53, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x49, 0x53, 0x54, 0x49, - 0x4f, 0x44, 0x10, 0x02, 0x2a, 0x58, 0x0a, 0x0d, 0x4a, 0x57, 0x54, 0x50, 0x6f, 0x6c, 0x69, 0x63, - 0x79, 0x54, 0x79, 0x70, 0x65, 0x12, 0x1d, 0x0a, 0x19, 0x4a, 0x57, 0x54, 0x50, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x54, 0x79, 0x70, 0x65, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, - 0x45, 0x44, 0x10, 0x00, 0x12, 0x13, 0x0a, 0x0f, 0x54, 0x48, 0x49, 0x52, 0x44, 0x5f, 0x50, 0x41, - 0x52, 0x54, 0x59, 0x5f, 0x4a, 0x57, 0x54, 0x10, 0x01, 0x12, 0x13, 0x0a, 0x0f, 0x46, 0x49, 0x52, - 0x53, 0x54, 0x5f, 0x50, 0x41, 0x52, 0x54, 0x59, 0x5f, 0x4a, 0x57, 0x54, 0x10, 0x02, 0x42, 0x37, - 0x5a, 0x35, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x62, 0x61, 0x6e, - 0x7a, 0x61, 0x69, 0x63, 0x6c, 0x6f, 0x75, 0x64, 0x2f, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2d, 0x6f, - 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} - -var ( - file_api_v1alpha1_istiocontrolplane_proto_rawDescOnce sync.Once - file_api_v1alpha1_istiocontrolplane_proto_rawDescData = file_api_v1alpha1_istiocontrolplane_proto_rawDesc -) - -func file_api_v1alpha1_istiocontrolplane_proto_rawDescGZIP() []byte { - file_api_v1alpha1_istiocontrolplane_proto_rawDescOnce.Do(func() { - file_api_v1alpha1_istiocontrolplane_proto_rawDescData = protoimpl.X.CompressGZIP(file_api_v1alpha1_istiocontrolplane_proto_rawDescData) - }) - return file_api_v1alpha1_istiocontrolplane_proto_rawDescData -} - -var file_api_v1alpha1_istiocontrolplane_proto_enumTypes = make([]protoimpl.EnumInfo, 4) -var file_api_v1alpha1_istiocontrolplane_proto_msgTypes = make([]protoimpl.MessageInfo, 27) -var file_api_v1alpha1_istiocontrolplane_proto_goTypes = []interface{}{ - (ModeType)(0), // 0: istio_operator.v2.api.v1alpha1.ModeType - (ProxyLogLevel)(0), // 1: istio_operator.v2.api.v1alpha1.ProxyLogLevel - (PilotCertProviderType)(0), // 2: istio_operator.v2.api.v1alpha1.PilotCertProviderType - (JWTPolicyType)(0), // 3: istio_operator.v2.api.v1alpha1.JWTPolicyType - (*IstioControlPlaneSpec)(nil), // 4: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec - (*SidecarInjectorConfiguration)(nil), // 5: istio_operator.v2.api.v1alpha1.SidecarInjectorConfiguration - (*SidecarInjectionTemplates)(nil), // 6: istio_operator.v2.api.v1alpha1.SidecarInjectionTemplates - (*CustomSidecarInjectionTemplates)(nil), // 7: istio_operator.v2.api.v1alpha1.CustomSidecarInjectionTemplates - (*MeshExpansionConfiguration)(nil), // 8: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration - (*LoggingConfiguration)(nil), // 9: istio_operator.v2.api.v1alpha1.LoggingConfiguration - (*SDSConfiguration)(nil), // 10: istio_operator.v2.api.v1alpha1.SDSConfiguration - (*ProxyConfiguration)(nil), // 11: istio_operator.v2.api.v1alpha1.ProxyConfiguration - (*ProxyInitConfiguration)(nil), // 12: istio_operator.v2.api.v1alpha1.ProxyInitConfiguration - (*CNIConfiguration)(nil), // 13: istio_operator.v2.api.v1alpha1.CNIConfiguration - (*IstiodConfiguration)(nil), // 14: istio_operator.v2.api.v1alpha1.IstiodConfiguration - (*ExternalIstiodConfiguration)(nil), // 15: istio_operator.v2.api.v1alpha1.ExternalIstiodConfiguration - (*SPIFFEConfiguration)(nil), // 16: istio_operator.v2.api.v1alpha1.SPIFFEConfiguration - (*OperatorEndpointsConfiguration)(nil), // 17: istio_operator.v2.api.v1alpha1.OperatorEndpointsConfiguration - (*TelemetryV2Configuration)(nil), // 18: istio_operator.v2.api.v1alpha1.TelemetryV2Configuration - (*ProxyWasmConfiguration)(nil), // 19: istio_operator.v2.api.v1alpha1.ProxyWasmConfiguration - (*PDBConfiguration)(nil), // 20: istio_operator.v2.api.v1alpha1.PDBConfiguration - (*HTTPProxyEnvsConfiguration)(nil), // 21: istio_operator.v2.api.v1alpha1.HTTPProxyEnvsConfiguration - (*IstioControlPlaneStatus)(nil), // 22: istio_operator.v2.api.v1alpha1.IstioControlPlaneStatus - (*StatusChecksums)(nil), // 23: istio_operator.v2.api.v1alpha1.StatusChecksums - (*MeshExpansionConfiguration_Istiod)(nil), // 24: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Istiod - (*MeshExpansionConfiguration_Webhook)(nil), // 25: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Webhook - (*MeshExpansionConfiguration_ClusterServices)(nil), // 26: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.ClusterServices - (*MeshExpansionConfiguration_IstioMeshGatewayConfiguration)(nil), // 27: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.IstioMeshGatewayConfiguration - (*CNIConfiguration_RepairConfiguration)(nil), // 28: istio_operator.v2.api.v1alpha1.CNIConfiguration.RepairConfiguration - (*CNIConfiguration_TaintConfiguration)(nil), // 29: istio_operator.v2.api.v1alpha1.CNIConfiguration.TaintConfiguration - (*CNIConfiguration_ResourceQuotas)(nil), // 30: istio_operator.v2.api.v1alpha1.CNIConfiguration.ResourceQuotas - (*wrappers.BoolValue)(nil), // 31: google.protobuf.BoolValue - (*v1alpha1.MeshConfig)(nil), // 32: istio.mesh.v1alpha1.MeshConfig - (*K8SResourceOverlayPatch)(nil), // 33: istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch - (*ContainerImageConfiguration)(nil), // 34: istio_operator.v2.api.v1alpha1.ContainerImageConfiguration - (*v1alpha1.Tracing)(nil), // 35: istio.mesh.v1alpha1.Tracing - (*BaseKubernetesResourceConfig)(nil), // 36: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig - (*Service)(nil), // 37: istio_operator.v2.api.v1alpha1.Service - (*v1.Lifecycle)(nil), // 38: k8s.io.api.core.v1.Lifecycle - (*ResourceRequirements)(nil), // 39: istio_operator.v2.api.v1alpha1.ResourceRequirements - (*wrappers.FloatValue)(nil), // 40: google.protobuf.FloatValue - (ConfigState)(0), // 41: istio_operator.v2.api.v1alpha1.ConfigState - (*K8SObjectMeta)(nil), // 42: istio_operator.v2.api.v1alpha1.K8sObjectMeta - (*UnprotectedService)(nil), // 43: istio_operator.v2.api.v1alpha1.UnprotectedService - (*BaseKubernetesContainerConfiguration)(nil), // 44: istio_operator.v2.api.v1alpha1.BaseKubernetesContainerConfiguration -} -var file_api_v1alpha1_istiocontrolplane_proto_depIdxs = []int32{ - 0, // 0: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.mode:type_name -> istio_operator.v2.api.v1alpha1.ModeType - 9, // 1: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.logging:type_name -> istio_operator.v2.api.v1alpha1.LoggingConfiguration - 31, // 2: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.mountMtlsCerts:type_name -> google.protobuf.BoolValue - 14, // 3: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.istiod:type_name -> istio_operator.v2.api.v1alpha1.IstiodConfiguration - 11, // 4: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.proxy:type_name -> istio_operator.v2.api.v1alpha1.ProxyConfiguration - 12, // 5: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.proxyInit:type_name -> istio_operator.v2.api.v1alpha1.ProxyInitConfiguration - 18, // 6: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.telemetryV2:type_name -> istio_operator.v2.api.v1alpha1.TelemetryV2Configuration - 10, // 7: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.sds:type_name -> istio_operator.v2.api.v1alpha1.SDSConfiguration - 19, // 8: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.proxyWasm:type_name -> istio_operator.v2.api.v1alpha1.ProxyWasmConfiguration - 31, // 9: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.watchOneNamespace:type_name -> google.protobuf.BoolValue - 3, // 10: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.jwtPolicy:type_name -> istio_operator.v2.api.v1alpha1.JWTPolicyType - 21, // 11: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.httpProxyEnvs:type_name -> istio_operator.v2.api.v1alpha1.HTTPProxyEnvsConfiguration - 32, // 12: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.meshConfig:type_name -> istio.mesh.v1alpha1.MeshConfig - 33, // 13: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.k8sResourceOverlays:type_name -> istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch - 34, // 14: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.containerImageConfiguration:type_name -> istio_operator.v2.api.v1alpha1.ContainerImageConfiguration - 8, // 15: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.meshExpansion:type_name -> istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration - 5, // 16: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.sidecarInjector:type_name -> istio_operator.v2.api.v1alpha1.SidecarInjectorConfiguration - 35, // 17: istio_operator.v2.api.v1alpha1.IstioControlPlaneSpec.tracer:type_name -> istio.mesh.v1alpha1.Tracing - 36, // 18: istio_operator.v2.api.v1alpha1.SidecarInjectorConfiguration.deployment:type_name -> istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig - 37, // 19: istio_operator.v2.api.v1alpha1.SidecarInjectorConfiguration.service:type_name -> istio_operator.v2.api.v1alpha1.Service - 6, // 20: istio_operator.v2.api.v1alpha1.SidecarInjectorConfiguration.templates:type_name -> istio_operator.v2.api.v1alpha1.SidecarInjectionTemplates - 7, // 21: istio_operator.v2.api.v1alpha1.SidecarInjectionTemplates.customTemplates:type_name -> istio_operator.v2.api.v1alpha1.CustomSidecarInjectionTemplates - 31, // 22: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.enabled:type_name -> google.protobuf.BoolValue - 27, // 23: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.gateway:type_name -> istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.IstioMeshGatewayConfiguration - 24, // 24: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.istiod:type_name -> istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Istiod - 25, // 25: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.webhook:type_name -> istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Webhook - 26, // 26: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.clusterServices:type_name -> istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.ClusterServices - 31, // 27: istio_operator.v2.api.v1alpha1.ProxyConfiguration.privileged:type_name -> google.protobuf.BoolValue - 31, // 28: istio_operator.v2.api.v1alpha1.ProxyConfiguration.enableCoreDump:type_name -> google.protobuf.BoolValue - 1, // 29: istio_operator.v2.api.v1alpha1.ProxyConfiguration.logLevel:type_name -> istio_operator.v2.api.v1alpha1.ProxyLogLevel - 31, // 30: istio_operator.v2.api.v1alpha1.ProxyConfiguration.holdApplicationUntilProxyStarts:type_name -> google.protobuf.BoolValue - 38, // 31: istio_operator.v2.api.v1alpha1.ProxyConfiguration.lifecycle:type_name -> k8s.io.api.core.v1.Lifecycle - 39, // 32: istio_operator.v2.api.v1alpha1.ProxyConfiguration.resources:type_name -> istio_operator.v2.api.v1alpha1.ResourceRequirements - 39, // 33: istio_operator.v2.api.v1alpha1.ProxyInitConfiguration.resources:type_name -> istio_operator.v2.api.v1alpha1.ResourceRequirements - 13, // 34: istio_operator.v2.api.v1alpha1.ProxyInitConfiguration.cni:type_name -> istio_operator.v2.api.v1alpha1.CNIConfiguration - 31, // 35: istio_operator.v2.api.v1alpha1.CNIConfiguration.enabled:type_name -> google.protobuf.BoolValue - 31, // 36: istio_operator.v2.api.v1alpha1.CNIConfiguration.chained:type_name -> google.protobuf.BoolValue - 28, // 37: istio_operator.v2.api.v1alpha1.CNIConfiguration.repair:type_name -> istio_operator.v2.api.v1alpha1.CNIConfiguration.RepairConfiguration - 29, // 38: istio_operator.v2.api.v1alpha1.CNIConfiguration.taint:type_name -> istio_operator.v2.api.v1alpha1.CNIConfiguration.TaintConfiguration - 30, // 39: istio_operator.v2.api.v1alpha1.CNIConfiguration.resourceQuotas:type_name -> istio_operator.v2.api.v1alpha1.CNIConfiguration.ResourceQuotas - 36, // 40: istio_operator.v2.api.v1alpha1.CNIConfiguration.daemonset:type_name -> istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig - 36, // 41: istio_operator.v2.api.v1alpha1.IstiodConfiguration.deployment:type_name -> istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig - 31, // 42: istio_operator.v2.api.v1alpha1.IstiodConfiguration.enableAnalysis:type_name -> google.protobuf.BoolValue - 31, // 43: istio_operator.v2.api.v1alpha1.IstiodConfiguration.enableStatus:type_name -> google.protobuf.BoolValue - 15, // 44: istio_operator.v2.api.v1alpha1.IstiodConfiguration.externalIstiod:type_name -> istio_operator.v2.api.v1alpha1.ExternalIstiodConfiguration - 40, // 45: istio_operator.v2.api.v1alpha1.IstiodConfiguration.traceSampling:type_name -> google.protobuf.FloatValue - 31, // 46: istio_operator.v2.api.v1alpha1.IstiodConfiguration.enableProtocolSniffingOutbound:type_name -> google.protobuf.BoolValue - 31, // 47: istio_operator.v2.api.v1alpha1.IstiodConfiguration.enableProtocolSniffingInbound:type_name -> google.protobuf.BoolValue - 2, // 48: istio_operator.v2.api.v1alpha1.IstiodConfiguration.certProvider:type_name -> istio_operator.v2.api.v1alpha1.PilotCertProviderType - 16, // 49: istio_operator.v2.api.v1alpha1.IstiodConfiguration.spiffe:type_name -> istio_operator.v2.api.v1alpha1.SPIFFEConfiguration - 31, // 50: istio_operator.v2.api.v1alpha1.ExternalIstiodConfiguration.enabled:type_name -> google.protobuf.BoolValue - 17, // 51: istio_operator.v2.api.v1alpha1.SPIFFEConfiguration.operatorEndpoints:type_name -> istio_operator.v2.api.v1alpha1.OperatorEndpointsConfiguration - 31, // 52: istio_operator.v2.api.v1alpha1.OperatorEndpointsConfiguration.enabled:type_name -> google.protobuf.BoolValue - 31, // 53: istio_operator.v2.api.v1alpha1.TelemetryV2Configuration.enabled:type_name -> google.protobuf.BoolValue - 31, // 54: istio_operator.v2.api.v1alpha1.ProxyWasmConfiguration.enabled:type_name -> google.protobuf.BoolValue - 31, // 55: istio_operator.v2.api.v1alpha1.PDBConfiguration.enabled:type_name -> google.protobuf.BoolValue - 41, // 56: istio_operator.v2.api.v1alpha1.IstioControlPlaneStatus.status:type_name -> istio_operator.v2.api.v1alpha1.ConfigState - 32, // 57: istio_operator.v2.api.v1alpha1.IstioControlPlaneStatus.meshConfig:type_name -> istio.mesh.v1alpha1.MeshConfig - 23, // 58: istio_operator.v2.api.v1alpha1.IstioControlPlaneStatus.checksums:type_name -> istio_operator.v2.api.v1alpha1.StatusChecksums - 31, // 59: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Istiod.expose:type_name -> google.protobuf.BoolValue - 31, // 60: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.Webhook.expose:type_name -> google.protobuf.BoolValue - 31, // 61: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.ClusterServices.expose:type_name -> google.protobuf.BoolValue - 42, // 62: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.IstioMeshGatewayConfiguration.metadata:type_name -> istio_operator.v2.api.v1alpha1.K8sObjectMeta - 36, // 63: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.IstioMeshGatewayConfiguration.deployment:type_name -> istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig - 43, // 64: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.IstioMeshGatewayConfiguration.service:type_name -> istio_operator.v2.api.v1alpha1.UnprotectedService - 31, // 65: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.IstioMeshGatewayConfiguration.runAsRoot:type_name -> google.protobuf.BoolValue - 33, // 66: istio_operator.v2.api.v1alpha1.MeshExpansionConfiguration.IstioMeshGatewayConfiguration.k8sResourceOverlays:type_name -> istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch - 31, // 67: istio_operator.v2.api.v1alpha1.CNIConfiguration.RepairConfiguration.enabled:type_name -> google.protobuf.BoolValue - 31, // 68: istio_operator.v2.api.v1alpha1.CNIConfiguration.RepairConfiguration.labelPods:type_name -> google.protobuf.BoolValue - 31, // 69: istio_operator.v2.api.v1alpha1.CNIConfiguration.RepairConfiguration.deletePods:type_name -> google.protobuf.BoolValue - 31, // 70: istio_operator.v2.api.v1alpha1.CNIConfiguration.TaintConfiguration.enabled:type_name -> google.protobuf.BoolValue - 44, // 71: istio_operator.v2.api.v1alpha1.CNIConfiguration.TaintConfiguration.container:type_name -> istio_operator.v2.api.v1alpha1.BaseKubernetesContainerConfiguration - 31, // 72: istio_operator.v2.api.v1alpha1.CNIConfiguration.ResourceQuotas.enabled:type_name -> google.protobuf.BoolValue - 73, // [73:73] is the sub-list for method output_type - 73, // [73:73] is the sub-list for method input_type - 73, // [73:73] is the sub-list for extension type_name - 73, // [73:73] is the sub-list for extension extendee - 0, // [0:73] is the sub-list for field type_name -} - -func init() { file_api_v1alpha1_istiocontrolplane_proto_init() } -func file_api_v1alpha1_istiocontrolplane_proto_init() { - if File_api_v1alpha1_istiocontrolplane_proto != nil { - return - } - file_api_v1alpha1_common_proto_init() - file_api_v1alpha1_istiomeshgateway_proto_init() - if !protoimpl.UnsafeEnabled { - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*IstioControlPlaneSpec); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SidecarInjectorConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SidecarInjectionTemplates); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*CustomSidecarInjectionTemplates); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*MeshExpansionConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*LoggingConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SDSConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ProxyConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ProxyInitConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*CNIConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[10].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*IstiodConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[11].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ExternalIstiodConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[12].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*SPIFFEConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[13].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*OperatorEndpointsConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[14].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*TelemetryV2Configuration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[15].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*ProxyWasmConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[16].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*PDBConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[17].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*HTTPProxyEnvsConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[18].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*IstioControlPlaneStatus); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[19].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*StatusChecksums); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[20].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*MeshExpansionConfiguration_Istiod); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[21].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*MeshExpansionConfiguration_Webhook); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[22].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*MeshExpansionConfiguration_ClusterServices); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[23].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*MeshExpansionConfiguration_IstioMeshGatewayConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[24].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*CNIConfiguration_RepairConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[25].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*CNIConfiguration_TaintConfiguration); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[26].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*CNIConfiguration_ResourceQuotas); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } - file_api_v1alpha1_istiocontrolplane_proto_msgTypes[7].OneofWrappers = []interface{}{} - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_api_v1alpha1_istiocontrolplane_proto_rawDesc, - NumEnums: 4, - NumMessages: 27, - NumExtensions: 0, - NumServices: 0, - }, - GoTypes: file_api_v1alpha1_istiocontrolplane_proto_goTypes, - DependencyIndexes: file_api_v1alpha1_istiocontrolplane_proto_depIdxs, - EnumInfos: file_api_v1alpha1_istiocontrolplane_proto_enumTypes, - MessageInfos: file_api_v1alpha1_istiocontrolplane_proto_msgTypes, - }.Build() - File_api_v1alpha1_istiocontrolplane_proto = out.File - file_api_v1alpha1_istiocontrolplane_proto_rawDesc = nil - file_api_v1alpha1_istiocontrolplane_proto_goTypes = nil - file_api_v1alpha1_istiocontrolplane_proto_depIdxs = nil -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane.pb.html b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane.pb.html deleted file mode 100644 index 3bbb2fd9d..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane.pb.html +++ /dev/null @@ -1,3085 +0,0 @@ ---- -title: Istio ControlPlane Spec -description: Istio control plane descriptor -layout: protoc-gen-docs -generator: protoc-gen-docs -schema: istio-operator.api.v1alpha1.IstioControlPlaneSpec -number_of_entries: 42 ---- -

IstioControlPlaneSpec

-
-

IstioControlPlane defines an Istio control plane

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
versionstring -

Contains the intended version for the Istio control plane. -+kubebuilder:validation:Pattern=^1.

- -		 -Yes -
modeModeType -

Configure the mode for this control plane. -Currently, two options are supported: “ACTIVE” and “PASSIVE”. -ACTIVE mode means that a full-fledged Istio control plane will be deployed and operated -(usually called primary cluster in upstream Istio terminology). -PASSIVE mode means that only a few resources will be installed for sidecar injection and cross-cluster -communication, it is used for multi cluster setups (this is the remote cluster in upstream Istio terminology). -+kubebuilder:validation:Enum=ACTIVE;PASSIVE

- -		 -Yes -
loggingLoggingConfiguration -

Logging configurations.

- -		 -No -
mountMtlsCertsBoolValue -

Use the user-specified, secret volume mounted key and certs for Pilot and workloads.

- -		 -No -
istiodIstiodConfiguration -

Istiod configuration.

- -		 -No -
proxyProxyConfiguration -

Proxy configuration options.

- -		 -No -
proxyInitProxyInitConfiguration -

Proxy Init configuration options.

- -		 -No -
telemetryV2TelemetryV2Configuration -

Telemetry V2 configuration.

- -		 -No -
sdsSDSConfiguration -

If SDS is configured, mTLS certificates for the sidecars will be distributed through the -SecretDiscoveryService instead of using K8S secrets to mount the certificates.

- -		 -No -
proxyWasmProxyWasmConfiguration -

ProxyWasm configuration options.

- -		 -No -
watchOneNamespaceBoolValue -

Whether to restrict the applications namespace the controller manages. -If not set, controller watches all namespaces

- -		 -No -
jwtPolicyJWTPolicyType -

Configure the policy for validating JWT. -Currently, two options are supported: “third-party-jwt” and “first-party-jwt”. -+kubebuilder:validation:Enum=THIRD_PARTY_JWT;FIRST_PARTY_JWT

- -		 -No -
caAddressstring -

The customized CA address to retrieve certificates for the pods in the cluster. -CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.

- -		 -No -
caProviderstring -

The name of the CA for workload certificates.

- -		 -No -
distributionstring -

Contains the intended distribution for the Istio control plane. -The official distribution is used by default unless special preserved distribution value is set. -The only preserved distribution is “cisco” as of now.

- -		 -No -
httpProxyEnvsHTTPProxyEnvsConfiguration -

Upstream HTTP proxy properties to be injected as environment variables to the pod containers.

- -		 -No -
meshConfigMeshConfig -

Defines mesh-wide settings for the Istio control plane.

- -		 -No -
k8sResourceOverlaysK8sResourceOverlayPatch[] -

K8s resource overlay patches

- -		 -No -
meshIDstring -

Name of the Mesh to which this control plane belongs.

- -		 -No -
containerImageConfigurationContainerImageConfiguration -

Global configuration for container images.

- -		 -No -
meshExpansionMeshExpansionConfiguration -

Mesh expansion configuration

- -		 -No -
clusterIDstring -

Cluster ID

- -		 -No -
networkNamestring -

Network defines the network this cluster belongs to. This name -corresponds to the networks in the map of mesh networks. -+default=network1

- -		 -No -
sidecarInjectorSidecarInjectorConfiguration -

Standalone sidecar injector configuration.

- -		 -No -
tracerTracing -

Tracing defines configuration for the tracing performed by Envoy instances.

- -		 -No -
-
-

SidecarInjectorConfiguration

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
deploymentBaseKubernetesResourceConfig -

Deployment spec

- -		 -No -
serviceService -

Service spec

- -		 -No -
templatesSidecarInjectionTemplates -

Fields to introduce sidecar injection template customizations

- -		 -No -
-
-

SidecarInjectionTemplates

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
sidecarstring -

Overrides for the default “sidecar” injection template. This template will be merged with the default “sidecar” template, overwriting values, if existing.

- -		 -No -
gatewaystring -

Overrides for the default “gateway” injection template. This template will be merged with the default “gateway” template, overwriting values, if existing.

- -		 -No -
customTemplatesCustomSidecarInjectionTemplates[] -

Custom templates can be defined for sidecar injection. These templates can be applied by annotating pods with “inject.istio.io/templates=”. See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental.

- -		 -No -
-
-

CustomSidecarInjectionTemplates

-
- - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
namestring - -No -
templatestring - -No -
-
-

MeshExpansionConfiguration

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
enabledBoolValue - -No -
gatewayIstioMeshGatewayConfiguration - -No -
istiodIstiod -

istiod component configuration

- -		 -No -
webhookWebhook -

webhook component configuration

- -		 -No -
clusterServicesClusterServices -

cluster services configuration

- -		 -No -
-
-

LoggingConfiguration

-
-

Comma-separated minimum per-scope logging level of messages to output, in the form of :,: -The control plane has different scopes depending on component, but can configure default log level across all components -If empty, default scope and level will be used as configured in code

- - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
levelstring -

+kubebuilder:validation:Pattern=^([a-zA-Z]+:[a-zA-Z]+,?)+$

- -		 -No -
-
-

SDSConfiguration

-
-

SDSConfiguration defines Secret Discovery Service config options

- - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
tokenAudiencestring -

The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. -When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the - JWT is intended for the CA.

- -		 -No -
-
-

ProxyConfiguration

-
-

ProxyConfiguration defines config options for Proxy

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
imagestring - -No -
privilegedBoolValue -

If set to true, istio-proxy container will have privileged securityContext

- -		 -No -
enableCoreDumpBoolValue -

If set, newly injected sidecars will have core dumps enabled.

- -		 -No -
logLevelProxyLogLevel -

Log level for proxy, applies to gateways and sidecars. If left empty, “warning” is used. -Expected values are: trace|debug|info|warning|error|critical|off -+kubebuilder:validation:Enum=TRACE;DEBUG;INFO;WARNING;ERROR;CRITICAL;OFF

- -		 -No -
componentLogLevelstring -

Per Component log level for proxy, applies to gateways and sidecars. If a component level is -not set, then the “LogLevel” will be used. If left empty, “misc:error” is used.

- -		 -No -
clusterDomainstring -

cluster domain. Default value is “cluster.local”

- -		 -No -
holdApplicationUntilProxyStartsBoolValue -

Controls if sidecar is injected at the front of the container list and blocks -the start of the other containers until the proxy is ready -Default value is ‘false’.

- -		 -No -
lifecycleLifecycle - -No -
resourcesResourceRequirements - -No -
includeIPRangesstring -

IncludeIPRanges the range where to capture egress traffic

- -		 -No -
excludeIPRangesstring -

ExcludeIPRanges the range where not to capture egress traffic

- -		 -No -
excludeInboundPortsstring -

ExcludeInboundPorts the comma separated list of inbound ports to be excluded from redirection to Envoy

- -		 -No -
excludeOutboundPortsstring -

ExcludeOutboundPorts the comma separated list of outbound ports to be excluded from redirection to Envoy

- -		 -No -
tracerstring (oneof) -

Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver

- -		 -No -
-
-

ProxyInitConfiguration

-
-

ProxyInitConfiguration defines config options for Proxy Init containers

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
imagestring - -No -
resourcesResourceRequirements - -No -
cniCNIConfiguration - -No -
-
-

CNIConfiguration

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
enabledBoolValue - -No -
chainedBoolValue - -No -
binDirstring - -No -
confDirstring - -No -
excludeNamespacesstring[] - -No -
includeNamespacesstring[] - -No -
logLevelstring - -No -
confFileNamestring - -No -
pspClusterRoleNamestring - -No -
repairRepairConfiguration - -No -
taintTaintConfiguration - -No -
resourceQuotasResourceQuotas - -No -
daemonsetBaseKubernetesResourceConfig - -No -
-
-

IstiodConfiguration

-
-

IstiodConfiguration defines config options for Istiod

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
deploymentBaseKubernetesResourceConfig -

Deployment spec

- -		 -No -
enableAnalysisBoolValue -

If enabled, pilot will run Istio analyzers and write analysis errors to the Status field of any Istio Resources

- -		 -No -
enableStatusBoolValue -

If enabled, pilot will update the CRD Status field of all Istio resources with reconciliation status

- -		 -No -
externalIstiodExternalIstiodConfiguration -

Settings for local istiod to control remote clusters as well

- -		 -No -
traceSamplingFloatValue - -No -
enableProtocolSniffingOutboundBoolValue -

If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported

- -		 -No -
enableProtocolSniffingInboundBoolValue -

If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported

- -		 -No -
certProviderPilotCertProviderType -

Configure the certificate provider for control plane communication. -Currently, two providers are supported: “kubernetes” and “istiod”. -As some platforms may not have kubernetes signing APIs, -Istiod is the default -+kubebuilder:validation:Enum=KUBERNETES;ISTIOD

- -		 -No -
spiffeSPIFFEConfiguration -

SPIFFE configuration of Pilot

- -		 -No -
-
-

ExternalIstiodConfiguration

-
-

ExternalIstiodConfiguration defines settings for local istiod to control remote clusters as well

- - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
enabledBoolValue - -No -
-
-

SPIFFEConfiguration

-
-

SPIFFEConfiguration is for SPIFFE configuration of Pilot

- - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
operatorEndpointsOperatorEndpointsConfiguration - -No -
-
-

OperatorEndpointsConfiguration

-
-

OperatorEndpointsConfiguration defines config options for automatic SPIFFE endpoints

- - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
enabledBoolValue - -No -
-
-

TelemetryV2Configuration

-
- - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
enabledBoolValue - -No -
-
-

ProxyWasmConfiguration

-
-

ProxyWasmConfiguration defines config options for Envoy wasm

- - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
enabledBoolValue - -No -
-
-

PDBConfiguration

-
-

PDBConfiguration holds Pod Disruption Budget related config options

- - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
enabledBoolValue - -No -
-
-

HTTPProxyEnvsConfiguration

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
httpProxystring - -No -
httpsProxystring - -No -
noProxystring - -No -
-
-

IstioControlPlaneStatus

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
statusConfigState -

Reconciliation status of the Istio control plane

- -		 -No -
clusterIDstring -

Cluster ID

- -		 -No -
istioControlPlaneNamestring -

Name of the IstioControlPlane resource -It is used on remote clusters in the PeerIstioControlPlane resource status -to identify the original Istio control plane

- -		 -No -
gatewayAddressstring[] -

Current addresses for the corresponding gateways

- -		 -No -
istiodAddressesstring[] -

Current addresses for the corresponding istiod pods

- -		 -No -
injectionNamespacesstring[] -

Namespaces which are set for injection for this control plane

- -		 -No -
caRootCertificatestring -

Istio CA root certificate

- -		 -No -
errorMessagestring -

Reconciliation error message if any

- -		 -No -
meshConfigMeshConfig - -No -
checksumsStatusChecksums - -No -
-
-

StatusChecksums

-
- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
meshConfigstring - -No -
sidecarInjectorstring - -No -
-
-

MeshExpansionConfiguration.Istiod

-
- - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
exposeBoolValue - -No -
-
-

MeshExpansionConfiguration.Webhook

-
- - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
exposeBoolValue - -No -
-
-

MeshExpansionConfiguration.ClusterServices

-
- - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
exposeBoolValue - -No -
-
-

MeshExpansionConfiguration.IstioMeshGatewayConfiguration

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
metadataK8sObjectMeta -

Istio Mesh gateway metadata

- -		 -No -
deploymentBaseKubernetesResourceConfig -

Deployment spec

- -		 -No -
serviceUnprotectedService -

Service spec

- -		 -No -
runAsRootBoolValue -

Whether to run the gateway in a privileged container

- -		 -No -
k8sResourceOverlaysK8sResourceOverlayPatch[] -

K8s resource overlay patches

- -		 -No -
-
-

CNIConfiguration.RepairConfiguration

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
enabledBoolValue - -No -
labelPodsBoolValue - -No -
deletePodsBoolValue - -No -
initContainerNamestring - -No -
brokenPodLabelKeystring - -No -
brokenPodLabelValuestring - -No -
-
-

CNIConfiguration.TaintConfiguration

-
- - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
enabledBoolValue - -No -
containerBaseKubernetesContainerConfiguration - -No -
-
-

CNIConfiguration.ResourceQuotas

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
enabledBoolValue - -No -
podsstring - -No -
priorityClassesstring[] - -No -
-
-

K8sResourceOverlayPatch

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
groupVersionKindGroupVersionKind - -No -
objectKeyNamespacedName - -No -
patchesPatch[] - -No -
-
-

ContainerImageConfiguration

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
hubstring -

Default hub for container images.

- -		 -No -
tagstring -

Default tag for container images.

- -		 -No -
imagePullPolicystring -

Image pull policy. -One of Always, Never, IfNotPresent. -Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. -+optional -+kubebuilder:validation:Enum=Always;Never;IfNotPresent

- -		 -No -
imagePullSecretsLocalObjectReference[] -

ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images. -+optional

- -		 -No -
-
-

istio.mesh.v1alpha1.Tracing

-
-

Tracing defines configuration for the tracing performed by Envoy instances.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
zipkinZipkin (oneof) -

Use a Zipkin tracer.

- -		 -No -
lightstepLightstep (oneof) -

Use a Lightstep tracer. -NOTE: For Istio 1.15+, this configuration option will result -in using OpenTelemetry-based Lightstep integration.

- -		 -No -
datadogDatadog (oneof) -

Use a Datadog tracer.

- -		 -No -
stackdriverStackdriver (oneof) -

Use a Stackdriver tracer.

- -		 -No -
openCensusAgentOpenCensusAgent (oneof) -

Use an OpenCensus tracer exporting to an OpenCensus agent.

- -		 -No -
samplingdouble -

The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, -if not requested by the client or not forced. Default is 1.0.

- -		 -No -
tlsSettingsClientTLSSettings -

Use the tls_settings to specify the tls mode to use. If the remote tracing service -uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS -mode as ISTIO_MUTUAL.

- -		 -No -
-
-

BaseKubernetesResourceConfig

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
metadataK8sObjectMeta -

Generic k8s resource metadata

- -		 -No -
imagestring -

Standard Kubernetes container image configuration

- -		 -No -
envEnvVar[] -

If present will be appended to the environment variables of the container

- -		 -No -
resourcesResourceRequirements -

Standard Kubernetes resource configuration, memory and CPU resource requirements

- -		 -No -
nodeSelectormap<string, string> -

Standard Kubernetes node selector configuration

- -		 -No -
affinityAffinity -

Standard Kubernetes affinity configuration

- -		 -No -
securityContextSecurityContext -

Standard Kubernetes security context configuration

- -		 -No -
imagePullPolicystring -

Image pull policy. -One of Always, Never, IfNotPresent. -Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. -+optional

- -		 -No -
imagePullSecretsLocalObjectReference[] -

ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images. -+optional

- -		 -No -
priorityClassNamestring -

If specified, indicates the pod’s priority. “system-node-critical” and -“system-cluster-critical” are two special keywords which indicate the -highest priorities with the former being the highest priority. Any other -name must be defined by creating a PriorityClass object with that name. -If not specified, the pod priority will be default or zero if there is no -default. -+optional

- -		 -No -
tolerationsToleration[] -

If specified, the pod’s tolerations. -+optional

- -		 -No -
volumesVolume[] -

List of volumes that can be mounted by containers belonging to the pod. -More info: https://kubernetes.io/docs/concepts/storage/volumes -+optional -+patchMergeKey=name -+patchStrategy=merge,retainKeys

- -		 -No -
volumeMountsVolumeMount[] -

Pod volumes to mount into the container’s filesystem. -Cannot be updated. -+optional -+patchMergeKey=mountPath -+patchStrategy=merge

- -		 -No -
replicasReplicas -

Replica configuration

- -		 -No -
podMetadataK8sObjectMeta -

Standard Kubernetes pod annotation and label configuration

- -		 -No -
podDisruptionBudgetPodDisruptionBudget -

PodDisruptionBudget configuration

- -		 -No -
deploymentStrategyDeploymentStrategy -

DeploymentStrategy configuration

- -		 -No -
podSecurityContextPodSecurityContext -

Standard Kubernetes pod security context configuration

- -		 -No -
livenessProbeProbe -

Periodic probe of container liveness. -Container will be restarted if the probe fails. -Cannot be updated. -More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes -+optional

- -		 -No -
readinessProbeProbe -

Periodic probe of container service readiness. -Container will be removed from service endpoints if the probe fails. -Cannot be updated. -More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes -+optional

- -		 -No -
topologySpreadConstraintsTopologySpreadConstraint[] -

Used to control how Pods are spread across a cluster among failure-domains. -This can help to achieve high availability as well as efficient resource utilization. -More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints -+optional

- -		 -No -
-
-

Service

-
-

Service describes the attributes that a user creates on a service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
metadataK8sObjectMeta - -No -
portsServicePort[] -

The list of ports that are exposed by this service. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+patchMergeKey=port -+patchStrategy=merge -+listType=map -+listMapKey=port -+listMapKey=protocol -+kubebuilder:validation:MinItems=1

- -		 -Yes -
selectormap<string, string> -

Route service traffic to pods with label keys and values matching this -selector. If empty or not present, the service is assumed to have an -external process managing its endpoints, which Kubernetes will not -modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. -Ignored if type is ExternalName. -More info: https://kubernetes.io/docs/concepts/services-networking/service/ -+optional

- -		 -No -
clusterIPstring -

clusterIP is the IP address of the service and is usually assigned -randomly by the master. If an address is specified manually and is not in -use by others, it will be allocated to the service; otherwise, creation -of the service will fail. This field can not be changed through updates. -Valid values are “None”, empty string (“”), or a valid IP address. “None” -can be specified for headless services when proxying is not required. -Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if -type is ExternalName. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+optional

- -		 -No -
typestring -

type determines how the Service is exposed. Defaults to ClusterIP. Valid -options are ExternalName, ClusterIP, NodePort, and LoadBalancer. -“ExternalName” maps to the specified externalName. -“ClusterIP” allocates a cluster-internal IP address for load-balancing to -endpoints. Endpoints are determined by the selector or if that is not -specified, by manual construction of an Endpoints object. If clusterIP is -“None”, no virtual IP is allocated and the endpoints are published as a -set of endpoints rather than a stable IP. -“NodePort” builds on ClusterIP and allocates a port on every node which -routes to the clusterIP. -“LoadBalancer” builds on NodePort and creates an -external load-balancer (if supported in the current cloud) which routes -to the clusterIP. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types -+optional -+kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer

- -		 -Yes -
externalIPsstring[] -

externalIPs is a list of IP addresses for which nodes in the cluster -will also accept traffic for this service. These IPs are not managed by -Kubernetes. The user is responsible for ensuring that traffic arrives -at a node with this IP. A common example is external load-balancers -that are not part of the Kubernetes system. -+optional

- -		 -No -
sessionAffinitystring -

Supports “ClientIP” and “None”. Used to maintain session affinity. -Enable client IP based session affinity. -Must be ClientIP or None. -Defaults to None. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+optional

- -		 -No -
loadBalancerIPstring -

Only applies to Service Type: LoadBalancer -LoadBalancer will get created with the IP specified in this field. -This feature depends on whether the underlying cloud-provider supports specifying -the loadBalancerIP when a load balancer is created. -This field will be ignored if the cloud-provider does not support the feature. -+optional

- -		 -No -
loadBalancerSourceRangesstring[] -

If specified and supported by the platform, this will restrict traffic through the cloud-provider -load-balancer will be restricted to the specified client IPs. This field will be ignored if the -cloud-provider does not support the feature.” -More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ -+optional

- -		 -No -
externalNamestring -

externalName is the external reference that kubedns or equivalent will -return as a CNAME record for this service. No proxying will be involved. -Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) -and requires Type to be ExternalName. -+optional

- -		 -No -
externalTrafficPolicystring -

externalTrafficPolicy denotes if this Service desires to route external -traffic to node-local or cluster-wide endpoints. “Local” preserves the -client source IP and avoids a second hop for LoadBalancer and Nodeport -type services, but risks potentially imbalanced traffic spreading. -“Cluster” obscures the client source IP and may cause a second hop to -another node, but should have good overall load-spreading. -+optional

- -		 -No -
healthCheckNodePortint32 -

healthCheckNodePort specifies the healthcheck nodePort for the service. -If not specified, HealthCheckNodePort is created by the service api -backend with the allocated nodePort. Will use user-specified nodePort value -if specified by the client. Only effects when Type is set to LoadBalancer -and ExternalTrafficPolicy is set to Local. -+optional

- -		 -No -
publishNotReadyAddressesBoolValue -

publishNotReadyAddresses, when set to true, indicates that DNS implementations -must publish the notReadyAddresses of subsets for the Endpoints associated with -the Service. The default value is false. -The primary use case for setting this field is to use a StatefulSet’s Headless Service -to propagate SRV records for its Pods without respect to their readiness for purpose -of peer discovery. -+optional

- -		 -No -
sessionAffinityConfigSessionAffinityConfig -

sessionAffinityConfig contains the configurations of session affinity. -+optional

- -		 -No -
ipFamilystring -

ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. -IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is -available in the cluster. If no IP family is requested, the cluster’s primary IP family will be used. -Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which -allocate external load-balancers should use the same IP family. Endpoints for this Service will be of -this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the -cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment. -+optional

- -		 -No -
-
-

k8s.io.api.core.v1.Lifecycle

-
-

Lifecycle describes actions that the management system should take in response to container lifecycle -events. For the PostStart and PreStop lifecycle handlers, management of the container blocks -until the action is complete, unless the container process fails, in which case the handler is aborted.

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
postStartLifecycleHandler -

PostStart is called immediately after a container is created. If the handler fails, -the container is terminated and restarted according to its restart policy. -Other management of the container blocks until the hook completes. -More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks -+optional

- -		 -No -
preStopLifecycleHandler -

PreStop is called immediately before a container is terminated due to an -API request or management event such as liveness/startup probe failure, -preemption, resource contention, etc. The handler is not called if the -container crashes or exits. The Pod’s termination grace period countdown begins before the -PreStop hook is executed. Regardless of the outcome of the handler, the -container will eventually terminate within the Pod’s termination grace -period (unless delayed by finalizers). Other management of the container blocks until the hook completes -or until the termination grace period is reached. -More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks -+optional

- -		 -No -
-
-

ResourceRequirements

-
-

ResourceRequirements describes the compute resource requirements.

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
limitsmap<string, Quantity> -

Limits describes the maximum amount of compute resources allowed. -More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -+optional

- -		 -No -
requestsmap<string, Quantity> -

Requests describes the minimum amount of compute resources required. -If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, -otherwise to an implementation-defined value. -More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/ -+optional

- -		 -No -
-
-

K8sObjectMeta

-
-

Generic k8s resource metadata

- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
labelsmap<string, string> -

Map of string keys and values that can be used to organize and categorize -(scope and select) objects. May match selectors of replication controllers -and services. -More info: http://kubernetes.io/docs/user-guide/labels -+optional

- -		 -No -
annotationsmap<string, string> -

Annotations is an unstructured key value map stored with a resource that may be -set by external tools to store and retrieve arbitrary metadata. They are not -queryable and should be preserved when modifying objects. -More info: http://kubernetes.io/docs/user-guide/annotations -+optional

- -		 -No -
-
-

UnprotectedService

-
-

Service describes the attributes that a user creates on a service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
metadataK8sObjectMeta - -No -
portsServicePort[] -

The list of ports that are exposed by this service. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+patchMergeKey=port -+patchStrategy=merge -+listType=map -+listMapKey=port -+listMapKey=protocol

- -		 -No -
selectormap<string, string> -

Route service traffic to pods with label keys and values matching this -selector. If empty or not present, the service is assumed to have an -external process managing its endpoints, which Kubernetes will not -modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. -Ignored if type is ExternalName. -More info: https://kubernetes.io/docs/concepts/services-networking/service/ -+optional

- -		 -No -
clusterIPstring -

clusterIP is the IP address of the service and is usually assigned -randomly by the master. If an address is specified manually and is not in -use by others, it will be allocated to the service; otherwise, creation -of the service will fail. This field can not be changed through updates. -Valid values are “None”, empty string (“”), or a valid IP address. “None” -can be specified for headless services when proxying is not required. -Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if -type is ExternalName. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+optional

- -		 -No -
typestring -

type determines how the Service is exposed. Defaults to ClusterIP. Valid -options are ExternalName, ClusterIP, NodePort, and LoadBalancer. -“ExternalName” maps to the specified externalName. -“ClusterIP” allocates a cluster-internal IP address for load-balancing to -endpoints. Endpoints are determined by the selector or if that is not -specified, by manual construction of an Endpoints object. If clusterIP is -“None”, no virtual IP is allocated and the endpoints are published as a -set of endpoints rather than a stable IP. -“NodePort” builds on ClusterIP and allocates a port on every node which -routes to the clusterIP. -“LoadBalancer” builds on NodePort and creates an -external load-balancer (if supported in the current cloud) which routes -to the clusterIP. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types -+optional -+kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer

- -		 -No -
externalIPsstring[] -

externalIPs is a list of IP addresses for which nodes in the cluster -will also accept traffic for this service. These IPs are not managed by -Kubernetes. The user is responsible for ensuring that traffic arrives -at a node with this IP. A common example is external load-balancers -that are not part of the Kubernetes system. -+optional

- -		 -No -
sessionAffinitystring -

Supports “ClientIP” and “None”. Used to maintain session affinity. -Enable client IP based session affinity. -Must be ClientIP or None. -Defaults to None. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+optional

- -		 -No -
loadBalancerIPstring -

Only applies to Service Type: LoadBalancer -LoadBalancer will get created with the IP specified in this field. -This feature depends on whether the underlying cloud-provider supports specifying -the loadBalancerIP when a load balancer is created. -This field will be ignored if the cloud-provider does not support the feature. -+optional

- -		 -No -
loadBalancerSourceRangesstring[] -

If specified and supported by the platform, this will restrict traffic through the cloud-provider -load-balancer will be restricted to the specified client IPs. This field will be ignored if the -cloud-provider does not support the feature.” -More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ -+optional

- -		 -No -
externalNamestring -

externalName is the external reference that kubedns or equivalent will -return as a CNAME record for this service. No proxying will be involved. -Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) -and requires Type to be ExternalName. -+optional

- -		 -No -
externalTrafficPolicystring -

externalTrafficPolicy denotes if this Service desires to route external -traffic to node-local or cluster-wide endpoints. “Local” preserves the -client source IP and avoids a second hop for LoadBalancer and Nodeport -type services, but risks potentially imbalanced traffic spreading. -“Cluster” obscures the client source IP and may cause a second hop to -another node, but should have good overall load-spreading. -+optional

- -		 -No -
healthCheckNodePortint32 -

healthCheckNodePort specifies the healthcheck nodePort for the service. -If not specified, HealthCheckNodePort is created by the service api -backend with the allocated nodePort. Will use user-specified nodePort value -if specified by the client. Only effects when Type is set to LoadBalancer -and ExternalTrafficPolicy is set to Local. -+optional

- -		 -No -
publishNotReadyAddressesBoolValue -

publishNotReadyAddresses, when set to true, indicates that DNS implementations -must publish the notReadyAddresses of subsets for the Endpoints associated with -the Service. The default value is false. -The primary use case for setting this field is to use a StatefulSet’s Headless Service -to propagate SRV records for its Pods without respect to their readiness for purpose -of peer discovery. -+optional

- -		 -No -
sessionAffinityConfigSessionAffinityConfig -

sessionAffinityConfig contains the configurations of session affinity. -+optional

- -		 -No -
ipFamilystring -

ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. -IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is -available in the cluster. If no IP family is requested, the cluster’s primary IP family will be used. -Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which -allocate external load-balancers should use the same IP family. Endpoints for this Service will be of -this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the -cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment. -+optional

- -		 -No -
-
-

BaseKubernetesContainerConfiguration

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
imagestring -

Standard Kubernetes container image configuration

- -		 -No -
envEnvVar[] -

If present will be appended to the environment variables of the container

- -		 -No -
resourcesResourceRequirements -

Standard Kubernetes resource configuration, memory and CPU resource requirements

- -		 -No -
securityContextSecurityContext -

Standard Kubernetes security context configuration

- -		 -No -
volumeMountsVolumeMount[] -

Pod volumes to mount into the container’s filesystem. -Cannot be updated. -+optional -+patchMergeKey=mountPath -+patchStrategy=merge

- -		 -No -
-
-

ModeType

-
- - - - - - - - - - - - - - - - - - - - - -
NameDescription
ModeType_UNSPECIFIED -
ACTIVE -
PASSIVE -
-
-

ProxyLogLevel

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameDescription
ProxyLogLevel_UNSPECIFIED -
TRACE -
DEBUG -
INFO -
WARNING -
ERROR -
CRITICAL -
OFF -
-
-

PilotCertProviderType

-
- - - - - - - - - - - - - - - - - - - - - -
NameDescription
PilotCertProviderType_UNSPECIFIED -
KUBERNETES -
ISTIOD -
-
-

JWTPolicyType

-
- - - - - - - - - - - - - - - - - - - - - -
NameDescription
JWTPolicyType_UNSPECIFIED -
THIRD_PARTY_JWT -
FIRST_PARTY_JWT -
-
-

ConfigState

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameDescription
Unspecified -
Created -
ReconcileFailed -
Reconciling -
Available -
Unmanaged -
-
diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane.proto b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane.proto deleted file mode 100644 index 4865d0535..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane.proto +++ /dev/null @@ -1,411 +0,0 @@ -// Copyright 2021 Cisco Systems, Inc. and/or its affiliates. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -syntax = "proto3"; - -import "api/v1alpha1/common.proto"; -import "api/v1alpha1/istiomeshgateway.proto"; -import "k8s.io/api/core/v1/generated.proto"; -import "mesh/v1alpha1/config.proto"; -import "mesh/v1alpha1/proxy.proto"; -import "google/api/field_behavior.proto"; -import "google/protobuf/wrappers.proto"; - -// $schema: istio-operator.api.v1alpha1.IstioControlPlaneSpec -// $title: Istio ControlPlane Spec -// $description: Istio control plane descriptor - -package istio_operator.v2.api.v1alpha1; - -option go_package = "github.com/banzaicloud/istio-operator/v2/api/v1alpha1"; - -// IstioControlPlane defines an Istio control plane -// -// -// -// -message IstioControlPlaneSpec { - // Contains the intended version for the Istio control plane. - // +kubebuilder:validation:Pattern=^1\. - string version = 1 [(google.api.field_behavior) = REQUIRED]; - // Configure the mode for this control plane. - // Currently, two options are supported: "ACTIVE" and "PASSIVE". - // ACTIVE mode means that a full-fledged Istio control plane will be deployed and operated - // (usually called primary cluster in upstream Istio terminology). - // PASSIVE mode means that only a few resources will be installed for sidecar injection and cross-cluster - // communication, it is used for multi cluster setups (this is the remote cluster in upstream Istio terminology). - // +kubebuilder:validation:Enum=ACTIVE;PASSIVE - ModeType mode = 2 [(google.api.field_behavior) = REQUIRED]; - // Logging configurations. - LoggingConfiguration logging = 3; - // Use the user-specified, secret volume mounted key and certs for Pilot and workloads. - google.protobuf.BoolValue mountMtlsCerts = 4; - // Istiod configuration. - IstiodConfiguration istiod = 5; - // Proxy configuration options. - ProxyConfiguration proxy = 6; - // Proxy Init configuration options. - ProxyInitConfiguration proxyInit = 7; - // Telemetry V2 configuration. - TelemetryV2Configuration telemetryV2 = 8; - // If SDS is configured, mTLS certificates for the sidecars will be distributed through the - // SecretDiscoveryService instead of using K8S secrets to mount the certificates. - SDSConfiguration sds = 9; - // ProxyWasm configuration options. - ProxyWasmConfiguration proxyWasm = 10; - // Whether to restrict the applications namespace the controller manages. - // If not set, controller watches all namespaces - google.protobuf.BoolValue watchOneNamespace = 11; - // Configure the policy for validating JWT. - // Currently, two options are supported: "third-party-jwt" and "first-party-jwt". - // +kubebuilder:validation:Enum=THIRD_PARTY_JWT;FIRST_PARTY_JWT - JWTPolicyType jwtPolicy = 12; - // The customized CA address to retrieve certificates for the pods in the cluster. - // CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint. - string caAddress = 13; - // The name of the CA for workload certificates. - string caProvider = 14; - // Contains the intended distribution for the Istio control plane. - // The official distribution is used by default unless special preserved distribution value is set. - // The only preserved distribution is "cisco" as of now. - string distribution = 15; - // Upstream HTTP proxy properties to be injected as environment variables to the pod containers. - HTTPProxyEnvsConfiguration httpProxyEnvs = 16; - // Defines mesh-wide settings for the Istio control plane. - istio.mesh.v1alpha1.MeshConfig meshConfig = 17; - // K8s resource overlay patches - repeated K8sResourceOverlayPatch k8sResourceOverlays = 18; - // Name of the Mesh to which this control plane belongs. - string meshID = 19; - // Global configuration for container images. - ContainerImageConfiguration containerImageConfiguration = 20; - // Mesh expansion configuration - MeshExpansionConfiguration meshExpansion = 21; - // Cluster ID - string clusterID = 22; - // Network defines the network this cluster belongs to. This name - // corresponds to the networks in the map of mesh networks. - // +default=network1 - string networkName = 23; - // Standalone sidecar injector configuration. - SidecarInjectorConfiguration sidecarInjector = 24; - // Tracing defines configuration for the tracing performed by Envoy instances. - istio.mesh.v1alpha1.Tracing tracer = 25; -} - -enum ModeType { - ModeType_UNSPECIFIED = 0; - ACTIVE = 1; - PASSIVE = 2; -} - -message SidecarInjectorConfiguration { - // Deployment spec - BaseKubernetesResourceConfig deployment = 1; - // Service spec - Service service = 2; - // Fields to introduce sidecar injection template customizations - SidecarInjectionTemplates templates = 3; -} - -message SidecarInjectionTemplates { - // Overrides for the default "sidecar" injection template. This template will be merged with the default "sidecar" template, overwriting values, if existing. - string sidecar = 1; - // Overrides for the default "gateway" injection template. This template will be merged with the default "gateway" template, overwriting values, if existing. - string gateway = 2; - // Custom templates can be defined for sidecar injection. These templates can be applied by annotating pods with "inject.istio.io/templates=". See https://istio.io/latest/docs/setup/additional-setup/sidecar-injection/#custom-templates-experimental. - repeated CustomSidecarInjectionTemplates customTemplates = 3; -} - -message CustomSidecarInjectionTemplates { - string name = 1; - string template = 2; -} - -message MeshExpansionConfiguration { - google.protobuf.BoolValue enabled = 1; - message Istiod { - google.protobuf.BoolValue expose = 1; - } - message Webhook { - google.protobuf.BoolValue expose = 1; - } - message ClusterServices { - google.protobuf.BoolValue expose = 1; - } - message IstioMeshGatewayConfiguration { - // Istio Mesh gateway metadata - K8sObjectMeta metadata = 1; - // Deployment spec - BaseKubernetesResourceConfig deployment = 2; - // Service spec - UnprotectedService service = 3; - // Whether to run the gateway in a privileged container - google.protobuf.BoolValue runAsRoot = 4; - // K8s resource overlay patches - repeated K8sResourceOverlayPatch k8sResourceOverlays = 5; - } - IstioMeshGatewayConfiguration gateway = 2; - // istiod component configuration - Istiod istiod = 3; - // webhook component configuration - Webhook webhook = 4; - // cluster services configuration - ClusterServices clusterServices = 5; -} - -// Comma-separated minimum per-scope logging level of messages to output, in the form of :,: -// The control plane has different scopes depending on component, but can configure default log level across all components -// If empty, default scope and level will be used as configured in code -message LoggingConfiguration { - // +kubebuilder:validation:Pattern=`^([a-zA-Z]+:[a-zA-Z]+,?)+$` - string level = 1; -} - -// SDSConfiguration defines Secret Discovery Service config options -message SDSConfiguration { - // The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3. - // When a CSR is sent from Citadel Agent to the CA (e.g. Citadel), this aud is to make sure the - // JWT is intended for the CA. - string tokenAudience = 1; -} - -// ProxyConfiguration defines config options for Proxy -message ProxyConfiguration { - string image = 1; - // If set to true, istio-proxy container will have privileged securityContext - google.protobuf.BoolValue privileged = 2; - // If set, newly injected sidecars will have core dumps enabled. - google.protobuf.BoolValue enableCoreDump = 3; - // Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used. - // Expected values are: trace|debug|info|warning|error|critical|off - // +kubebuilder:validation:Enum=TRACE;DEBUG;INFO;WARNING;ERROR;CRITICAL;OFF - ProxyLogLevel logLevel = 4; - // Per Component log level for proxy, applies to gateways and sidecars. If a component level is - // not set, then the "LogLevel" will be used. If left empty, "misc:error" is used. - string componentLogLevel = 5; - // cluster domain. Default value is "cluster.local" - string clusterDomain = 6; - // Controls if sidecar is injected at the front of the container list and blocks - // the start of the other containers until the proxy is ready - // Default value is 'false'. - google.protobuf.BoolValue holdApplicationUntilProxyStarts = 7; - k8s.io.api.core.v1.Lifecycle lifecycle = 8; - ResourceRequirements resources = 9; - // IncludeIPRanges the range where to capture egress traffic - string includeIPRanges = 10; - // ExcludeIPRanges the range where not to capture egress traffic - string excludeIPRanges = 11; - // ExcludeInboundPorts the comma separated list of inbound ports to be excluded from redirection to Envoy - string excludeInboundPorts = 12; - // ExcludeOutboundPorts the comma separated list of outbound ports to be excluded from redirection to Envoy - string excludeOutboundPorts = 13; - // Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver - optional string tracer = 14; -} - -enum ProxyLogLevel { - ProxyLogLevel_UNSPECIFIED = 0; - TRACE = 1; - DEBUG = 2; - INFO = 3; - WARNING = 4; - ERROR = 5; - CRITICAL = 6; - OFF = 7; -} - -// ProxyInitConfiguration defines config options for Proxy Init containers -message ProxyInitConfiguration { - string image = 1; - ResourceRequirements resources = 2; - CNIConfiguration cni = 3; -} - -message CNIConfiguration { - google.protobuf.BoolValue enabled = 1; - google.protobuf.BoolValue chained = 2; - string binDir = 4; - string confDir = 5; - repeated string excludeNamespaces = 6; - repeated string includeNamespaces = 7; - string logLevel = 8; - string confFileName = 9; - string pspClusterRoleName = 10; - - message RepairConfiguration { - google.protobuf.BoolValue enabled = 1; - google.protobuf.BoolValue labelPods = 2; - google.protobuf.BoolValue deletePods = 3; - string initContainerName = 4; - string brokenPodLabelKey = 5; - string brokenPodLabelValue = 6; - } - RepairConfiguration repair = 11; - - message TaintConfiguration { - google.protobuf.BoolValue enabled = 1; - BaseKubernetesContainerConfiguration container = 2; - } - TaintConfiguration taint = 12; - - message ResourceQuotas { - google.protobuf.BoolValue enabled = 1; - string pods = 2; - repeated string priorityClasses = 3; - } - ResourceQuotas resourceQuotas = 13; - - BaseKubernetesResourceConfig daemonset = 14; -} - -// IstiodConfiguration defines config options for Istiod -message IstiodConfiguration { - // Deployment spec - BaseKubernetesResourceConfig deployment = 1; - // If enabled, pilot will run Istio analyzers and write analysis errors to the Status field of any Istio Resources - google.protobuf.BoolValue enableAnalysis = 2; - // If enabled, pilot will update the CRD Status field of all Istio resources with reconciliation status - google.protobuf.BoolValue enableStatus = 3; - // Settings for local istiod to control remote clusters as well - ExternalIstiodConfiguration externalIstiod = 4; - google.protobuf.FloatValue traceSampling = 5 [(google.api.field_behavior) = OUTPUT_ONLY]; - // If enabled, protocol sniffing will be used for outbound listeners whose port protocol is not specified or unsupported - google.protobuf.BoolValue enableProtocolSniffingOutbound = 6; - // If enabled, protocol sniffing will be used for inbound listeners whose port protocol is not specified or unsupported - google.protobuf.BoolValue enableProtocolSniffingInbound = 7; - // Configure the certificate provider for control plane communication. - // Currently, two providers are supported: "kubernetes" and "istiod". - // As some platforms may not have kubernetes signing APIs, - // Istiod is the default - // +kubebuilder:validation:Enum=KUBERNETES;ISTIOD - PilotCertProviderType certProvider = 8; - // SPIFFE configuration of Pilot - SPIFFEConfiguration spiffe = 9; -} - -// ExternalIstiodConfiguration defines settings for local istiod to control remote clusters as well -message ExternalIstiodConfiguration { - google.protobuf.BoolValue enabled = 1; -} - -enum PilotCertProviderType { - PilotCertProviderType_UNSPECIFIED = 0; - KUBERNETES = 1; - ISTIOD = 2; -} - -// SPIFFEConfiguration is for SPIFFE configuration of Pilot -message SPIFFEConfiguration { - OperatorEndpointsConfiguration operatorEndpoints = 1; -} - -// OperatorEndpointsConfiguration defines config options for automatic SPIFFE endpoints -message OperatorEndpointsConfiguration { - google.protobuf.BoolValue enabled = 1; -} - -message TelemetryV2Configuration { - google.protobuf.BoolValue enabled = 1; -} - -// ProxyWasmConfiguration defines config options for Envoy wasm -message ProxyWasmConfiguration { - google.protobuf.BoolValue enabled = 1; -} - -// PDBConfiguration holds Pod Disruption Budget related config options -message PDBConfiguration { - google.protobuf.BoolValue enabled = 1; -} - -enum JWTPolicyType { - JWTPolicyType_UNSPECIFIED = 0; - THIRD_PARTY_JWT = 1; - FIRST_PARTY_JWT = 2; -} - -message HTTPProxyEnvsConfiguration { - string httpProxy = 1; - string httpsProxy = 2; - string noProxy = 3; -} - -// -message IstioControlPlaneStatus { - // Reconciliation status of the Istio control plane - ConfigState status = 1; - - // Cluster ID - string clusterID = 2; - - // Name of the IstioControlPlane resource - // It is used on remote clusters in the PeerIstioControlPlane resource status - // to identify the original Istio control plane - string istioControlPlaneName = 3; - - // Current addresses for the corresponding gateways - repeated string gatewayAddress = 4; - - // Current addresses for the corresponding istiod pods - repeated string istiodAddresses = 5; - - // Namespaces which are set for injection for this control plane - repeated string injectionNamespaces = 6; - - // Istio CA root certificate - string caRootCertificate = 7; - - // Reconciliation error message if any - string errorMessage = 8; - - istio.mesh.v1alpha1.MeshConfig meshConfig = 9; - - StatusChecksums checksums = 10; -} - -// -message StatusChecksums { - string meshConfig = 1; - string sidecarInjector = 2; -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane_deepcopy.gen.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane_deepcopy.gen.go deleted file mode 100644 index d037fbf5e..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane_deepcopy.gen.go +++ /dev/null @@ -1,573 +0,0 @@ -// Code generated by protoc-gen-deepcopy. DO NOT EDIT. -package v1alpha1 - -import ( - proto "github.com/golang/protobuf/proto" -) - -// DeepCopyInto supports using IstioControlPlaneSpec within kubernetes types, where deepcopy-gen is used. -func (in *IstioControlPlaneSpec) DeepCopyInto(out *IstioControlPlaneSpec) { - p := proto.Clone(in).(*IstioControlPlaneSpec) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioControlPlaneSpec. Required by controller-gen. -func (in *IstioControlPlaneSpec) DeepCopy() *IstioControlPlaneSpec { - if in == nil { - return nil - } - out := new(IstioControlPlaneSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new IstioControlPlaneSpec. Required by controller-gen. -func (in *IstioControlPlaneSpec) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using SidecarInjectorConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *SidecarInjectorConfiguration) DeepCopyInto(out *SidecarInjectorConfiguration) { - p := proto.Clone(in).(*SidecarInjectorConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SidecarInjectorConfiguration. Required by controller-gen. -func (in *SidecarInjectorConfiguration) DeepCopy() *SidecarInjectorConfiguration { - if in == nil { - return nil - } - out := new(SidecarInjectorConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new SidecarInjectorConfiguration. Required by controller-gen. -func (in *SidecarInjectorConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using SidecarInjectionTemplates within kubernetes types, where deepcopy-gen is used. -func (in *SidecarInjectionTemplates) DeepCopyInto(out *SidecarInjectionTemplates) { - p := proto.Clone(in).(*SidecarInjectionTemplates) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SidecarInjectionTemplates. Required by controller-gen. -func (in *SidecarInjectionTemplates) DeepCopy() *SidecarInjectionTemplates { - if in == nil { - return nil - } - out := new(SidecarInjectionTemplates) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new SidecarInjectionTemplates. Required by controller-gen. -func (in *SidecarInjectionTemplates) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using CustomSidecarInjectionTemplates within kubernetes types, where deepcopy-gen is used. -func (in *CustomSidecarInjectionTemplates) DeepCopyInto(out *CustomSidecarInjectionTemplates) { - p := proto.Clone(in).(*CustomSidecarInjectionTemplates) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomSidecarInjectionTemplates. Required by controller-gen. -func (in *CustomSidecarInjectionTemplates) DeepCopy() *CustomSidecarInjectionTemplates { - if in == nil { - return nil - } - out := new(CustomSidecarInjectionTemplates) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new CustomSidecarInjectionTemplates. Required by controller-gen. -func (in *CustomSidecarInjectionTemplates) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using MeshExpansionConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *MeshExpansionConfiguration) DeepCopyInto(out *MeshExpansionConfiguration) { - p := proto.Clone(in).(*MeshExpansionConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshExpansionConfiguration. Required by controller-gen. -func (in *MeshExpansionConfiguration) DeepCopy() *MeshExpansionConfiguration { - if in == nil { - return nil - } - out := new(MeshExpansionConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new MeshExpansionConfiguration. Required by controller-gen. -func (in *MeshExpansionConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using MeshExpansionConfiguration_Istiod within kubernetes types, where deepcopy-gen is used. -func (in *MeshExpansionConfiguration_Istiod) DeepCopyInto(out *MeshExpansionConfiguration_Istiod) { - p := proto.Clone(in).(*MeshExpansionConfiguration_Istiod) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshExpansionConfiguration_Istiod. Required by controller-gen. -func (in *MeshExpansionConfiguration_Istiod) DeepCopy() *MeshExpansionConfiguration_Istiod { - if in == nil { - return nil - } - out := new(MeshExpansionConfiguration_Istiod) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new MeshExpansionConfiguration_Istiod. Required by controller-gen. -func (in *MeshExpansionConfiguration_Istiod) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using MeshExpansionConfiguration_Webhook within kubernetes types, where deepcopy-gen is used. -func (in *MeshExpansionConfiguration_Webhook) DeepCopyInto(out *MeshExpansionConfiguration_Webhook) { - p := proto.Clone(in).(*MeshExpansionConfiguration_Webhook) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshExpansionConfiguration_Webhook. Required by controller-gen. -func (in *MeshExpansionConfiguration_Webhook) DeepCopy() *MeshExpansionConfiguration_Webhook { - if in == nil { - return nil - } - out := new(MeshExpansionConfiguration_Webhook) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new MeshExpansionConfiguration_Webhook. Required by controller-gen. -func (in *MeshExpansionConfiguration_Webhook) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using MeshExpansionConfiguration_ClusterServices within kubernetes types, where deepcopy-gen is used. -func (in *MeshExpansionConfiguration_ClusterServices) DeepCopyInto(out *MeshExpansionConfiguration_ClusterServices) { - p := proto.Clone(in).(*MeshExpansionConfiguration_ClusterServices) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshExpansionConfiguration_ClusterServices. Required by controller-gen. -func (in *MeshExpansionConfiguration_ClusterServices) DeepCopy() *MeshExpansionConfiguration_ClusterServices { - if in == nil { - return nil - } - out := new(MeshExpansionConfiguration_ClusterServices) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new MeshExpansionConfiguration_ClusterServices. Required by controller-gen. -func (in *MeshExpansionConfiguration_ClusterServices) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using MeshExpansionConfiguration_IstioMeshGatewayConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) DeepCopyInto(out *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) { - p := proto.Clone(in).(*MeshExpansionConfiguration_IstioMeshGatewayConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshExpansionConfiguration_IstioMeshGatewayConfiguration. Required by controller-gen. -func (in *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) DeepCopy() *MeshExpansionConfiguration_IstioMeshGatewayConfiguration { - if in == nil { - return nil - } - out := new(MeshExpansionConfiguration_IstioMeshGatewayConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new MeshExpansionConfiguration_IstioMeshGatewayConfiguration. Required by controller-gen. -func (in *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using LoggingConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *LoggingConfiguration) DeepCopyInto(out *LoggingConfiguration) { - p := proto.Clone(in).(*LoggingConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingConfiguration. Required by controller-gen. -func (in *LoggingConfiguration) DeepCopy() *LoggingConfiguration { - if in == nil { - return nil - } - out := new(LoggingConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new LoggingConfiguration. Required by controller-gen. -func (in *LoggingConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using SDSConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *SDSConfiguration) DeepCopyInto(out *SDSConfiguration) { - p := proto.Clone(in).(*SDSConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SDSConfiguration. Required by controller-gen. -func (in *SDSConfiguration) DeepCopy() *SDSConfiguration { - if in == nil { - return nil - } - out := new(SDSConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new SDSConfiguration. Required by controller-gen. -func (in *SDSConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using ProxyConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *ProxyConfiguration) DeepCopyInto(out *ProxyConfiguration) { - p := proto.Clone(in).(*ProxyConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfiguration. Required by controller-gen. -func (in *ProxyConfiguration) DeepCopy() *ProxyConfiguration { - if in == nil { - return nil - } - out := new(ProxyConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfiguration. Required by controller-gen. -func (in *ProxyConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using ProxyInitConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *ProxyInitConfiguration) DeepCopyInto(out *ProxyInitConfiguration) { - p := proto.Clone(in).(*ProxyInitConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyInitConfiguration. Required by controller-gen. -func (in *ProxyInitConfiguration) DeepCopy() *ProxyInitConfiguration { - if in == nil { - return nil - } - out := new(ProxyInitConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ProxyInitConfiguration. Required by controller-gen. -func (in *ProxyInitConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using CNIConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *CNIConfiguration) DeepCopyInto(out *CNIConfiguration) { - p := proto.Clone(in).(*CNIConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CNIConfiguration. Required by controller-gen. -func (in *CNIConfiguration) DeepCopy() *CNIConfiguration { - if in == nil { - return nil - } - out := new(CNIConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new CNIConfiguration. Required by controller-gen. -func (in *CNIConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using CNIConfiguration_RepairConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *CNIConfiguration_RepairConfiguration) DeepCopyInto(out *CNIConfiguration_RepairConfiguration) { - p := proto.Clone(in).(*CNIConfiguration_RepairConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CNIConfiguration_RepairConfiguration. Required by controller-gen. -func (in *CNIConfiguration_RepairConfiguration) DeepCopy() *CNIConfiguration_RepairConfiguration { - if in == nil { - return nil - } - out := new(CNIConfiguration_RepairConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new CNIConfiguration_RepairConfiguration. Required by controller-gen. -func (in *CNIConfiguration_RepairConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using CNIConfiguration_TaintConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *CNIConfiguration_TaintConfiguration) DeepCopyInto(out *CNIConfiguration_TaintConfiguration) { - p := proto.Clone(in).(*CNIConfiguration_TaintConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CNIConfiguration_TaintConfiguration. Required by controller-gen. -func (in *CNIConfiguration_TaintConfiguration) DeepCopy() *CNIConfiguration_TaintConfiguration { - if in == nil { - return nil - } - out := new(CNIConfiguration_TaintConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new CNIConfiguration_TaintConfiguration. Required by controller-gen. -func (in *CNIConfiguration_TaintConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using CNIConfiguration_ResourceQuotas within kubernetes types, where deepcopy-gen is used. -func (in *CNIConfiguration_ResourceQuotas) DeepCopyInto(out *CNIConfiguration_ResourceQuotas) { - p := proto.Clone(in).(*CNIConfiguration_ResourceQuotas) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CNIConfiguration_ResourceQuotas. Required by controller-gen. -func (in *CNIConfiguration_ResourceQuotas) DeepCopy() *CNIConfiguration_ResourceQuotas { - if in == nil { - return nil - } - out := new(CNIConfiguration_ResourceQuotas) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new CNIConfiguration_ResourceQuotas. Required by controller-gen. -func (in *CNIConfiguration_ResourceQuotas) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using IstiodConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *IstiodConfiguration) DeepCopyInto(out *IstiodConfiguration) { - p := proto.Clone(in).(*IstiodConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstiodConfiguration. Required by controller-gen. -func (in *IstiodConfiguration) DeepCopy() *IstiodConfiguration { - if in == nil { - return nil - } - out := new(IstiodConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new IstiodConfiguration. Required by controller-gen. -func (in *IstiodConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using ExternalIstiodConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *ExternalIstiodConfiguration) DeepCopyInto(out *ExternalIstiodConfiguration) { - p := proto.Clone(in).(*ExternalIstiodConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalIstiodConfiguration. Required by controller-gen. -func (in *ExternalIstiodConfiguration) DeepCopy() *ExternalIstiodConfiguration { - if in == nil { - return nil - } - out := new(ExternalIstiodConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ExternalIstiodConfiguration. Required by controller-gen. -func (in *ExternalIstiodConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using SPIFFEConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *SPIFFEConfiguration) DeepCopyInto(out *SPIFFEConfiguration) { - p := proto.Clone(in).(*SPIFFEConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SPIFFEConfiguration. Required by controller-gen. -func (in *SPIFFEConfiguration) DeepCopy() *SPIFFEConfiguration { - if in == nil { - return nil - } - out := new(SPIFFEConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new SPIFFEConfiguration. Required by controller-gen. -func (in *SPIFFEConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using OperatorEndpointsConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *OperatorEndpointsConfiguration) DeepCopyInto(out *OperatorEndpointsConfiguration) { - p := proto.Clone(in).(*OperatorEndpointsConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OperatorEndpointsConfiguration. Required by controller-gen. -func (in *OperatorEndpointsConfiguration) DeepCopy() *OperatorEndpointsConfiguration { - if in == nil { - return nil - } - out := new(OperatorEndpointsConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new OperatorEndpointsConfiguration. Required by controller-gen. -func (in *OperatorEndpointsConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using TelemetryV2Configuration within kubernetes types, where deepcopy-gen is used. -func (in *TelemetryV2Configuration) DeepCopyInto(out *TelemetryV2Configuration) { - p := proto.Clone(in).(*TelemetryV2Configuration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TelemetryV2Configuration. Required by controller-gen. -func (in *TelemetryV2Configuration) DeepCopy() *TelemetryV2Configuration { - if in == nil { - return nil - } - out := new(TelemetryV2Configuration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new TelemetryV2Configuration. Required by controller-gen. -func (in *TelemetryV2Configuration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using ProxyWasmConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *ProxyWasmConfiguration) DeepCopyInto(out *ProxyWasmConfiguration) { - p := proto.Clone(in).(*ProxyWasmConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyWasmConfiguration. Required by controller-gen. -func (in *ProxyWasmConfiguration) DeepCopy() *ProxyWasmConfiguration { - if in == nil { - return nil - } - out := new(ProxyWasmConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ProxyWasmConfiguration. Required by controller-gen. -func (in *ProxyWasmConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using PDBConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *PDBConfiguration) DeepCopyInto(out *PDBConfiguration) { - p := proto.Clone(in).(*PDBConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PDBConfiguration. Required by controller-gen. -func (in *PDBConfiguration) DeepCopy() *PDBConfiguration { - if in == nil { - return nil - } - out := new(PDBConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PDBConfiguration. Required by controller-gen. -func (in *PDBConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using HTTPProxyEnvsConfiguration within kubernetes types, where deepcopy-gen is used. -func (in *HTTPProxyEnvsConfiguration) DeepCopyInto(out *HTTPProxyEnvsConfiguration) { - p := proto.Clone(in).(*HTTPProxyEnvsConfiguration) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPProxyEnvsConfiguration. Required by controller-gen. -func (in *HTTPProxyEnvsConfiguration) DeepCopy() *HTTPProxyEnvsConfiguration { - if in == nil { - return nil - } - out := new(HTTPProxyEnvsConfiguration) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new HTTPProxyEnvsConfiguration. Required by controller-gen. -func (in *HTTPProxyEnvsConfiguration) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using IstioControlPlaneStatus within kubernetes types, where deepcopy-gen is used. -func (in *IstioControlPlaneStatus) DeepCopyInto(out *IstioControlPlaneStatus) { - p := proto.Clone(in).(*IstioControlPlaneStatus) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioControlPlaneStatus. Required by controller-gen. -func (in *IstioControlPlaneStatus) DeepCopy() *IstioControlPlaneStatus { - if in == nil { - return nil - } - out := new(IstioControlPlaneStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new IstioControlPlaneStatus. Required by controller-gen. -func (in *IstioControlPlaneStatus) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using StatusChecksums within kubernetes types, where deepcopy-gen is used. -func (in *StatusChecksums) DeepCopyInto(out *StatusChecksums) { - p := proto.Clone(in).(*StatusChecksums) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatusChecksums. Required by controller-gen. -func (in *StatusChecksums) DeepCopy() *StatusChecksums { - if in == nil { - return nil - } - out := new(StatusChecksums) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new StatusChecksums. Required by controller-gen. -func (in *StatusChecksums) DeepCopyInterface() interface{} { - return in.DeepCopy() -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane_json.gen.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane_json.gen.go deleted file mode 100644 index 9067310c9..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane_json.gen.go +++ /dev/null @@ -1,309 +0,0 @@ -// Code generated by protoc-gen-jsonshim. DO NOT EDIT. -package v1alpha1 - -import ( - bytes "bytes" - jsonpb "github.com/golang/protobuf/jsonpb" -) - -// MarshalJSON is a custom marshaler for IstioControlPlaneSpec -func (this *IstioControlPlaneSpec) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for IstioControlPlaneSpec -func (this *IstioControlPlaneSpec) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for SidecarInjectorConfiguration -func (this *SidecarInjectorConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for SidecarInjectorConfiguration -func (this *SidecarInjectorConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for SidecarInjectionTemplates -func (this *SidecarInjectionTemplates) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for SidecarInjectionTemplates -func (this *SidecarInjectionTemplates) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for CustomSidecarInjectionTemplates -func (this *CustomSidecarInjectionTemplates) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for CustomSidecarInjectionTemplates -func (this *CustomSidecarInjectionTemplates) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for MeshExpansionConfiguration -func (this *MeshExpansionConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for MeshExpansionConfiguration -func (this *MeshExpansionConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for MeshExpansionConfiguration_Istiod -func (this *MeshExpansionConfiguration_Istiod) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for MeshExpansionConfiguration_Istiod -func (this *MeshExpansionConfiguration_Istiod) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for MeshExpansionConfiguration_Webhook -func (this *MeshExpansionConfiguration_Webhook) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for MeshExpansionConfiguration_Webhook -func (this *MeshExpansionConfiguration_Webhook) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for MeshExpansionConfiguration_ClusterServices -func (this *MeshExpansionConfiguration_ClusterServices) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for MeshExpansionConfiguration_ClusterServices -func (this *MeshExpansionConfiguration_ClusterServices) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for MeshExpansionConfiguration_IstioMeshGatewayConfiguration -func (this *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for MeshExpansionConfiguration_IstioMeshGatewayConfiguration -func (this *MeshExpansionConfiguration_IstioMeshGatewayConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for LoggingConfiguration -func (this *LoggingConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for LoggingConfiguration -func (this *LoggingConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for SDSConfiguration -func (this *SDSConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for SDSConfiguration -func (this *SDSConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for ProxyConfiguration -func (this *ProxyConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for ProxyConfiguration -func (this *ProxyConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for ProxyInitConfiguration -func (this *ProxyInitConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for ProxyInitConfiguration -func (this *ProxyInitConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for CNIConfiguration -func (this *CNIConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for CNIConfiguration -func (this *CNIConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for CNIConfiguration_RepairConfiguration -func (this *CNIConfiguration_RepairConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for CNIConfiguration_RepairConfiguration -func (this *CNIConfiguration_RepairConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for CNIConfiguration_TaintConfiguration -func (this *CNIConfiguration_TaintConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for CNIConfiguration_TaintConfiguration -func (this *CNIConfiguration_TaintConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for CNIConfiguration_ResourceQuotas -func (this *CNIConfiguration_ResourceQuotas) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for CNIConfiguration_ResourceQuotas -func (this *CNIConfiguration_ResourceQuotas) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for IstiodConfiguration -func (this *IstiodConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for IstiodConfiguration -func (this *IstiodConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for ExternalIstiodConfiguration -func (this *ExternalIstiodConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for ExternalIstiodConfiguration -func (this *ExternalIstiodConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for SPIFFEConfiguration -func (this *SPIFFEConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for SPIFFEConfiguration -func (this *SPIFFEConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for OperatorEndpointsConfiguration -func (this *OperatorEndpointsConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for OperatorEndpointsConfiguration -func (this *OperatorEndpointsConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for TelemetryV2Configuration -func (this *TelemetryV2Configuration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for TelemetryV2Configuration -func (this *TelemetryV2Configuration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for ProxyWasmConfiguration -func (this *ProxyWasmConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for ProxyWasmConfiguration -func (this *ProxyWasmConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for PDBConfiguration -func (this *PDBConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for PDBConfiguration -func (this *PDBConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for HTTPProxyEnvsConfiguration -func (this *HTTPProxyEnvsConfiguration) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for HTTPProxyEnvsConfiguration -func (this *HTTPProxyEnvsConfiguration) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for IstioControlPlaneStatus -func (this *IstioControlPlaneStatus) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for IstioControlPlaneStatus -func (this *IstioControlPlaneStatus) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for StatusChecksums -func (this *StatusChecksums) MarshalJSON() ([]byte, error) { - str, err := IstiocontrolplaneMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for StatusChecksums -func (this *StatusChecksums) UnmarshalJSON(b []byte) error { - return IstiocontrolplaneUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -var ( - IstiocontrolplaneMarshaler = &jsonpb.Marshaler{} - IstiocontrolplaneUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} -) diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane_types.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane_types.go deleted file mode 100644 index 8822b43c3..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiocontrolplane_types.go +++ /dev/null @@ -1,243 +0,0 @@ -/* -Copyright 2021 Cisco Systems, Inc. and/or its affiliates. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - fmt "fmt" - "strings" - - v1alpha1 "istio.io/api/mesh/v1alpha1" - corev1 "k8s.io/api/core/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "k8s.io/apimachinery/pkg/types" -) - -const ( - RevisionedAutoInjectionLabel = "istio.io/rev" - DeprecatedAutoInjectionLabel = "istio-injection" - NamespaceInjectionSourceAnnotation = "controlplane.istio.servicemesh.cisco.com/namespace-injection-source" -) - -type SortableIstioControlPlaneItems []IstioControlPlane - -func (list SortableIstioControlPlaneItems) Len() int { - return len(list) -} - -func (list SortableIstioControlPlaneItems) Swap(i, j int) { - list[i], list[j] = list[j], list[i] -} - -func (list SortableIstioControlPlaneItems) Less(i, j int) bool { - return list[i].CreationTimestamp.Time.Before(list[j].CreationTimestamp.Time) -} - -// +kubebuilder:object:root=true - -// IstioControlPlane is the Schema for the istiocontrolplanes API -// +kubebuilder:resource:path=istiocontrolplanes,shortName=icp;istiocp -type IstioControlPlane struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - Spec *IstioControlPlaneSpec `json:"spec,omitempty"` - Status *IstioControlPlaneStatus `json:"status,omitempty"` -} - -func (icp *IstioControlPlane) SetStatus(status ConfigState, errorMessage string) { - icp.GetStatus().Status = status - icp.GetStatus().ErrorMessage = errorMessage -} - -func (icp *IstioControlPlane) GetStatus() *IstioControlPlaneStatus { - if icp.Status == nil { - icp.Status = &IstioControlPlaneStatus{} - } - - return icp.Status -} - -func (icp *IstioControlPlane) GetSpec() *IstioControlPlaneSpec { - if icp.Spec != nil { - return icp.Spec - } - - return nil -} - -func (r *ResourceRequirements) ConvertToK8sRR() *corev1.ResourceRequirements { - rr := &corev1.ResourceRequirements{ - Limits: make(corev1.ResourceList), - Requests: make(corev1.ResourceList), - } - - if r == nil { - return rr - } - - for k, v := range r.Limits { - rr.Limits[corev1.ResourceName(k)] = v.Quantity - } - - for k, v := range r.Requests { - rr.Requests[corev1.ResourceName(k)] = v.Quantity - } - - return rr -} - -func InitResourceRequirementsFromK8sRR(rr *corev1.ResourceRequirements) *ResourceRequirements { - r := &ResourceRequirements{ - Limits: make(map[string]*Quantity), - Requests: make(map[string]*Quantity), - } - - if rr == nil { - return r - } - - for k, v := range rr.Limits { - r.Limits[string(k)] = &Quantity{ - Quantity: v, - } - } - - for k, v := range rr.Requests { - r.Requests[string(k)] = &Quantity{ - Quantity: v, - } - } - - return r -} - -func (icp *IstioControlPlane) Revision() string { - return strings.ReplaceAll(icp.GetName(), ".", "-") -} - -func (icp *IstioControlPlane) NamespacedRevision() string { - return NamespacedRevision(icp.Revision(), icp.GetNamespace()) -} - -func (icp *IstioControlPlane) RevisionLabels() map[string]string { - return map[string]string{ - RevisionedAutoInjectionLabel: icp.NamespacedRevision(), - } -} - -func (icp *IstioControlPlane) MeshExpansionGatewayLabels() map[string]string { - return map[string]string{ - RevisionedAutoInjectionLabel: icp.NamespacedRevision(), - "app": "istio-meshexpansion-gateway", - } -} - -func (icp *IstioControlPlane) WithRevision(s string) string { - return fmt.Sprintf("%s-%s", s, icp.Revision()) -} - -func (icp *IstioControlPlane) WithRevisionIf(s string, condition bool) string { - if !condition { - return s - } - - return icp.WithRevision(s) -} - -func (icp *IstioControlPlane) WithNamespacedRevision(s string) string { - return fmt.Sprintf("%s-%s", icp.WithRevision(s), icp.GetNamespace()) -} - -func NamespacedRevision(revision, namespace string) string { - return fmt.Sprintf("%s.%s", revision, namespace) -} - -func NamespacedNameFromRevision(revision string) types.NamespacedName { - nn := types.NamespacedName{} - p := strings.SplitN(revision, ".", 2) - if len(p) == 2 { - nn.Name = p[0] - nn.Namespace = p[1] - } - - return nn -} - -// +kubebuilder:object:generate=false -type IstioControlPlaneWithProperties struct { - *IstioControlPlane `json:"istioControlPlane,omitempty"` - Properties IstioControlPlaneProperties `json:"properties,omitempty"` -} - -// Properties of the IstioControlPlane -// +kubebuilder:object:generate=false -type IstioControlPlaneProperties struct { - Mesh *IstioMesh `json:"mesh,omitempty"` - MeshNetworks *v1alpha1.MeshNetworks `json:"meshNetworks,omitempty"` - TrustedRootCACertificatePEMs []string `json:"trustedRootCACertificatePEMs,omitempty"` -} - -func (p IstioControlPlaneProperties) GetMesh() *IstioMesh { - return p.Mesh -} - -// +kubebuilder:object:root=true - -// IstioControlPlaneList contains a list of IstioControlPlane -type IstioControlPlaneList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty"` - Items []IstioControlPlane `json:"items"` -} - -// PeerIstioControlPlane is the Schema for the clone of the istiocontrolplanes API -// +kubebuilder:object:root=true -type PeerIstioControlPlane struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty"` - - Spec *IstioControlPlaneSpec `json:"spec,omitempty"` - Status *IstioControlPlaneStatus `json:"status,omitempty"` -} - -func (icp *PeerIstioControlPlane) GetStatus() *IstioControlPlaneStatus { - if icp.Status == nil { - icp.Status = &IstioControlPlaneStatus{} - } - - return icp.Status -} - -func (icp *PeerIstioControlPlane) GetSpec() *IstioControlPlaneSpec { - if icp.Spec != nil { - return icp.Spec - } - - return nil -} - -// PeerIstioControlPlaneList contains a list of PeerIstioControlPlane -// +kubebuilder:object:root=true -type PeerIstioControlPlaneList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty"` - Items []PeerIstioControlPlane `json:"items"` -} - -func init() { - SchemeBuilder.Register(&IstioControlPlane{}, &IstioControlPlaneList{}, &PeerIstioControlPlane{}, &PeerIstioControlPlaneList{}) -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh.gen.json b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh.gen.json deleted file mode 100644 index ff1d12871..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh.gen.json +++ /dev/null @@ -1,1971 +0,0 @@ -{ - "openapi": "3.0.0", - "info": { - "title": "Istio Mesh descriptor", - "version": "v1alpha1" - }, - "components": { - "schemas": { - "istio.mesh.v1alpha1.AuthenticationPolicy": { - "description": "AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane. It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation. Mesh policy cannot be INHERIT.", - "type": "string", - "enum": [ - "NONE", - "MUTUAL_TLS", - "INHERIT" - ] - }, - "istio.mesh.v1alpha1.Certificate": { - "type": "object", - "properties": { - "secretName": { - "description": "Name of the secret the certificate and its key will be stored into. If it is empty, it will not be stored into a secret. Instead, the certificate and its key will be stored into a hard-coded directory.", - "type": "string" - }, - "dnsNames": { - "description": "The DNS names for the certificate. A certificate may contain multiple DNS names.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.mesh.v1alpha1.ConfigSource": { - "description": "ConfigSource describes information about a configuration store inside a mesh. A single control plane instance can interact with one or more data sources.", - "type": "object", - "properties": { - "address": { - "description": "Address of the server implementing the Istio Mesh Configuration protocol (MCP). Can be IP address or a fully qualified DNS name. Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or fs:/// to specify a file-based backend with absolute path to the directory.", - "type": "string" - }, - "tlsSettings": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings" - }, - "subscribedResources": { - "description": "Describes the source of configuration, if nothing is specified default is MCP", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Resource" - } - } - } - }, - "istio.mesh.v1alpha1.MeshConfig": { - "description": "MeshConfig defines mesh-wide settings for the Istio service mesh.", - "type": "object", - "properties": { - "localityLbSetting": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.LocalityLoadBalancerSetting" - }, - "connectTimeout": { - "description": "Connection timeout used by Envoy. (MUST BE \u003e=1ms) Default timeout is 10s.", - "type": "string" - }, - "tcpKeepalive": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive" - }, - "h2UpgradePolicy": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.H2UpgradePolicy" - }, - "caCertificates": { - "description": "The extra root certificates for workload-to-workload communication. The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret) are automatically added by Istiod. The CA certificate that signs the workload certificates is automatically added by Istio Agent.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.CertificateData" - } - }, - "proxyListenPort": { - "description": "Port on which Envoy should listen for incoming connections from other services. Default port is 15001.", - "type": "integer", - "format": "int32" - }, - "proxyHttpPort": { - "description": "Port on which Envoy should listen for HTTP PROXY requests if set.", - "type": "integer", - "format": "int32" - }, - "protocolDetectionTimeout": { - "description": "Automatic protocol detection uses a set of heuristics to determine whether the connection is using TLS or not (on the server side), as well as the application protocol being used (e.g., http vs tcp). These heuristics rely on the client sending the first bits of data. For server first protocols like MySQL, MongoDB, etc. Envoy will timeout on the protocol detection after the specified period, defaulting to non mTLS plain TCP traffic. Set this field to tweak the period that Envoy will wait for the client to send the first bits of data. (MUST BE \u003e=1ms or 0s to disable). Default detection timeout is 0s (no timeout).", - "type": "string" - }, - "ingressClass": { - "description": "Class of ingress resources to be processed by Istio ingress controller. This corresponds to the value of `kubernetes.io/ingress.class` annotation.", - "type": "string" - }, - "ingressService": { - "description": "Name of the Kubernetes service used for the istio ingress controller. If no ingress controller is specified, the default value `istio-ingressgateway` is used.", - "type": "string" - }, - "ingressControllerMode": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.IngressControllerMode" - }, - "ingressSelector": { - "description": "Defines which gateway deployment to use as the Ingress controller. This field corresponds to the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`. By default, `ingressgateway` is used, which will select the default IngressGateway as it has the `istio: ingressgateway` labels. It is recommended that this is the same value as ingress_service.", - "type": "string" - }, - "enableTracing": { - "description": "Flag to control generation of trace spans and request IDs. Requires a trace span collector defined in the proxy configuration.", - "type": "boolean" - }, - "accessLogFile": { - "description": "File address for the proxy access log (e.g. /dev/stdout). Empty value disables access logging.", - "type": "string" - }, - "accessLogFormat": { - "description": "Format for the proxy access log Empty value results in proxy's default access log format", - "type": "string" - }, - "accessLogEncoding": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.AccessLogEncoding" - }, - "enableEnvoyAccessLogService": { - "description": "This flag enables Envoy's gRPC Access Log Service. See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto) for details about Envoy's gRPC Access Log Service API. Default value is `false`.", - "type": "boolean" - }, - "disableEnvoyListenerLog": { - "description": "This flag disables Envoy Listener logs. See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log) Istio Enables Envoy's listener access logs on \"NoRoute\" response flag. Default value is `false`.", - "type": "boolean" - }, - "defaultConfig": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig" - }, - "outboundTrafficPolicy": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy" - }, - "configSources": { - "description": "ConfigSource describes a source of configuration data for networking rules, and other Istio configuration artifacts. Multiple data sources can be configured for a single control plane.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ConfigSource" - } - }, - "enableAutoMtls": { - "description": "This flag is used to enable mutual `TLS` automatically for service to service communication within the mesh, default true. If set to true, and a given service does not have a corresponding `DestinationRule` configured, or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side TLS configuration appropriately. More specifically, If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate for mutual `TLS` to connect to upstream. If upstream service is in plain text mode, use plain text. If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic. If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead.", - "type": "boolean", - "nullable": true - }, - "trustDomain": { - "description": "The trust domain corresponds to the trust root of a system. Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain)", - "type": "string" - }, - "trustDomainAliases": { - "description": "The trust domain aliases represent the aliases of `trust_domain`. For example, if we have ```yaml trustDomain: td1 trustDomainAliases: [\"td2\", \"td3\"] ``` Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`, or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh.", - "type": "array", - "items": { - "type": "string" - } - }, - "defaultServiceExportTo": { - "description": "The default value for the ServiceEntry.export_to field and services imported through container registry integrations, e.g. this applies to Kubernetes Service resources. The value is a list of namespace names and reserved namespace aliases. The allowed namespace aliases are: ``` * - All Namespaces . - Current Namespace ~ - No Namespace ``` If not set the system will use \"*\" as the default value which implies that services are exported to all namespaces. `All namespaces` is a reasonable default for implementations that don't need to restrict access or visibility of services across namespace boundaries. If that requirement is present it is generally good practice to make the default `Current namespace` so that services are only visible within their own namespaces by default. Operators can then expand the visibility of services to other namespaces as needed. Use of `No Namespace` is expected to be rare but can have utility for deployments where dependency management needs to be precise even within the scope of a single namespace. For further discussion see the reference documentation for `ServiceEntry`, `Sidecar`, and `Gateway`.", - "type": "array", - "items": { - "type": "string" - } - }, - "defaultVirtualServiceExportTo": { - "description": "The default value for the VirtualService.export_to field. Has the same syntax as `default_service_export_to`. If not set the system will use \"*\" as the default value which implies that virtual services are exported to all namespaces", - "type": "array", - "items": { - "type": "string" - } - }, - "defaultDestinationRuleExportTo": { - "description": "The default value for the `DestinationRule.export_to` field. Has the same syntax as `default_service_export_to`. If not set the system will use \"*\" as the default value which implies that destination rules are exported to all namespaces", - "type": "array", - "items": { - "type": "string" - } - }, - "rootNamespace": { - "description": "The namespace to treat as the administrative root namespace for Istio configuration. When processing a leaf namespace Istio will search for declarations in that namespace first and if none are found it will search in the root namespace. Any matching declaration found in the root namespace is processed as if it were declared in the leaf namespace. The precise semantics of this processing are documented on each resource type.", - "type": "string" - }, - "dnsRefreshRate": { - "description": "Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS` Default refresh rate is `5s`.", - "type": "string" - }, - "inboundClusterStatName": { - "description": "Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. By default, Istio emits statistics with the pattern `inbound|\u003cport\u003e|\u003cport-name\u003e|\u003cservice-FQDN\u003e`. For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern. A Pattern can be composed of various pre-defined variables. The following variables are supported. - `%SERVICE%` - Will be substituted with name of the service. - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. - `%SERVICE_PORT%` - Will be substituted with port of the service. - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. Following are some examples of supported patterns for reviews: - `%SERVICE_FQDN%_%SERVICE_PORT%` will use reviews.prod.svc.cluster.local_7443 as the stats name. - `%SERVICE%` will use reviews.prod as the stats name.", - "type": "string" - }, - "outboundClusterStatName": { - "description": "Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for network filters like TCP and Redis. By default, Istio emits statistics with the pattern `outbound|\u003cport\u003e|\u003csubsetname\u003e|\u003cservice-FQDN\u003e`. For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern. A Pattern can be composed of various pre-defined variables. The following variables are supported. - `%SERVICE%` - Will be substituted with name of the service. - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service. - `%SERVICE_PORT%` - Will be substituted with port of the service. - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service. - `%SUBSET_NAME%` - Will be substituted with subset. Following are some examples of supported patterns for reviews: - `%SERVICE_FQDN%_%SERVICE_PORT%` will use `reviews.prod.svc.cluster.local_7443` as the stats name. - `%SERVICE%` will use reviews.prod as the stats name.", - "type": "string" - }, - "certificates": { - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Certificate" - } - }, - "serviceSettings": { - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ServiceSettings" - } - }, - "enablePrometheusMerge": { - "description": "If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics. This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and `prometheus.io/path` annotations. If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide. In this case, it is recommended to disable aggregation on that deployment with the `prometheus.istio.io/merge-metrics: \"false\"` annotation. If not specified, this will be enabled by default.", - "type": "boolean", - "nullable": true - }, - "verifyCertificateAtClient": { - "type": "boolean", - "deprecated": true, - "nullable": true - }, - "ca": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.CA" - }, - "extensionProviders": { - "description": "Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy can be used with an extension provider to delegate the authorization decision to a custom authorization system.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider" - } - }, - "defaultProviders": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.DefaultProviders" - }, - "discoverySelectors": { - "description": "A list of Kubernetes selectors that specify the set of namespaces that Istio considers when computing configuration updates for sidecars. This can be used to reduce Istio's computational load by limiting the number of entities (including services, pods, and endpoints) that are watched and processed. If omitted, Istio will use the default behavior of processing all namespaces in the cluster. Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector. The following example selects any namespace that matches either below: 1. The namespace has both of these labels: `env: prod` and `region: us-east1` 2. The namespace has label `app` equal to `cassandra` or `spark`. ```yaml discoverySelectors: - matchLabels: env: prod region: us-east1 - matchExpressions: - key: app operator: In values: - cassandra - spark ``` Refer to the [kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for additional detail on selector semantics.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - } - }, - "pathNormalization": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ProxyPathNormalization" - }, - "defaultHttpRetryPolicy": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.HTTPRetry" - }, - "meshMTLS": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.TLSConfig" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.AccessLogEncoding": { - "type": "string", - "enum": [ - "TEXT", - "JSON" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.CA": { - "type": "object", - "properties": { - "address": { - "description": "REQUIRED. Address of the CA server implementing the Istio CA gRPC API. Can be IP address or a fully qualified DNS name with port Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000", - "type": "string" - }, - "tlsSettings": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings" - }, - "requestTimeout": { - "description": "timeout for forward CSR requests from Istiod to External CA Default: 10s", - "type": "string" - }, - "istiodSide": { - "description": "Use istiod_side to specify CA Server integrate to Istiod side or Agent side Default: true", - "type": "boolean" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.CertificateData": { - "type": "object", - "properties": { - "certSigners": { - "description": "Optional. Specify the kubernetes signers (External CA) that use this trustAnchor when Istiod is acting as RA(registration authority) If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.", - "type": "array", - "items": { - "type": "string" - } - }, - "trustDomains": { - "description": "Optional. Specify the list of trust domains to which this trustAnchor data belongs. If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain and its aliases. Note that we can have multiple trustAnchor data for a same trust_domain. In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates. If neither cert_signers nor trust_domains is set, this trustAnchor is used for all trust domains and all signers. If only trust_domains is set, this trustAnchor is used for these trust_domains and all signers. If only cert_signers is set, this trustAnchor is used for these cert_signers and all trust domains. If both cert_signers and trust_domains is set, this trustAnchor is only used for these signers and trust domains.", - "type": "array", - "items": { - "type": "string" - } - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "pem" - ], - "properties": { - "pem": { - "description": "The PEM data of the certificate.", - "type": "string" - } - } - }, - { - "required": [ - "spiffeBundleUrl" - ], - "properties": { - "spiffeBundleUrl": { - "description": "The SPIFFE bundle endpoint URL that complies to: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint.", - "type": "string" - } - } - } - ] - } - }, - { - "required": [ - "pem" - ], - "properties": { - "pem": { - "description": "The PEM data of the certificate.", - "type": "string" - } - } - }, - { - "required": [ - "spiffeBundleUrl" - ], - "properties": { - "spiffeBundleUrl": { - "description": "The SPIFFE bundle endpoint URL that complies to: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle The endpoint should support authentication based on Web PKI: https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki The certificate is retrieved from the endpoint.", - "type": "string" - } - } - } - ] - }, - "istio.mesh.v1alpha1.MeshConfig.DefaultProviders": { - "description": "Holds the name references to the providers that will be used by default in other Istio configuration resources if the provider is not specified. These names must match a provider defined in `extension_providers` that is one of the supported tracing providers.", - "type": "object", - "properties": { - "tracing": { - "description": "Name of the default provider(s) for tracing.", - "type": "array", - "items": { - "type": "string" - } - }, - "metrics": { - "description": "Name of the default provider(s) for metrics.", - "type": "array", - "items": { - "type": "string" - } - }, - "accessLogging": { - "description": "Name of the default provider(s) for access logging.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider": { - "type": "object", - "properties": { - "name": { - "description": "REQUIRED. A unique name identifying the extension provider.", - "type": "string" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "envoyExtAuthzHttp" - ], - "properties": { - "envoyExtAuthzHttp": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider" - } - } - }, - { - "required": [ - "envoyExtAuthzGrpc" - ], - "properties": { - "envoyExtAuthzGrpc": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider" - } - } - }, - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider", - "deprecated": true - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider" - } - } - }, - { - "required": [ - "opencensus" - ], - "properties": { - "opencensus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider" - } - } - }, - { - "required": [ - "skywalking" - ], - "properties": { - "skywalking": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider" - } - } - }, - { - "required": [ - "opentelemetry" - ], - "properties": { - "opentelemetry": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider" - } - } - }, - { - "required": [ - "prometheus" - ], - "properties": { - "prometheus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider" - } - } - }, - { - "required": [ - "envoyFileAccessLog" - ], - "properties": { - "envoyFileAccessLog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider" - } - } - }, - { - "required": [ - "envoyHttpAls" - ], - "properties": { - "envoyHttpAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider" - } - } - }, - { - "required": [ - "envoyTcpAls" - ], - "properties": { - "envoyTcpAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider" - } - } - }, - { - "required": [ - "envoyOtelAls" - ], - "properties": { - "envoyOtelAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider" - } - } - }, - {} - ] - } - }, - { - "required": [ - "envoyExtAuthzHttp" - ], - "properties": { - "envoyExtAuthzHttp": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider" - } - } - }, - { - "required": [ - "envoyExtAuthzGrpc" - ], - "properties": { - "envoyExtAuthzGrpc": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider" - } - } - }, - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider", - "deprecated": true - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider" - } - } - }, - { - "required": [ - "opencensus" - ], - "properties": { - "opencensus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider" - } - } - }, - { - "required": [ - "skywalking" - ], - "properties": { - "skywalking": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider" - } - } - }, - { - "required": [ - "opentelemetry" - ], - "properties": { - "opentelemetry": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider" - } - } - }, - { - "required": [ - "prometheus" - ], - "properties": { - "prometheus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider" - } - } - }, - { - "required": [ - "envoyFileAccessLog" - ], - "properties": { - "envoyFileAccessLog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider" - } - } - }, - { - "required": [ - "envoyHttpAls" - ], - "properties": { - "envoyHttpAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider" - } - } - }, - { - "required": [ - "envoyTcpAls" - ], - "properties": { - "envoyTcpAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider" - } - } - }, - { - "required": [ - "envoyOtelAls" - ], - "properties": { - "envoyOtelAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider" - } - } - }, - { - "not": { - "anyOf": [ - {}, - { - "required": [ - "envoyExtAuthzHttp" - ], - "properties": { - "envoyExtAuthzHttp": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider" - } - } - }, - { - "required": [ - "envoyExtAuthzGrpc" - ], - "properties": { - "envoyExtAuthzGrpc": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider" - } - } - }, - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider", - "deprecated": true - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider" - } - } - }, - { - "required": [ - "opencensus" - ], - "properties": { - "opencensus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider" - } - } - }, - { - "required": [ - "skywalking" - ], - "properties": { - "skywalking": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider" - } - } - }, - { - "required": [ - "opentelemetry" - ], - "properties": { - "opentelemetry": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider" - } - } - }, - { - "required": [ - "prometheus" - ], - "properties": { - "prometheus": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider" - } - } - }, - { - "required": [ - "envoyFileAccessLog" - ], - "properties": { - "envoyFileAccessLog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider" - } - } - }, - { - "required": [ - "envoyHttpAls" - ], - "properties": { - "envoyHttpAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider" - } - } - }, - { - "required": [ - "envoyTcpAls" - ], - "properties": { - "envoyTcpAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider" - } - } - }, - { - "required": [ - "envoyOtelAls" - ], - "properties": { - "envoyOtelAls": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider" - } - } - } - ] - } - } - ] - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.DatadogTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationGrpcProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyExternalAuthorizationHttpProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyFileAccessLogProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyHttpGrpcV3LogProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyOpenTelemetryLogProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.EnvoyTcpGrpcV3LogProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.LightstepTracingProvider", - "deprecated": true - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenCensusAgentTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.OpenTelemetryTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.PrometheusMetricsProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.SkyWalkingTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.StackdriverProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ExtensionProvider.ZipkinTracingProvider" - }, - "istio.mesh.v1alpha1.MeshConfig.H2UpgradePolicy": { - "description": "Default Policy for upgrading http1.1 connections to http2.", - "type": "string", - "enum": [ - "DO_NOT_UPGRADE", - "UPGRADE" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.IngressControllerMode": { - "type": "string", - "enum": [ - "UNSPECIFIED", - "OFF", - "DEFAULT", - "STRICT" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy": { - "type": "object", - "properties": { - "mode": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy.Mode" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.OutboundTrafficPolicy.Mode": { - "type": "string", - "enum": [ - "REGISTRY_ONLY", - "ALLOW_ANY" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.ProxyPathNormalization": { - "type": "object", - "properties": { - "normalization": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ProxyPathNormalization.NormalizationType" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.ProxyPathNormalization.NormalizationType": { - "type": "string", - "enum": [ - "DEFAULT", - "NONE", - "BASE", - "MERGE_SLASHES", - "DECODE_AND_MERGE_SLASHES" - ] - }, - "istio.mesh.v1alpha1.MeshConfig.ServiceSettings": { - "type": "object", - "properties": { - "hosts": { - "description": "The services to which the Settings should be applied. Services are selected using the hostname matching rules used by DestinationRule. For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local", - "type": "array", - "items": { - "type": "string" - } - }, - "settings": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.ServiceSettings.Settings" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.ServiceSettings.Settings": { - "description": "Settings for the selected services.", - "type": "object", - "properties": { - "clusterLocal": { - "description": "If true, specifies that the client and service endpoints must reside in the same cluster. By default, in multi-cluster deployments, the Istio control plane assumes all service endpoints to be reachable from any client in any of the clusters which are part of the mesh. This configuration option limits the set of service endpoints visible to a client to be cluster scoped. There are some common scenarios when this can be useful: - A service (or group of services) is inherently local to the cluster and has local storage for that cluster. For example, the kube-system namespace (e.g. the Kube API Server). - A mesh administrator wants to slowly migrate services to Istio. They might start by first having services cluster-local and then slowly transition them to mesh-wide. They could do this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group (e.g. *.myns.svc.cluster.local). By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all services in the kube-system namespace to be cluster-local, unless explicitly overridden here.", - "type": "boolean" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.TLSConfig": { - "type": "object", - "properties": { - "minProtocolVersion": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig.TLSConfig.TLSProtocol" - } - } - }, - "istio.mesh.v1alpha1.MeshConfig.TLSConfig.TLSProtocol": { - "description": "TLS protocol versions.", - "type": "string", - "enum": [ - "TLS_AUTO", - "TLSV1_2", - "TLSV1_3" - ] - }, - "istio.mesh.v1alpha1.PrivateKeyProvider": { - "description": "PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured mesh wide or individual per-workload basis.", - "type": "object", - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "cryptomb" - ], - "properties": { - "cryptomb": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb" - } - } - }, - { - "required": [ - "qat" - ], - "properties": { - "qat": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.QAT" - } - } - } - ] - } - }, - { - "required": [ - "cryptomb" - ], - "properties": { - "cryptomb": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb" - } - } - }, - { - "required": [ - "qat" - ], - "properties": { - "qat": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.QAT" - } - } - } - ] - }, - "istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb" - }, - "istio.mesh.v1alpha1.PrivateKeyProvider.QAT": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider.QAT" - }, - "istio.mesh.v1alpha1.ProxyConfig": { - "description": "ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis as well as by the mesh-wide defaults. To set the mesh wide defaults, configure the `defaultConfig` section of `meshConfig`. For example: ``` meshConfig: defaultConfig: discoveryAddress: istiod:15012 ``` This can also be configured on a per-workload basis by configuring the `proxy.istio.io/config` annotation on the pod. For example: ``` annotations: proxy.istio.io/config: | discoveryAddress: istiod:15012 ``` If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults. This is different than a deep merge provided by protobuf. For example, `\"tracing\": { \"sampling\": 5 }` would completely override a setting configuring a tracing provider such as `\"tracing\": { \"zipkin\": { \"address\": \"...\" } }`. Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.", - "type": "object", - "properties": { - "image": { - "$ref": "#/components/schemas/istio.networking.v1beta1.ProxyImage" - }, - "readinessProbe": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ReadinessProbe" - }, - "tracing": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing" - }, - "concurrency": { - "description": "The number of worker threads to run. If unset, this will be automatically determined based on CPU requests/limits. If set to 0, all cores on the machine will be used. Default is 2 worker threads.", - "type": "integer", - "nullable": true - }, - "configPath": { - "description": "Path to the generated configuration file directory. Proxy agent generates the actual configuration and stores it in this directory.", - "type": "string" - }, - "binaryPath": { - "description": "Path to the proxy binary", - "type": "string" - }, - "drainDuration": { - "description": "The time in seconds that Envoy will drain connections during a hot restart. MUST be \u003e=1s (e.g., _1s/1m/1h_) Default drain duration is `45s`.", - "type": "string" - }, - "discoveryAddress": { - "description": "Address of the discovery service exposing xDS with mTLS connection. The inject configuration may override this value.", - "type": "string" - }, - "discoveryRefreshDelay": { - "type": "string", - "deprecated": true - }, - "zipkinAddress": { - "description": "Address of the Zipkin service (e.g. _zipkin:9411_). DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead.", - "type": "string", - "deprecated": true - }, - "statsdUdpAddress": { - "description": "IP Address and Port of a statsd UDP listener (e.g. `10.75.241.127:9125`).", - "type": "string" - }, - "envoyMetricsServiceAddress": { - "type": "string", - "deprecated": true - }, - "proxyAdminPort": { - "description": "Port on which Envoy should listen for administrative commands. Default port is `15000`.", - "type": "integer", - "format": "int32" - }, - "availabilityZone": { - "type": "string", - "deprecated": true - }, - "controlPlaneAuthPolicy": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.AuthenticationPolicy" - }, - "customConfigFile": { - "description": "File path of custom proxy configuration, currently used by proxies in front of Mixer and Pilot.", - "type": "string" - }, - "statNameLength": { - "description": "Maximum length of name field in Envoy's metrics. The length of the name field is determined by the length of a name field in a service and the set of labels that comprise a particular version of the service. The default value is set to 189 characters. Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric. Increase the value of this field if you find that the metrics from Envoys are truncated.", - "type": "integer", - "format": "int32" - }, - "proxyBootstrapTemplatePath": { - "description": "Path to the proxy bootstrap template file", - "type": "string" - }, - "interceptionMode": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig.InboundInterceptionMode" - }, - "sds": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.SDS", - "deprecated": true - }, - "envoyAccessLogService": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.RemoteService" - }, - "envoyMetricsService": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.RemoteService" - }, - "proxyMetadata": { - "description": "Additional environment variables for the proxy. Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "runtimeValues": { - "description": "Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping. This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "statusPort": { - "description": "Port on which the agent should listen for administrative commands such as readiness probe. Default is set to port `15020`.", - "type": "integer", - "format": "int32" - }, - "extraStatTags": { - "description": "An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be added by configuring the telemetry extension. Each additional tag needs to be present in this list. Extra tags emitted by the telemetry extensions must be listed here so that they can be processed and exposed as Prometheus metrics.", - "type": "array", - "items": { - "type": "string" - } - }, - "gatewayTopology": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Topology" - }, - "terminationDrainDuration": { - "description": "The amount of time allowed for connections to complete on proxy shutdown. On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start draining, preventing any new connections and allowing existing connections to complete. It then sleeps for the `termination_drain_duration` and then kills any remaining active Envoy processes. If not set, a default of `5s` will be applied.", - "type": "string" - }, - "meshId": { - "description": "The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh) All control planes running in the same service mesh should specify the same mesh ID. Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.", - "type": "string" - }, - "proxyStatsMatcher": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig.ProxyStatsMatcher" - }, - "holdApplicationUntilProxyStarts": { - "description": "Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior. This feature adds hooks to delay application startup until the pod proxy is ready to accept traffic, mitigating some startup race conditions. Default value is 'false'.", - "type": "boolean", - "nullable": true - }, - "caCertificatesPem": { - "description": "The PEM data of the extra root certificates for workload-to-workload communication. This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA. The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret) are added automatically by Istiod.", - "type": "array", - "items": { - "type": "string" - } - }, - "privateKeyProvider": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.PrivateKeyProvider" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "serviceCluster" - ], - "properties": { - "serviceCluster": { - "description": "Service cluster defines the name for the `service_cluster` that is shared by all Envoy instances. This setting corresponds to `--service-cluster` flag in Envoy. In a typical Envoy deployment, the `service-cluster` flag is used to identify the caller, for source-based routing scenarios. Since Istio does not assign a local `service/service` version to each Envoy instance, the name is same for all of them. However, the source/caller's identity (e.g., IP address) is encoded in the `--service-node` flag when launching Envoy. When the RDS service receives API calls from Envoy, it uses the value of the `service-node` flag to compute routes that are relative to the service instances located at that IP address.", - "type": "string" - } - } - }, - { - "required": [ - "tracingServiceName" - ], - "properties": { - "tracingServiceName": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig.TracingServiceName" - } - } - } - ] - } - }, - { - "required": [ - "serviceCluster" - ], - "properties": { - "serviceCluster": { - "description": "Service cluster defines the name for the `service_cluster` that is shared by all Envoy instances. This setting corresponds to `--service-cluster` flag in Envoy. In a typical Envoy deployment, the `service-cluster` flag is used to identify the caller, for source-based routing scenarios. Since Istio does not assign a local `service/service` version to each Envoy instance, the name is same for all of them. However, the source/caller's identity (e.g., IP address) is encoded in the `--service-node` flag when launching Envoy. When the RDS service receives API calls from Envoy, it uses the value of the `service-node` flag to compute routes that are relative to the service instances located at that IP address.", - "type": "string" - } - } - }, - { - "required": [ - "tracingServiceName" - ], - "properties": { - "tracingServiceName": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig.TracingServiceName" - } - } - } - ] - }, - "istio.mesh.v1alpha1.ProxyConfig.InboundInterceptionMode": { - "description": "The mode used to redirect inbound traffic to Envoy. This setting has no effect on outbound traffic: iptables `REDIRECT` is always used for outbound connections.", - "type": "string", - "enum": [ - "REDIRECT", - "TPROXY", - "NONE" - ] - }, - "istio.mesh.v1alpha1.ProxyConfig.ProxyStatsMatcher": { - "description": "Proxy stats name matchers for stats creation. Note this is in addition to the minimum Envoy stats that Istio generates by default.", - "type": "object", - "properties": { - "inclusionPrefixes": { - "description": "Proxy stats name prefix matcher for inclusion.", - "type": "array", - "items": { - "type": "string" - } - }, - "inclusionSuffixes": { - "description": "Proxy stats name suffix matcher for inclusion.", - "type": "array", - "items": { - "type": "string" - } - }, - "inclusionRegexps": { - "description": "Proxy stats name regexps matcher for inclusion.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.mesh.v1alpha1.ProxyConfig.TracingServiceName": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.ProxyConfig.TracingServiceName" - }, - "istio.mesh.v1alpha1.RemoteService": { - "type": "object", - "properties": { - "address": { - "description": "Address of a remove service used for various purposes (access log receiver, metrics receiver, etc.). Can be IP address or a fully qualified DNS name.", - "type": "string" - }, - "tcpKeepalive": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive" - }, - "tlsSettings": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings" - } - } - }, - "istio.mesh.v1alpha1.Resource": { - "description": "Resource describes the source of configuration", - "type": "string", - "enum": [ - "SERVICE_REGISTRY" - ] - }, - "istio.mesh.v1alpha1.SDS": { - "description": "SDS defines secret discovery service(SDS) configuration to be used by the proxy. For workload, its values are set in sidecar injector(passed as arguments to istio-proxy container). For pilot/mixer, it's passed as arguments to istio-proxy container in pilot/mixer deployment yaml files directly. $hide_from_docs", - "type": "object", - "properties": { - "enabled": { - "description": "True if SDS is enabled.", - "type": "boolean" - }, - "k8sSaJwtPath": { - "description": "Path of k8s service account JWT path.", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.Topology": { - "type": "object", - "properties": { - "numTrustedProxies": { - "type": "integer" - }, - "forwardClientCertDetails": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Topology.ForwardClientCertDetails" - } - } - }, - "istio.mesh.v1alpha1.Topology.ForwardClientCertDetails": { - "type": "string", - "enum": [ - "UNDEFINED", - "SANITIZE", - "FORWARD_ONLY", - "APPEND_FORWARD", - "SANITIZE_SET", - "ALWAYS_FORWARD_ONLY" - ] - }, - "istio.mesh.v1alpha1.Tracing": { - "description": "Tracing defines configuration for the tracing performed by Envoy instances.", - "type": "object", - "properties": { - "tlsSettings": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings" - }, - "customTags": { - "description": "Configures the custom tags to be added to active span by all proxies (i.e. sidecars and gateways). The key represents the name of the tag. Ex: ```yaml custom_tags: new_tag_name: header: name: custom-http-header-name default_value: defaulted-value-from-custom-header ``` $hide_from_docs", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.CustomTag" - } - }, - "maxPathTagLength": { - "description": "Configures the maximum length of the request path to extract and include in the HttpUrl tag. Used to truncate length request paths to meet the needs of tracing backend. If not set, then a length of 256 will be used. $hide_from_docs", - "type": "integer" - }, - "sampling": { - "description": "The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation, if not requested by the client or not forced. Default is 1.0.", - "type": "number", - "format": "double" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Zipkin" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Lightstep" - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Datadog" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Stackdriver" - } - } - }, - { - "required": [ - "openCensusAgent" - ], - "properties": { - "openCensusAgent": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.OpenCensusAgent" - } - } - } - ] - } - }, - { - "required": [ - "zipkin" - ], - "properties": { - "zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Zipkin" - } - } - }, - { - "required": [ - "lightstep" - ], - "properties": { - "lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Lightstep" - } - } - }, - { - "required": [ - "datadog" - ], - "properties": { - "datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Datadog" - } - } - }, - { - "required": [ - "stackdriver" - ], - "properties": { - "stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Stackdriver" - } - } - }, - { - "required": [ - "openCensusAgent" - ], - "properties": { - "openCensusAgent": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.OpenCensusAgent" - } - } - } - ] - }, - "istio.mesh.v1alpha1.Tracing.CustomTag": { - "description": "Configure custom tags that will be added to any active span. Tags can be generated via literals, environment variables or an incoming request header. $hide_from_docs", - "type": "object", - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "literal" - ], - "properties": { - "literal": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Literal" - } - } - }, - { - "required": [ - "environment" - ], - "properties": { - "environment": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Environment" - } - } - }, - { - "required": [ - "header" - ], - "properties": { - "header": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.RequestHeader" - } - } - } - ] - } - }, - { - "required": [ - "literal" - ], - "properties": { - "literal": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Literal" - } - } - }, - { - "required": [ - "environment" - ], - "properties": { - "environment": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Environment" - } - } - }, - { - "required": [ - "header" - ], - "properties": { - "header": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.RequestHeader" - } - } - } - ] - }, - "istio.mesh.v1alpha1.Tracing.Datadog": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Datadog" - }, - "istio.mesh.v1alpha1.Tracing.Environment": { - "description": "Environment is the proxy's environment variable to be used for populating the custom span tag. $hide_from_docs", - "type": "object", - "properties": { - "name": { - "description": "Name of the environment variable used to populate the tag's value", - "type": "string" - }, - "defaultValue": { - "description": "When the environment variable is not found, the tag's value will be populated with this default value if specified, otherwise the tag will not be populated.", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.Tracing.Lightstep": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Lightstep" - }, - "istio.mesh.v1alpha1.Tracing.Literal": { - "description": "Literal type represents a static value. $hide_from_docs", - "type": "object", - "properties": { - "value": { - "description": "Static literal value used to populate the tag value.", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.Tracing.OpenCensusAgent": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.OpenCensusAgent" - }, - "istio.mesh.v1alpha1.Tracing.RequestHeader": { - "description": "RequestHeader is the HTTP request header which will be used to populate the span tag. A default value can be configured if the header does not exist. $hide_from_docs", - "type": "object", - "properties": { - "name": { - "description": "HTTP header name used to obtain the value from to populate the tag value.", - "type": "string" - }, - "defaultValue": { - "description": "Default value to be used for the tag when the named HTTP header does not exist. The tag will be skipped if no default value is provided.", - "type": "string" - } - } - }, - "istio.mesh.v1alpha1.Tracing.Stackdriver": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Stackdriver" - }, - "istio.mesh.v1alpha1.Tracing.Zipkin": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.Tracing.Zipkin" - }, - "istio.networking.v1alpha3.ClientTLSSettings": { - "description": "SSL/TLS related settings for upstream connections. See Envoy's [TLS context](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto.html#common-tls-configuration) for more details. These settings are common to both HTTP and TCP upstreams. For example, the following rule configures a client to use mutual TLS for connections to upstream database cluster. {{\u003ctabset category-name=\"example\"\u003e}} {{\u003ctab name=\"v1alpha3\" category-value=\"v1alpha3\"\u003e}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: db-mtls spec: host: mydbserver.prod.svc.cluster.local trafficPolicy: tls: mode: MUTUAL clientCertificate: /etc/certs/myclientcert.pem privateKey: /etc/certs/client_private_key.pem caCertificates: /etc/certs/rootcacerts.pem ``` {{\u003c/tab\u003e}} {{\u003ctab name=\"v1beta1\" category-value=\"v1beta1\"\u003e}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: db-mtls spec: host: mydbserver.prod.svc.cluster.local trafficPolicy: tls: mode: MUTUAL clientCertificate: /etc/certs/myclientcert.pem privateKey: /etc/certs/client_private_key.pem caCertificates: /etc/certs/rootcacerts.pem ``` {{\u003c/tab\u003e}} {{\u003c/tabset\u003e}} The following rule configures a client to use TLS when talking to a foreign service whose domain matches *.foo.com. {{\u003ctabset category-name=\"example\"\u003e}} {{\u003ctab name=\"v1alpha3\" category-value=\"v1alpha3\"\u003e}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: tls-foo spec: host: \"*.foo.com\" trafficPolicy: tls: mode: SIMPLE ``` {{\u003c/tab\u003e}} {{\u003ctab name=\"v1beta1\" category-value=\"v1beta1\"\u003e}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: tls-foo spec: host: \"*.foo.com\" trafficPolicy: tls: mode: SIMPLE ``` {{\u003c/tab\u003e}} {{\u003c/tabset\u003e}} The following rule configures a client to use Istio mutual TLS when talking to rating services. {{\u003ctabset category-name=\"example\"\u003e}} {{\u003ctab name=\"v1alpha3\" category-value=\"v1alpha3\"\u003e}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: ratings-istio-mtls spec: host: ratings.prod.svc.cluster.local trafficPolicy: tls: mode: ISTIO_MUTUAL ``` {{\u003c/tab\u003e}} {{\u003ctab name=\"v1beta1\" category-value=\"v1beta1\"\u003e}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: ratings-istio-mtls spec: host: ratings.prod.svc.cluster.local trafficPolicy: tls: mode: ISTIO_MUTUAL ``` {{\u003c/tab\u003e}} {{\u003c/tabset\u003e}}", - "type": "object", - "properties": { - "mode": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ClientTLSSettings.TLSmode" - }, - "clientCertificate": { - "description": "REQUIRED if mode is `MUTUAL`. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is `ISTIO_MUTUAL`.", - "type": "string" - }, - "privateKey": { - "description": "REQUIRED if mode is `MUTUAL`. The path to the file holding the client's private key. Should be empty if mode is `ISTIO_MUTUAL`.", - "type": "string" - }, - "caCertificates": { - "description": "OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will not verify the server's certificate. Should be empty if mode is `ISTIO_MUTUAL`.", - "type": "string" - }, - "credentialName": { - "description": "The name of the secret that holds the TLS certs for the client including the CA certificates. Secret must exist in the same namespace with the proxy using the certificates. The secret (of type `generic`)should contain the following keys and values: `key: \u003cprivateKey\u003e`, `cert: \u003cclientCert\u003e`, `cacert: \u003cCACertificate\u003e`. Here CACertificate is used to verify the server certificate. For mutual TLS, `cacert: \u003cCACertificate\u003e` can be provided in the same secret or a separate secret named `\u003csecret\u003e-cacert`. Secret of type tls for client certificates along with ca.crt key for CA certificates is also supported. Only one of client certificates and CA certificate or credentialName can be specified. **NOTE:** This field is applicable at sidecars only if `DestinationRule` has a `workloadSelector` specified. Otherwise the field will be applicable only at gateways, and sidecars will continue to use the certificate paths.", - "type": "string" - }, - "subjectAltNames": { - "description": "A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry. If unspecified, automatic validation of upstream presented certificate for new upstream connections will be done based on the downstream HTTP host/authority header, provided `VERIFY_CERTIFICATE_AT_CLIENT` and `ENABLE_AUTO_SNI` environmental variables are set to `true`.", - "type": "array", - "items": { - "type": "string" - } - }, - "sni": { - "description": "SNI string to present to the server during TLS handshake. If unspecified, SNI will be automatically set based on downstream HTTP host/authority header for SIMPLE and MUTUAL TLS modes, provided `ENABLE_AUTO_SNI` environmental variable is set to `true`.", - "type": "string" - }, - "insecureSkipVerify": { - "description": "InsecureSkipVerify specifies whether the proxy should skip verifying the CA signature and SAN for the server certificate corresponding to the host. This flag should only be set if global CA signature verifcation is enabled, `VerifyCertAtClient` environmental variable is set to `true`, but no verification is desired for a specific host. If enabled with or without `VerifyCertAtClient` enabled, verification of the CA signature and SAN will be skipped. `InsecureSkipVerify` is `false` by default. `VerifyCertAtClient` is `false` by default in Istio version 1.9 but will be `true` by default in a later version where, going forward, it will be enabled by default.", - "type": "boolean", - "nullable": true - } - } - }, - "istio.networking.v1alpha3.ClientTLSSettings.TLSmode": { - "description": "TLS connection mode", - "type": "string", - "enum": [ - "DISABLE", - "SIMPLE", - "MUTUAL", - "ISTIO_MUTUAL" - ] - }, - "istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive": { - "description": "TCP keepalive.", - "type": "object", - "properties": { - "time": { - "description": "The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)", - "type": "string" - }, - "probes": { - "description": "Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)", - "type": "integer" - }, - "interval": { - "description": "The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)", - "type": "string" - } - } - }, - "istio.networking.v1alpha3.ExecHealthCheckConfig": { - "type": "object", - "properties": { - "command": { - "description": "Command to run. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "istio.networking.v1alpha3.HTTPHeader": { - "type": "object", - "properties": { - "name": { - "description": "The header field name", - "type": "string" - }, - "value": { - "description": "The header field value", - "type": "string" - } - } - }, - "istio.networking.v1alpha3.HTTPHealthCheckConfig": { - "type": "object", - "properties": { - "path": { - "description": "Path to access on the HTTP server.", - "type": "string" - }, - "port": { - "description": "Port on which the endpoint lives.", - "type": "integer" - }, - "host": { - "description": "Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.", - "type": "string" - }, - "scheme": { - "description": "HTTP or HTTPS, defaults to HTTP", - "type": "string" - }, - "httpHeaders": { - "description": "Headers the proxy will pass on to make the request. Allows repeated headers.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.HTTPHeader" - } - } - } - }, - "istio.networking.v1alpha3.HTTPRetry": { - "description": "Describes the retry policy to use when a HTTP request fails. For example, the following rule sets the maximum number of retries to 3 when calling ratings:v1 service, with a 2s timeout per retry attempt. A retry will be attempted if there is a connect-failure, refused_stream or when the upstream server responds with Service Unavailable(503). {{\u003ctabset category-name=\"example\"\u003e}} {{\u003ctab name=\"v1alpha3\" category-value=\"v1alpha3\"\u003e}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: ratings-route spec: hosts: - ratings.prod.svc.cluster.local http: - route: - destination: host: ratings.prod.svc.cluster.local subset: v1 retries: attempts: 3 perTryTimeout: 2s retryOn: connect-failure,refused-stream,503 ``` {{\u003c/tab\u003e}} {{\u003ctab name=\"v1beta1\" category-value=\"v1beta1\"\u003e}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: ratings-route spec: hosts: - ratings.prod.svc.cluster.local http: - route: - destination: host: ratings.prod.svc.cluster.local subset: v1 retries: attempts: 3 perTryTimeout: 2s retryOn: gateway-error,connect-failure,refused-stream ``` {{\u003c/tab\u003e}} {{\u003c/tabset\u003e}}", - "type": "object", - "properties": { - "attempts": { - "description": "Number of retries to be allowed for a given request. The interval between retries will be determined automatically (25ms+). When request `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute) or `per_try_timeout` is configured, the actual number of retries attempted also depends on the specified request `timeout` and `per_try_timeout` values.", - "type": "integer", - "format": "int32" - }, - "perTryTimeout": { - "description": "Timeout per attempt for a given request, including the initial call and any retries. Format: 1h/1m/1s/1ms. MUST BE \u003e=1ms. Default is same value as request `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute), which means no timeout.", - "type": "string" - }, - "retryOn": { - "description": "Specifies the conditions under which retry takes place. One or more policies can be specified using a ‘,’ delimited list. If `retry_on` specifies a valid HTTP status, it will be added to retriable_status_codes retry policy. See the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on) and [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on) for more details.", - "type": "string" - }, - "retryRemoteLocalities": { - "description": "Flag to specify whether the retries should retry to other localities. See the [retry plugin configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration) for more details.", - "type": "boolean", - "nullable": true - } - } - }, - "istio.networking.v1alpha3.LocalityLoadBalancerSetting": { - "description": "Locality-weighted load balancing allows administrators to control the distribution of traffic to endpoints based on the localities of where the traffic originates and where it will terminate. These localities are specified using arbitrary labels that designate a hierarchy of localities in {region}/{zone}/{sub-zone} form. For additional detail refer to [Locality Weight](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) The following example shows how to setup locality weights mesh-wide. Given a mesh with workloads and their service deployed to \"us-west/zone1/*\" and \"us-west/zone2/*\". This example specifies that when traffic accessing a service originates from workloads in \"us-west/zone1/*\", 80% of the traffic will be sent to endpoints in \"us-west/zone1/*\", i.e the same zone, and the remaining 20% will go to endpoints in \"us-west/zone2/*\". This setup is intended to favor routing traffic to endpoints in the same locality. A similar setting is specified for traffic originating in \"us-west/zone2/*\". ```yaml distribute: - from: us-west/zone1/* to: \"us-west/zone1/*\": 80 \"us-west/zone2/*\": 20 - from: us-west/zone2/* to: \"us-west/zone1/*\": 20 \"us-west/zone2/*\": 80 ``` If the goal of the operator is not to distribute load across zones and regions but rather to restrict the regionality of failover to meet other operational requirements an operator can set a 'failover' policy instead of a 'distribute' policy. The following example sets up a locality failover policy for regions. Assume a service resides in zones within us-east, us-west \u0026 eu-west this example specifies that when endpoints within us-east become unhealthy traffic should failover to endpoints in any zone or sub-zone within eu-west and similarly us-west should failover to us-east. ```yaml failover: - from: us-east to: eu-west - from: us-west to: us-east ``` Locality load balancing settings.", - "type": "object", - "properties": { - "distribute": { - "description": "Optional: only one of distribute, failover or failoverPriority can be set. Explicitly specify loadbalancing weight across different zones and geographical locations. Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) If empty, the locality weight is set according to the endpoints number within it.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute" - } - }, - "failover": { - "description": "Optional: only one of distribute, failover or failoverPriority can be set. Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.LocalityLoadBalancerSetting.Failover" - } - }, - "failoverPriority": { - "description": "failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing. This is to support traffic failover across different groups of endpoints. Suppose there are total N labels specified: 1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority. 2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority. 3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority. 4. All the other endpoints have priority P(N) i.e. lowest priority. Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match. It can be any label specified on both client and server workloads. The following labels which have special semantic meaning are also supported: - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks. - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`. - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`. - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`. - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`. The below topology config indicates the following priority levels: ```yaml failoverPriority: - \"topology.istio.io/network\" - \"topology.kubernetes.io/region\" - \"topology.kubernetes.io/zone\" - \"topology.istio.io/subzone\" ``` 1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority. 2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority. 3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority. 4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority. 5. all the other endpoints have the same lowest priority. Optional: only one of distribute, failover or failoverPriority can be set. And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect.", - "type": "array", - "items": { - "type": "string" - } - }, - "enabled": { - "description": "enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.", - "type": "boolean", - "nullable": true - } - } - }, - "istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute": { - "description": "Describes how traffic originating in the 'from' zone or sub-zone is distributed over a set of 'to' zones. Syntax for specifying a zone is {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any segment of the specification. Examples: `*` - matches all localities `us-west/*` - all zones and sub-zones within the us-west region `us-west/zone-1/*` - all sub-zones within us-west/zone-1", - "type": "object", - "properties": { - "from": { - "description": "Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.", - "type": "string" - }, - "to": { - "description": "Map of upstream localities to traffic distribution weights. The sum of all weights should be 100. Any locality not present will receive no traffic.", - "type": "object", - "additionalProperties": { - "type": "integer" - } - } - } - }, - "istio.networking.v1alpha3.LocalityLoadBalancerSetting.Failover": { - "description": "Specify the traffic failover policy across regions. Since zone and sub-zone failover is supported by default this only needs to be specified for regions when the operator needs to constrain traffic failover so that the default behavior of failing over to any endpoint globally does not apply. This is useful when failing over traffic across regions would not improve service health or may need to be restricted for other reasons like regulatory controls.", - "type": "object", - "properties": { - "from": { - "description": "Originating region.", - "type": "string" - }, - "to": { - "description": "Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.", - "type": "string" - } - } - }, - "istio.networking.v1alpha3.ReadinessProbe": { - "type": "object", - "properties": { - "timeoutSeconds": { - "description": "Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1 second.", - "type": "integer", - "format": "int32" - }, - "initialDelaySeconds": { - "description": "Number of seconds after the container has started before readiness probes are initiated.", - "type": "integer", - "format": "int32" - }, - "periodSeconds": { - "description": "How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1 second.", - "type": "integer", - "format": "int32" - }, - "successThreshold": { - "description": "Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1 second.", - "type": "integer", - "format": "int32" - }, - "failureThreshold": { - "description": "Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3 seconds.", - "type": "integer", - "format": "int32" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "httpGet" - ], - "properties": { - "httpGet": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.HTTPHealthCheckConfig" - } - } - }, - { - "required": [ - "tcpSocket" - ], - "properties": { - "tcpSocket": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.TCPHealthCheckConfig" - } - } - }, - { - "required": [ - "exec" - ], - "properties": { - "exec": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ExecHealthCheckConfig" - } - } - } - ] - } - }, - { - "required": [ - "httpGet" - ], - "properties": { - "httpGet": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.HTTPHealthCheckConfig" - } - } - }, - { - "required": [ - "tcpSocket" - ], - "properties": { - "tcpSocket": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.TCPHealthCheckConfig" - } - } - }, - { - "required": [ - "exec" - ], - "properties": { - "exec": { - "$ref": "#/components/schemas/istio.networking.v1alpha3.ExecHealthCheckConfig" - } - } - } - ] - }, - "istio.networking.v1alpha3.TCPHealthCheckConfig": { - "type": "object", - "properties": { - "port": { - "description": "Port of host", - "type": "integer" - }, - "host": { - "description": "Host to connect to, defaults to localhost", - "type": "string" - } - } - }, - "istio.networking.v1beta1.ProxyImage": { - "description": "The following values are used to construct proxy image url. format: `${hub}/${image_name}/${tag}-${image_type}`, example: `docker.io/istio/proxyv2:1.11.1` or `docker.io/istio/proxyv2:1.11.1-distroless`. This information was previously part of the Values API.", - "type": "object", - "properties": { - "imageType": { - "description": "The image type of the image. Istio publishes default, debug, and distroless images. Other values are allowed if those image types (example: centos) are published to the specified hub. supported values: default, debug, distroless.", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.ConfigState": { - "type": "string", - "enum": [ - "Unspecified", - "Created", - "ReconcileFailed", - "Reconciling", - "Available", - "Unmanaged" - ] - }, - "istio_operator.v2.api.v1alpha1.IstioMeshSpec": { - "description": "Mesh defines an Istio service mesh", - "type": "object", - "properties": { - "config": { - "$ref": "#/components/schemas/istio.mesh.v1alpha1.MeshConfig" - } - } - }, - "istio_operator.v2.api.v1alpha1.IstioMeshStatus": { - "type": "object", - "properties": { - "status": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ConfigState" - }, - "errorMessage": { - "description": "Reconciliation error message if any", - "type": "string" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector": { - "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", - "type": "object", - "properties": { - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement" - } - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", - "type": "object", - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - } - } - } -} \ No newline at end of file diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh.pb.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh.pb.go deleted file mode 100644 index d8675300e..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh.pb.go +++ /dev/null @@ -1,286 +0,0 @@ -// Copyright 2021 Cisco Systems, Inc. and/or its affiliates. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.28.0 -// protoc (unknown) -// source: api/v1alpha1/istiomesh.proto - -// $schema: istio-operator.api.v1alpha1.IstioMeshSpec -// $title: Istio Mesh Spec -// $description: Istio Mesh descriptor - -package v1alpha1 - -import ( - _ "github.com/golang/protobuf/ptypes/wrappers" - _ "google.golang.org/genproto/googleapis/api/annotations" - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - v1alpha1 "istio.io/api/mesh/v1alpha1" - _ "k8s.io/api/core/v1" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -// Mesh defines an Istio service mesh -// -// -// -// -type IstioMeshSpec struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Config *v1alpha1.MeshConfig `protobuf:"bytes,1,opt,name=config,proto3" json:"config,omitempty"` -} - -func (x *IstioMeshSpec) Reset() { - *x = IstioMeshSpec{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiomesh_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *IstioMeshSpec) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*IstioMeshSpec) ProtoMessage() {} - -func (x *IstioMeshSpec) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiomesh_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use IstioMeshSpec.ProtoReflect.Descriptor instead. -func (*IstioMeshSpec) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiomesh_proto_rawDescGZIP(), []int{0} -} - -func (x *IstioMeshSpec) GetConfig() *v1alpha1.MeshConfig { - if x != nil { - return x.Config - } - return nil -} - -// -type IstioMeshStatus struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Reconciliation status of the Istio mesh - Status ConfigState `protobuf:"varint,1,opt,name=status,proto3,enum=istio_operator.v2.api.v1alpha1.ConfigState" json:"status,omitempty"` - // Reconciliation error message if any - ErrorMessage string `protobuf:"bytes,2,opt,name=errorMessage,proto3" json:"errorMessage,omitempty"` -} - -func (x *IstioMeshStatus) Reset() { - *x = IstioMeshStatus{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiomesh_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *IstioMeshStatus) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*IstioMeshStatus) ProtoMessage() {} - -func (x *IstioMeshStatus) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiomesh_proto_msgTypes[1] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use IstioMeshStatus.ProtoReflect.Descriptor instead. -func (*IstioMeshStatus) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiomesh_proto_rawDescGZIP(), []int{1} -} - -func (x *IstioMeshStatus) GetStatus() ConfigState { - if x != nil { - return x.Status - } - return ConfigState_Unspecified -} - -func (x *IstioMeshStatus) GetErrorMessage() string { - if x != nil { - return x.ErrorMessage - } - return "" -} - -var File_api_v1alpha1_istiomesh_proto protoreflect.FileDescriptor - -var file_api_v1alpha1_istiomesh_proto_rawDesc = []byte{ - 0x0a, 0x1c, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x69, - 0x73, 0x74, 0x69, 0x6f, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1e, - 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, - 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1e, - 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, - 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, - 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6d, - 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1a, 0x6d, 0x65, 0x73, 0x68, 0x2f, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, - 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x22, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2f, 0x61, - 0x70, 0x69, 0x2f, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x67, 0x65, 0x6e, 0x65, 0x72, - 0x61, 0x74, 0x65, 0x64, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x48, 0x0a, 0x0d, 0x49, 0x73, - 0x74, 0x69, 0x6f, 0x4d, 0x65, 0x73, 0x68, 0x53, 0x70, 0x65, 0x63, 0x12, 0x37, 0x0a, 0x06, 0x63, - 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x69, 0x73, - 0x74, 0x69, 0x6f, 0x2e, 0x6d, 0x65, 0x73, 0x68, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x4d, 0x65, 0x73, 0x68, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x06, 0x63, 0x6f, - 0x6e, 0x66, 0x69, 0x67, 0x22, 0x7a, 0x0a, 0x0f, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x4d, 0x65, 0x73, - 0x68, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x43, 0x0a, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, - 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, - 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, - 0x74, 0x61, 0x74, 0x65, 0x52, 0x06, 0x73, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x22, 0x0a, 0x0c, - 0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, 0x02, 0x20, 0x01, - 0x28, 0x09, 0x52, 0x0c, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, - 0x42, 0x37, 0x5a, 0x35, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x62, - 0x61, 0x6e, 0x7a, 0x61, 0x69, 0x63, 0x6c, 0x6f, 0x75, 0x64, 0x2f, 0x69, 0x73, 0x74, 0x69, 0x6f, - 0x2d, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x61, 0x70, 0x69, - 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x33, -} - -var ( - file_api_v1alpha1_istiomesh_proto_rawDescOnce sync.Once - file_api_v1alpha1_istiomesh_proto_rawDescData = file_api_v1alpha1_istiomesh_proto_rawDesc -) - -func file_api_v1alpha1_istiomesh_proto_rawDescGZIP() []byte { - file_api_v1alpha1_istiomesh_proto_rawDescOnce.Do(func() { - file_api_v1alpha1_istiomesh_proto_rawDescData = protoimpl.X.CompressGZIP(file_api_v1alpha1_istiomesh_proto_rawDescData) - }) - return file_api_v1alpha1_istiomesh_proto_rawDescData -} - -var file_api_v1alpha1_istiomesh_proto_msgTypes = make([]protoimpl.MessageInfo, 2) -var file_api_v1alpha1_istiomesh_proto_goTypes = []interface{}{ - (*IstioMeshSpec)(nil), // 0: istio_operator.v2.api.v1alpha1.IstioMeshSpec - (*IstioMeshStatus)(nil), // 1: istio_operator.v2.api.v1alpha1.IstioMeshStatus - (*v1alpha1.MeshConfig)(nil), // 2: istio.mesh.v1alpha1.MeshConfig - (ConfigState)(0), // 3: istio_operator.v2.api.v1alpha1.ConfigState -} -var file_api_v1alpha1_istiomesh_proto_depIdxs = []int32{ - 2, // 0: istio_operator.v2.api.v1alpha1.IstioMeshSpec.config:type_name -> istio.mesh.v1alpha1.MeshConfig - 3, // 1: istio_operator.v2.api.v1alpha1.IstioMeshStatus.status:type_name -> istio_operator.v2.api.v1alpha1.ConfigState - 2, // [2:2] is the sub-list for method output_type - 2, // [2:2] is the sub-list for method input_type - 2, // [2:2] is the sub-list for extension type_name - 2, // [2:2] is the sub-list for extension extendee - 0, // [0:2] is the sub-list for field type_name -} - -func init() { file_api_v1alpha1_istiomesh_proto_init() } -func file_api_v1alpha1_istiomesh_proto_init() { - if File_api_v1alpha1_istiomesh_proto != nil { - return - } - file_api_v1alpha1_common_proto_init() - if !protoimpl.UnsafeEnabled { - file_api_v1alpha1_istiomesh_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*IstioMeshSpec); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiomesh_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*IstioMeshStatus); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_api_v1alpha1_istiomesh_proto_rawDesc, - NumEnums: 0, - NumMessages: 2, - NumExtensions: 0, - NumServices: 0, - }, - GoTypes: file_api_v1alpha1_istiomesh_proto_goTypes, - DependencyIndexes: file_api_v1alpha1_istiomesh_proto_depIdxs, - MessageInfos: file_api_v1alpha1_istiomesh_proto_msgTypes, - }.Build() - File_api_v1alpha1_istiomesh_proto = out.File - file_api_v1alpha1_istiomesh_proto_rawDesc = nil - file_api_v1alpha1_istiomesh_proto_goTypes = nil - file_api_v1alpha1_istiomesh_proto_depIdxs = nil -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh.pb.html b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh.pb.html deleted file mode 100644 index 72c05fffc..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh.pb.html +++ /dev/null @@ -1,115 +0,0 @@ ---- -title: Istio Mesh Spec -description: Istio Mesh descriptor -layout: protoc-gen-docs -generator: protoc-gen-docs -schema: istio-operator.api.v1alpha1.IstioMeshSpec -number_of_entries: 3 ---- -

IstioMeshSpec

-
-

Mesh defines an Istio service mesh

- - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
configMeshConfig - -No -
-
-

IstioMeshStatus

-
- - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
statusConfigState -

Reconciliation status of the Istio mesh

- -		 -No -
errorMessagestring -

Reconciliation error message if any

- -		 -No -
-
-

ConfigState

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameDescription
Unspecified -
Created -
ReconcileFailed -
Reconciling -
Available -
Unmanaged -
-
diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh.proto b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh.proto deleted file mode 100644 index f82fc58ee..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh.proto +++ /dev/null @@ -1,63 +0,0 @@ -// Copyright 2021 Cisco Systems, Inc. and/or its affiliates. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -syntax = "proto3"; - -import "google/protobuf/wrappers.proto"; -import "api/v1alpha1/common.proto"; -import "mesh/v1alpha1/config.proto"; -import "google/api/field_behavior.proto"; -import "k8s.io/api/core/v1/generated.proto"; - -// $schema: istio-operator.api.v1alpha1.IstioMeshSpec -// $title: Istio Mesh Spec -// $description: Istio Mesh descriptor - -package istio_operator.v2.api.v1alpha1; - -option go_package = "github.com/banzaicloud/istio-operator/v2/api/v1alpha1"; - -// Mesh defines an Istio service mesh -// -// -// -// -message IstioMeshSpec { - istio.mesh.v1alpha1.MeshConfig config = 1; -} - -// -message IstioMeshStatus { - // Reconciliation status of the Istio mesh - ConfigState status = 1; - - // Reconciliation error message if any - string errorMessage = 2; -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh_deepcopy.gen.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh_deepcopy.gen.go deleted file mode 100644 index dee3cc568..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh_deepcopy.gen.go +++ /dev/null @@ -1,48 +0,0 @@ -// Code generated by protoc-gen-deepcopy. DO NOT EDIT. -package v1alpha1 - -import ( - proto "github.com/golang/protobuf/proto" -) - -// DeepCopyInto supports using IstioMeshSpec within kubernetes types, where deepcopy-gen is used. -func (in *IstioMeshSpec) DeepCopyInto(out *IstioMeshSpec) { - p := proto.Clone(in).(*IstioMeshSpec) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshSpec. Required by controller-gen. -func (in *IstioMeshSpec) DeepCopy() *IstioMeshSpec { - if in == nil { - return nil - } - out := new(IstioMeshSpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshSpec. Required by controller-gen. -func (in *IstioMeshSpec) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using IstioMeshStatus within kubernetes types, where deepcopy-gen is used. -func (in *IstioMeshStatus) DeepCopyInto(out *IstioMeshStatus) { - p := proto.Clone(in).(*IstioMeshStatus) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshStatus. Required by controller-gen. -func (in *IstioMeshStatus) DeepCopy() *IstioMeshStatus { - if in == nil { - return nil - } - out := new(IstioMeshStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshStatus. Required by controller-gen. -func (in *IstioMeshStatus) DeepCopyInterface() interface{} { - return in.DeepCopy() -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh_json.gen.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh_json.gen.go deleted file mode 100644 index 9a516cd51..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh_json.gen.go +++ /dev/null @@ -1,34 +0,0 @@ -// Code generated by protoc-gen-jsonshim. DO NOT EDIT. -package v1alpha1 - -import ( - bytes "bytes" - jsonpb "github.com/golang/protobuf/jsonpb" -) - -// MarshalJSON is a custom marshaler for IstioMeshSpec -func (this *IstioMeshSpec) MarshalJSON() ([]byte, error) { - str, err := IstiomeshMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for IstioMeshSpec -func (this *IstioMeshSpec) UnmarshalJSON(b []byte) error { - return IstiomeshUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for IstioMeshStatus -func (this *IstioMeshStatus) MarshalJSON() ([]byte, error) { - str, err := IstiomeshMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for IstioMeshStatus -func (this *IstioMeshStatus) UnmarshalJSON(b []byte) error { - return IstiomeshUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -var ( - IstiomeshMarshaler = &jsonpb.Marshaler{} - IstiomeshUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} -) diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh_types.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh_types.go deleted file mode 100644 index 9a44b779a..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomesh_types.go +++ /dev/null @@ -1,66 +0,0 @@ -/* -Copyright 2021 Cisco Systems, Inc. and/or its affiliates. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -// +kubebuilder:object:root=true - -// IstioMesh is the Schema for the mesh API -type IstioMesh struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - - Spec *IstioMeshSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` - Status *IstioMeshStatus `json:"status,omitempty"` -} - -func (m *IstioMesh) SetStatus(status ConfigState, errorMessage string) { - m.GetStatus().Status = status - m.GetStatus().ErrorMessage = errorMessage -} - -func (m *IstioMesh) GetStatus() *IstioMeshStatus { - if m.Status == nil { - m.Status = &IstioMeshStatus{} - } - - return m.Status -} - -func (m *IstioMesh) GetSpec() *IstioMeshSpec { - if m.Spec != nil { - return m.Spec - } - - return nil -} - -// +kubebuilder:object:root=true - -// IstioMeshList contains a list of IstioMesh -type IstioMeshList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []IstioMesh `json:"items" protobuf:"bytes,2,rep,name=items"` -} - -func init() { - SchemeBuilder.Register(&IstioMesh{}, &IstioMeshList{}) -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway.gen.json b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway.gen.json deleted file mode 100644 index 72d8b7904..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway.gen.json +++ /dev/null @@ -1,2503 +0,0 @@ -{ - "openapi": "3.0.0", - "info": { - "title": "Istio Mesh Gateway descriptor", - "version": "v1alpha1" - }, - "components": { - "schemas": { - "istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig": { - "type": "object", - "properties": { - "env": { - "description": "If present will be appended to the environment variables of the container", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EnvVar" - } - }, - "resources": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ResourceRequirements" - }, - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "image": { - "description": "Standard Kubernetes container image configuration", - "type": "string" - }, - "volumeMounts": { - "description": "Pod volumes to mount into the container's filesystem. Cannot be updated.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeMount" - } - }, - "livenessProbe": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Probe" - }, - "readinessProbe": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Probe" - }, - "imagePullPolicy": { - "description": "Image pull policy. One of Always, Never, IfNotPresent. Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.", - "type": "string" - }, - "securityContext": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecurityContext" - }, - "volumes": { - "description": "List of volumes that can be mounted by containers belonging to the pod. More info: https://kubernetes.io/docs/concepts/storage/volumes", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Volume" - } - }, - "nodeSelector": { - "description": "Standard Kubernetes node selector configuration", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "imagePullSecrets": { - "description": "ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - }, - "affinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Affinity" - }, - "tolerations": { - "description": "If specified, the pod's tolerations.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Toleration" - } - }, - "priorityClassName": { - "description": "If specified, indicates the pod's priority. \"system-node-critical\" and \"system-cluster-critical\" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default.", - "type": "string" - }, - "topologySpreadConstraints": { - "description": "Used to control how Pods are spread across a cluster among failure-domains. This can help to achieve high availability as well as efficient resource utilization. More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.TopologySpreadConstraint" - } - }, - "replicas": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Replicas" - }, - "podMetadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "podDisruptionBudget": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.PodDisruptionBudget" - }, - "deploymentStrategy": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.DeploymentStrategy" - }, - "podSecurityContext": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodSecurityContext" - } - } - }, - "istio_operator.v2.api.v1alpha1.ConfigState": { - "type": "string", - "enum": [ - "Unspecified", - "Created", - "ReconcileFailed", - "Reconciling", - "Available", - "Unmanaged" - ] - }, - "istio_operator.v2.api.v1alpha1.DeploymentStrategy": { - "type": "object", - "properties": { - "type": { - "description": "Type of deployment. Can be \"Recreate\" or \"RollingUpdate\". Default is RollingUpdate.", - "type": "string" - }, - "rollingUpdate": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.DeploymentStrategy.RollingUpdateDeployment" - } - } - }, - "istio_operator.v2.api.v1alpha1.DeploymentStrategy.RollingUpdateDeployment": { - "type": "object", - "properties": { - "maxUnavailable": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "maxSurge": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - } - } - }, - "istio_operator.v2.api.v1alpha1.GatewayType": { - "type": "string", - "enum": [ - "unspecified", - "ingress", - "egress" - ] - }, - "istio_operator.v2.api.v1alpha1.HTTPGetAction": { - "description": "HTTPGetAction describes an action based on HTTP Get requests.", - "type": "object", - "properties": { - "path": { - "description": "Path to access on the HTTP server.", - "type": "string" - }, - "port": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "host": { - "description": "Host name to connect to, defaults to the pod IP. You probably want to set \"Host\" in httpHeaders instead.", - "type": "string" - }, - "scheme": { - "description": "Scheme to use for connecting to the host. Defaults to HTTP.", - "type": "string" - }, - "httpHeaders": { - "description": "Custom headers to set in the request. HTTP allows repeated headers.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.HTTPHeader" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.IntOrString": { - "description": "IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number. GOTYPE: *IntOrString", - "oneOf": [ - { - "type": "string" - }, - { - "type": "integer" - } - ] - }, - "istio_operator.v2.api.v1alpha1.IstioMeshGatewaySpec": { - "description": "IstioMeshGateway defines an Istio ingress or egress gateway", - "type": "object", - "properties": { - "type": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.GatewayType" - }, - "service": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Service" - }, - "k8sResourceOverlays": { - "description": "K8s resource overlay patches", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch" - } - }, - "deployment": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig" - }, - "runAsRoot": { - "description": "Whether to run the gateway in a privileged container", - "type": "boolean", - "nullable": true - }, - "istioControlPlane": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.NamespacedName" - } - } - }, - "istio_operator.v2.api.v1alpha1.IstioMeshGatewayStatus": { - "type": "object", - "properties": { - "Status": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ConfigState" - }, - "GatewayAddress": { - "description": "Current address for the gateway", - "type": "array", - "items": { - "type": "string" - } - }, - "ErrorMessage": { - "description": "Reconciliation error message if any", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sObjectMeta": { - "description": "Generic k8s resource metadata", - "type": "object", - "properties": { - "labels": { - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "annotations": { - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch": { - "type": "object", - "properties": { - "groupVersionKind": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.GroupVersionKind" - }, - "objectKey": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.NamespacedName" - }, - "patches": { - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Patch" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.GroupVersionKind": { - "type": "object", - "properties": { - "kind": { - "type": "string" - }, - "group": { - "type": "string" - }, - "version": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Patch": { - "type": "object", - "properties": { - "path": { - "type": "string" - }, - "type": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Type" - }, - "value": { - "type": "string" - }, - "parseValue": { - "type": "boolean" - } - } - }, - "istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch.Type": { - "type": "string", - "enum": [ - "unspecified", - "replace", - "remove" - ] - }, - "istio_operator.v2.api.v1alpha1.NamespacedName": { - "type": "object", - "properties": { - "name": { - "description": "Name of the referenced Kubernetes resource", - "type": "string" - }, - "namespace": { - "description": "Namespace of the referenced Kubernetes resource", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.PodDisruptionBudget": { - "description": "PodDisruptionBudget is a description of a PodDisruptionBudget", - "type": "object", - "properties": { - "maxUnavailable": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "minAvailable": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - } - } - }, - "istio_operator.v2.api.v1alpha1.Probe": { - "description": "Probe describes a health check to be performed against a container to determine whether it is alive or ready to receive traffic.", - "type": "object", - "properties": { - "timeoutSeconds": { - "description": "Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes", - "type": "integer", - "format": "int32" - }, - "terminationGracePeriodSeconds": { - "description": "Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.", - "type": "integer", - "format": "int64" - }, - "initialDelaySeconds": { - "description": "Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes", - "type": "integer", - "format": "int32" - }, - "periodSeconds": { - "description": "How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1.", - "type": "integer", - "format": "int32" - }, - "successThreshold": { - "description": "Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.", - "type": "integer", - "format": "int32" - }, - "failureThreshold": { - "description": "Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1.", - "type": "integer", - "format": "int32" - } - }, - "oneOf": [ - { - "not": { - "anyOf": [ - { - "required": [ - "exec" - ], - "properties": { - "exec": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ExecAction" - } - } - }, - { - "required": [ - "httpGet" - ], - "properties": { - "httpGet": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.HTTPGetAction" - } - } - }, - { - "required": [ - "tcpSocket" - ], - "properties": { - "tcpSocket": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.TCPSocketAction" - } - } - }, - { - "required": [ - "grpc" - ], - "properties": { - "grpc": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GRPCAction" - } - } - } - ] - } - }, - { - "required": [ - "exec" - ], - "properties": { - "exec": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ExecAction" - } - } - }, - { - "required": [ - "httpGet" - ], - "properties": { - "httpGet": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.HTTPGetAction" - } - } - }, - { - "required": [ - "tcpSocket" - ], - "properties": { - "tcpSocket": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.TCPSocketAction" - } - } - }, - { - "required": [ - "grpc" - ], - "properties": { - "grpc": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GRPCAction" - } - } - } - ] - }, - "istio_operator.v2.api.v1alpha1.Properties": { - "type": "object", - "properties": { - "name": { - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.Quantity": { - "description": "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and Int64() accessors. GOTYPE: *Quantity", - "oneOf": [ - { - "type": "string" - }, - { - "type": "integer" - } - ], - "pattern": "^(\\\\+|-)?(([0-9]+(\\\\.[0-9]*)?)|(\\\\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\\\\+|-)?(([0-9]+(\\\\.[0-9]*)?)|(\\\\.[0-9]+))))?$" - }, - "istio_operator.v2.api.v1alpha1.Replicas": { - "description": "Replicas contains pod replica configuration", - "type": "object", - "properties": { - "count": { - "description": "Standard Kubernetes replica count configuration", - "type": "integer", - "nullable": true - }, - "max": { - "description": "max is the upper limit for the number of replicas to which the autoscaler can scale up. min and max both need to be set the turn on autoscaling. It cannot be less than min.", - "type": "integer", - "nullable": true - }, - "min": { - "description": "min is the lower limit for the number of replicas to which the autoscaler can scale down. min and max both need to be set the turn on autoscaling.", - "type": "integer", - "nullable": true - }, - "targetCPUUtilizationPercentage": { - "description": "target average CPU utilization (represented as a percentage of requested CPU) over all the pods; default 80% will be used if not specified.", - "type": "integer", - "nullable": true - } - } - }, - "istio_operator.v2.api.v1alpha1.ResourceRequirements": { - "description": "ResourceRequirements describes the compute resource requirements.", - "type": "object", - "properties": { - "limits": { - "description": "Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Quantity" - } - }, - "requests": { - "description": "Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.Quantity" - } - } - } - }, - "istio_operator.v2.api.v1alpha1.Service": { - "description": "Service describes the attributes that a user creates on a service.", - "type": "object", - "properties": { - "type": { - "description": "type determines how the Service is exposed. Defaults to ClusterIP. Valid options are ExternalName, ClusterIP, NodePort, and LoadBalancer. \"ExternalName\" maps to the specified externalName. \"ClusterIP\" allocates a cluster-internal IP address for load-balancing to endpoints. Endpoints are determined by the selector or if that is not specified, by manual construction of an Endpoints object. If clusterIP is \"None\", no virtual IP is allocated and the endpoints are published as a set of endpoints rather than a stable IP. \"NodePort\" builds on ClusterIP and allocates a port on every node which routes to the clusterIP. \"LoadBalancer\" builds on NodePort and creates an external load-balancer (if supported in the current cloud) which routes to the clusterIP. More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types", - "type": "string" - }, - "metadata": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.K8sObjectMeta" - }, - "ports": { - "description": "The list of ports that are exposed by this service. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.ServicePort" - } - }, - "selector": { - "description": "Route service traffic to pods with label keys and values matching this selector. If empty or not present, the service is assumed to have an external process managing its endpoints, which Kubernetes will not modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "clusterIP": { - "description": "clusterIP is the IP address of the service and is usually assigned randomly by the master. If an address is specified manually and is not in use by others, it will be allocated to the service; otherwise, creation of the service will fail. This field can not be changed through updates. Valid values are \"None\", empty string (\"\"), or a valid IP address. \"None\" can be specified for headless services when proxying is not required. Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if type is ExternalName. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "string" - }, - "externalIPs": { - "description": "externalIPs is a list of IP addresses for which nodes in the cluster will also accept traffic for this service. These IPs are not managed by Kubernetes. The user is responsible for ensuring that traffic arrives at a node with this IP. A common example is external load-balancers that are not part of the Kubernetes system.", - "type": "array", - "items": { - "type": "string" - } - }, - "sessionAffinity": { - "description": "Supports \"ClientIP\" and \"None\". Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies", - "type": "string" - }, - "loadBalancerIP": { - "description": "Only applies to Service Type: LoadBalancer LoadBalancer will get created with the IP specified in this field. This feature depends on whether the underlying cloud-provider supports specifying the loadBalancerIP when a load balancer is created. This field will be ignored if the cloud-provider does not support the feature.", - "type": "string" - }, - "loadBalancerSourceRanges": { - "description": "If specified and supported by the platform, this will restrict traffic through the cloud-provider load-balancer will be restricted to the specified client IPs. This field will be ignored if the cloud-provider does not support the feature.\" More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/", - "type": "array", - "items": { - "type": "string" - } - }, - "externalName": { - "description": "externalName is the external reference that kubedns or equivalent will return as a CNAME record for this service. No proxying will be involved. Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) and requires Type to be ExternalName.", - "type": "string" - }, - "externalTrafficPolicy": { - "description": "externalTrafficPolicy denotes if this Service desires to route external traffic to node-local or cluster-wide endpoints. \"Local\" preserves the client source IP and avoids a second hop for LoadBalancer and Nodeport type services, but risks potentially imbalanced traffic spreading. \"Cluster\" obscures the client source IP and may cause a second hop to another node, but should have good overall load-spreading.", - "type": "string" - }, - "healthCheckNodePort": { - "description": "healthCheckNodePort specifies the healthcheck nodePort for the service. If not specified, HealthCheckNodePort is created by the service api backend with the allocated nodePort. Will use user-specified nodePort value if specified by the client. Only effects when Type is set to LoadBalancer and ExternalTrafficPolicy is set to Local.", - "type": "integer", - "format": "int32" - }, - "publishNotReadyAddresses": { - "description": "publishNotReadyAddresses, when set to true, indicates that DNS implementations must publish the notReadyAddresses of subsets for the Endpoints associated with the Service. The default value is false. The primary use case for setting this field is to use a StatefulSet's Headless Service to propagate SRV records for its Pods without respect to their readiness for purpose of peer discovery.", - "type": "boolean", - "nullable": true - }, - "sessionAffinityConfig": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SessionAffinityConfig" - }, - "ipFamily": { - "description": "ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is available in the cluster. If no IP family is requested, the cluster's primary IP family will be used. Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which allocate external load-balancers should use the same IP family. Endpoints for this Service will be of this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment.", - "type": "string" - } - } - }, - "istio_operator.v2.api.v1alpha1.ServicePort": { - "description": "ServicePort contains information on service's port.", - "type": "object", - "properties": { - "name": { - "description": "The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the 'name' field in the EndpointPort. if only one ServicePort is defined on this service.", - "type": "string" - }, - "protocol": { - "description": "The IP protocol for this port. Supports \"TCP\", \"UDP\", and \"SCTP\". Default is TCP.", - "type": "string" - }, - "port": { - "description": "The port that will be exposed by this service.", - "type": "integer", - "format": "int32" - }, - "targetPort": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "nodePort": { - "description": "The port on each node on which this service is exposed when type=NodePort or LoadBalancer. Usually assigned by the system. If specified, it will be allocated to the service if unused or else creation of the service will fail. Default is to auto-allocate a port if the ServiceType of this Service requires one. More info: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport", - "type": "integer", - "format": "int32" - } - } - }, - "istio_operator.v2.api.v1alpha1.TCPSocketAction": { - "description": "TCPSocketAction describes an action based on opening a socket", - "type": "object", - "properties": { - "port": { - "$ref": "#/components/schemas/istio_operator.v2.api.v1alpha1.IntOrString" - }, - "host": { - "description": "Optional: Host name to connect to, defaults to the pod IP.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.AWSElasticBlockStoreVolumeSource": { - "description": "Represents a Persistent Disk resource in AWS. An AWS EBS disk must exist before mounting to a container. The disk must also be in the same AWS zone as the kubelet. An AWS EBS disk can only be mounted as read/write once. AWS EBS volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "volumeID": { - "description": "volumeID is unique ID of the persistent disk resource in AWS (Amazon EBS volume). More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore", - "type": "string" - }, - "fsType": { - "description": "fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "partition": { - "description": "partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty).", - "type": "integer", - "format": "int32" - }, - "readOnly": { - "description": "readOnly value true will force the readOnly setting in VolumeMounts. More info: https://kubernetes.io/docs/concepts/storage/volumes#awselasticblockstore", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.Affinity": { - "description": "Affinity is a group of affinity scheduling rules.", - "type": "object", - "properties": { - "nodeAffinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeAffinity" - }, - "podAffinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinity" - }, - "podAntiAffinity": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAntiAffinity" - } - } - }, - "k8s.io.api.core.v1.AzureDiskVolumeSource": { - "description": "AzureDisk represents an Azure Data Disk mount on the host and bind mount to the pod.", - "type": "object", - "properties": { - "kind": { - "description": "kind expected values are Shared: multiple blob disks per storage account Dedicated: single blob disk per storage account Managed: azure managed data disk (only in managed availability set). defaults to shared", - "type": "string" - }, - "fsType": { - "description": "fsType is Filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "readOnly": { - "description": "readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "diskName": { - "description": "diskName is the Name of the data disk in the blob storage", - "type": "string" - }, - "diskURI": { - "description": "diskURI is the URI of data disk in the blob storage", - "type": "string" - }, - "cachingMode": { - "description": "cachingMode is the Host Caching mode: None, Read Only, Read Write.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.AzureFileVolumeSource": { - "description": "AzureFile represents an Azure File Service mount on the host and bind mount to the pod.", - "type": "object", - "properties": { - "readOnly": { - "description": "readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "secretName": { - "description": "secretName is the name of secret that contains Azure Storage Account Name and Key", - "type": "string" - }, - "shareName": { - "description": "shareName is the azure share Name", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.CSIVolumeSource": { - "description": "Represents a source location of a volume to mount, managed by an external CSI driver", - "type": "object", - "properties": { - "fsType": { - "description": "fsType to mount. Ex. \"ext4\", \"xfs\", \"ntfs\". If not provided, the empty value is passed to the associated CSI driver which will determine the default filesystem to apply.", - "type": "string" - }, - "readOnly": { - "description": "readOnly specifies a read-only configuration for the volume. Defaults to false (read/write).", - "type": "boolean" - }, - "driver": { - "description": "driver is the name of the CSI driver that handles this volume. Consult with your admin for the correct name as registered in the cluster.", - "type": "string" - }, - "volumeAttributes": { - "description": "volumeAttributes stores driver-specific properties that are passed to the CSI driver. Consult your driver's documentation for supported values.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "nodePublishSecretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.Capabilities": { - "description": "Adds and removes POSIX capabilities from running containers.", - "type": "object", - "properties": { - "add": { - "description": "Added capabilities", - "type": "array", - "items": { - "type": "string" - } - }, - "drop": { - "description": "Removed capabilities", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.CephFSVolumeSource": { - "description": "Represents a Ceph Filesystem mount that lasts the lifetime of a pod Cephfs volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "path is Optional: Used as the mounted root, rather than the full Ceph tree, default is /", - "type": "string" - }, - "readOnly": { - "description": "readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "boolean" - }, - "monitors": { - "description": "monitors is Required: Monitors is a collection of Ceph monitors More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "array", - "items": { - "type": "string" - } - }, - "user": { - "description": "user is optional: User is the rados user name, default is admin More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "string" - }, - "secretFile": { - "description": "secretFile is Optional: SecretFile is the path to key ring for User, default is /etc/ceph/user.secret More info: https://examples.k8s.io/volumes/cephfs/README.md#how-to-use-it", - "type": "string" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.CinderVolumeSource": { - "description": "Represents a cinder volume resource in Openstack. A Cinder volume must exist before mounting to a container. The volume must also be in the same region as the kubelet. Cinder volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "volumeID": { - "description": "volumeID used to identify the volume in cinder. More info: https://examples.k8s.io/mysql-cinder-pd/README.md", - "type": "string" - }, - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://examples.k8s.io/mysql-cinder-pd/README.md", - "type": "string" - }, - "readOnly": { - "description": "readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts. More info: https://examples.k8s.io/mysql-cinder-pd/README.md", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.ClientIPConfig": { - "description": "ClientIPConfig represents the configurations of Client IP based session affinity.", - "type": "object", - "properties": { - "timeoutSeconds": { - "description": "timeoutSeconds specifies the seconds of ClientIP type session sticky time. The value must be \u003e0 \u0026\u0026 \u003c=86400(for 1 day) if ServiceAffinity == \"ClientIP\". Default value is 10800(for 3 hours).", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.ConfigMapKeySelector": { - "description": "Selects a key from a ConfigMap.", - "type": "object", - "properties": { - "key": { - "description": "The key to select.", - "type": "string" - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "Specify whether the ConfigMap or its key must be defined", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.ConfigMapProjection": { - "description": "Adapts a ConfigMap into a projected volume. The contents of the target ConfigMap's Data field will be presented in a projected volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. Note that this is identical to a configmap volume source without the default mode.", - "type": "object", - "properties": { - "items": { - "description": "items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "optional specify whether the ConfigMap or its keys must be defined", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.ConfigMapVolumeSource": { - "description": "Adapts a ConfigMap into a volume. The contents of the target ConfigMap's Data field will be presented in a volume as files using the keys in the Data field as the file names, unless the items element is populated with specific mappings of keys to paths. ConfigMap volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "items": { - "description": "items if unspecified, each key-value pair in the Data field of the referenced ConfigMap will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the ConfigMap, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "optional specify whether the ConfigMap or its keys must be defined", - "type": "boolean" - }, - "defaultMode": { - "description": "defaultMode is optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.DownwardAPIProjection": { - "description": "Represents downward API info for projecting into a projected volume. Note that this is identical to a downwardAPI volume source without the default mode.", - "type": "object", - "properties": { - "items": { - "description": "Items is a list of DownwardAPIVolume file", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIVolumeFile" - } - } - } - }, - "k8s.io.api.core.v1.DownwardAPIVolumeFile": { - "description": "DownwardAPIVolumeFile represents information to create the file containing the pod field", - "type": "object", - "properties": { - "path": { - "description": "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'", - "type": "string" - }, - "fieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ObjectFieldSelector" - }, - "resourceFieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ResourceFieldSelector" - }, - "mode": { - "description": "Optional: mode bits used to set permissions on this file, must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.DownwardAPIVolumeSource": { - "description": "DownwardAPIVolumeSource represents a volume containing downward API info. Downward API volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "items": { - "description": "Items is a list of downward API volume file", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIVolumeFile" - } - }, - "defaultMode": { - "description": "Optional: mode bits to use on created files by default. Must be a Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.EmptyDirVolumeSource": { - "description": "Represents an empty directory for a pod. Empty directory volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "medium": { - "description": "medium represents what type of storage medium should back this directory. The default is \"\" which means to use the node's default medium. Must be an empty string (default) or Memory. More info: https://kubernetes.io/docs/concepts/storage/volumes#emptydir", - "type": "string" - }, - "sizeLimit": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - } - }, - "k8s.io.api.core.v1.EnvVar": { - "description": "EnvVar represents an environment variable present in a Container.", - "type": "object", - "properties": { - "name": { - "description": "Name of the environment variable. Must be a C_IDENTIFIER.", - "type": "string" - }, - "value": { - "description": "Variable references $(VAR_NAME) are expanded using the previously defined environment variables in the container and any service environment variables. If a variable cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. \"$$(VAR_NAME)\" will produce the string literal \"$(VAR_NAME)\". Escaped references will never be expanded, regardless of whether the variable exists or not. Defaults to \"\".", - "type": "string" - }, - "valueFrom": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EnvVarSource" - } - } - }, - "k8s.io.api.core.v1.EnvVarSource": { - "description": "EnvVarSource represents a source for the value of an EnvVar.", - "type": "object", - "properties": { - "fieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ObjectFieldSelector" - }, - "resourceFieldRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ResourceFieldSelector" - }, - "configMapKeyRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ConfigMapKeySelector" - }, - "secretKeyRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecretKeySelector" - } - } - }, - "k8s.io.api.core.v1.EphemeralVolumeSource": { - "description": "Represents an ephemeral volume that is handled by a normal storage driver.", - "type": "object", - "properties": { - "volumeClaimTemplate": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PersistentVolumeClaimTemplate" - } - } - }, - "k8s.io.api.core.v1.ExecAction": { - "description": "ExecAction describes a \"run in container\" action.", - "type": "object", - "properties": { - "command": { - "description": "Command is the command line to execute inside the container, the working directory for the command is root ('/') in the container's filesystem. The command is simply exec'd, it is not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use a shell, you need to explicitly call out to that shell. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.FCVolumeSource": { - "description": "Represents a Fibre Channel volume. Fibre Channel volumes can only be mounted as read/write once. Fibre Channel volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "readOnly": { - "description": "readOnly is Optional: Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "targetWWNs": { - "description": "targetWWNs is Optional: FC target worldwide names (WWNs)", - "type": "array", - "items": { - "type": "string" - } - }, - "lun": { - "description": "lun is Optional: FC target lun number", - "type": "integer", - "format": "int32" - }, - "wwids": { - "description": "wwids Optional: FC volume world wide identifiers (wwids) Either wwids or combination of targetWWNs and lun must be set, but not both simultaneously.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.FlexVolumeSource": { - "description": "FlexVolume represents a generic volume resource that is provisioned/attached using an exec based plugin.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". The default filesystem depends on FlexVolume script.", - "type": "string" - }, - "readOnly": { - "description": "readOnly is Optional: defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "driver": { - "description": "driver is the name of the driver to use for this volume.", - "type": "string" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "options": { - "description": "options is Optional: this field holds extra command options if any.", - "type": "object", - "additionalProperties": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.FlockerVolumeSource": { - "description": "Represents a Flocker volume mounted by the Flocker agent. One and only one of datasetName and datasetUUID should be set. Flocker volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "datasetName": { - "description": "datasetName is Name of the dataset stored as metadata -\u003e name on the dataset for Flocker should be considered as deprecated", - "type": "string" - }, - "datasetUUID": { - "description": "datasetUUID is the UUID of the dataset. This is unique identifier of a Flocker dataset", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GCEPersistentDiskVolumeSource": { - "description": "Represents a Persistent Disk resource in Google Compute Engine. A GCE PD must exist before mounting to a container. The disk must also be in the same GCE project and zone as the kubelet. A GCE PD can only be mounted as read/write once or read-only many times. GCE PDs support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "partition": { - "description": "partition is the partition in the volume that you want to mount. If omitted, the default is to mount by volume name. Examples: For volume /dev/sda1, you specify the partition as \"1\". Similarly, the volume partition for /dev/sda is \"0\" (or you can leave the property empty). More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk", - "type": "integer", - "format": "int32" - }, - "readOnly": { - "description": "readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk", - "type": "boolean" - }, - "pdName": { - "description": "pdName is unique name of the PD resource in GCE. Used to identify the disk in GCE. More info: https://kubernetes.io/docs/concepts/storage/volumes#gcepersistentdisk", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GRPCAction": { - "type": "object", - "properties": { - "port": { - "description": "Port number of the gRPC service. Number must be in the range 1 to 65535.", - "type": "integer", - "format": "int32" - }, - "service": { - "description": "Service is the name of the service to place in the gRPC HealthCheckRequest (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md). If this is not specified, the default behavior is defined by gRPC.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GitRepoVolumeSource": { - "description": "Represents a volume that is populated with the contents of a git repository. Git repo volumes do not support ownership management. Git repo volumes support SELinux relabeling. DEPRECATED: GitRepo is deprecated. To provision a container with a git repo, mount an EmptyDir into an InitContainer that clones the repo using git, then mount the EmptyDir into the Pod's container.", - "type": "object", - "properties": { - "repository": { - "description": "repository is the URL", - "type": "string" - }, - "revision": { - "description": "revision is the commit hash for the specified revision.", - "type": "string" - }, - "directory": { - "description": "directory is the target directory name. Must not contain or start with '..'. If '.' is supplied, the volume directory will be the git repository. Otherwise, if specified, the volume will contain the git repository in the subdirectory with the given name.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.GlusterfsVolumeSource": { - "description": "Represents a Glusterfs mount that lasts the lifetime of a pod. Glusterfs volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "path is the Glusterfs volume path. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the Glusterfs volume to be mounted with read-only permissions. Defaults to false. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod", - "type": "boolean" - }, - "endpoints": { - "description": "endpoints is the endpoint name that details Glusterfs topology. More info: https://examples.k8s.io/volumes/glusterfs/README.md#create-a-pod", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.HTTPHeader": { - "description": "HTTPHeader describes a custom header to be used in HTTP probes", - "type": "object", - "properties": { - "name": { - "description": "The header field name", - "type": "string" - }, - "value": { - "description": "The header field value", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.HostPathVolumeSource": { - "description": "Represents a host path mapped into a pod. Host path volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "path of the directory on the host. If the path is a symlink, it will follow the link to the real path. More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath", - "type": "string" - }, - "type": { - "description": "type for HostPath Volume Defaults to \"\" More info: https://kubernetes.io/docs/concepts/storage/volumes#hostpath", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ISCSIVolumeSource": { - "description": "Represents an ISCSI disk. ISCSI volumes can only be mounted as read/write once. ISCSI volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#iscsi TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false.", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "lun": { - "description": "lun represents iSCSI Target Lun number.", - "type": "integer", - "format": "int32" - }, - "targetPortal": { - "description": "targetPortal is iSCSI Target Portal. The Portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).", - "type": "string" - }, - "iqn": { - "description": "iqn is the target iSCSI Qualified Name.", - "type": "string" - }, - "iscsiInterface": { - "description": "iscsiInterface is the interface Name that uses an iSCSI transport. Defaults to 'default' (tcp).", - "type": "string" - }, - "portals": { - "description": "portals is the iSCSI Target Portal List. The portal is either an IP or ip_addr:port if the port is other than default (typically TCP ports 860 and 3260).", - "type": "array", - "items": { - "type": "string" - } - }, - "chapAuthDiscovery": { - "description": "chapAuthDiscovery defines whether support iSCSI Discovery CHAP authentication", - "type": "boolean" - }, - "chapAuthSession": { - "description": "chapAuthSession defines whether support iSCSI Session CHAP authentication", - "type": "boolean" - }, - "initiatorName": { - "description": "initiatorName is the custom iSCSI Initiator Name. If initiatorName is specified with iscsiInterface simultaneously, new iSCSI interface \u003ctarget portal\u003e:\u003cvolume name\u003e will be created for the connection.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.KeyToPath": { - "description": "Maps a string key to a path within a volume.", - "type": "object", - "properties": { - "path": { - "description": "path is the relative path of the file to map the key to. May not be an absolute path. May not contain the path element '..'. May not start with the string '..'.", - "type": "string" - }, - "key": { - "description": "key is the key to project.", - "type": "string" - }, - "mode": { - "description": "mode is Optional: mode bits used to set permissions on this file. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. If not specified, the volume defaultMode will be used. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.LocalObjectReference": { - "description": "LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.", - "type": "object", - "properties": { - "name": { - "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.NFSVolumeSource": { - "description": "Represents an NFS mount that lasts the lifetime of a pod. NFS volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "path": { - "description": "path that is exported by the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the NFS export to be mounted with read-only permissions. Defaults to false. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", - "type": "boolean" - }, - "server": { - "description": "server is the hostname or IP address of the NFS server. More info: https://kubernetes.io/docs/concepts/storage/volumes#nfs", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.NodeAffinity": { - "description": "Node affinity is a group of node affinity scheduling rules.", - "type": "object", - "properties": { - "requiredDuringSchedulingIgnoredDuringExecution": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelector" - }, - "preferredDuringSchedulingIgnoredDuringExecution": { - "description": "The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node matches the corresponding matchExpressions; the node(s) with the highest sum are the most preferred.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PreferredSchedulingTerm" - } - } - } - }, - "k8s.io.api.core.v1.NodeSelector": { - "description": "A node selector represents the union of the results of one or more label queries over a set of nodes; that is, it represents the OR of the selectors represented by the node selector terms.", - "type": "object", - "properties": { - "nodeSelectorTerms": { - "description": "Required. A list of node selector terms. The terms are ORed.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorTerm" - } - } - } - }, - "k8s.io.api.core.v1.NodeSelectorRequirement": { - "description": "A node selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", - "type": "object", - "properties": { - "key": { - "description": "The label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "Represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist. Gt, and Lt.", - "type": "string" - }, - "values": { - "description": "An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. If the operator is Gt or Lt, the values array must have a single element, which will be interpreted as an integer. This array is replaced during a strategic merge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.api.core.v1.NodeSelectorTerm": { - "description": "A null or empty node selector term matches no objects. The requirements of them are ANDed. The TopologySelectorTerm type implements a subset of the NodeSelectorTerm.", - "type": "object", - "properties": { - "matchExpressions": { - "description": "A list of node selector requirements by node's labels.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorRequirement" - } - }, - "matchFields": { - "description": "A list of node selector requirements by node's fields.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorRequirement" - } - } - } - }, - "k8s.io.api.core.v1.ObjectFieldSelector": { - "description": "ObjectFieldSelector selects an APIVersioned field of an object.", - "type": "object", - "properties": { - "apiVersion": { - "description": "Version of the schema the FieldPath is written in terms of, defaults to \"v1\".", - "type": "string" - }, - "fieldPath": { - "description": "Path of the field to select in the specified API version.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PersistentVolumeClaimSpec": { - "description": "PersistentVolumeClaimSpec describes the common attributes of storage devices and allows a Source for provider-specific attributes", - "type": "object", - "properties": { - "resources": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ResourceRequirements" - }, - "accessModes": { - "description": "accessModes contains the desired access modes the volume should have. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#access-modes-1", - "type": "array", - "items": { - "type": "string" - } - }, - "selector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "volumeName": { - "description": "volumeName is the binding reference to the PersistentVolume backing this claim.", - "type": "string" - }, - "storageClassName": { - "description": "storageClassName is the name of the StorageClass required by the claim. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#class-1", - "type": "string" - }, - "volumeMode": { - "description": "volumeMode defines what type of volume is required by the claim. Value of Filesystem is implied when not included in claim spec.", - "type": "string" - }, - "dataSource": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.TypedLocalObjectReference" - }, - "dataSourceRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.TypedLocalObjectReference" - } - } - }, - "k8s.io.api.core.v1.PersistentVolumeClaimTemplate": { - "description": "PersistentVolumeClaimTemplate is used to produce PersistentVolumeClaim objects as part of an EphemeralVolumeSource.", - "type": "object", - "properties": { - "metadata": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta" - }, - "spec": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PersistentVolumeClaimSpec" - } - } - }, - "k8s.io.api.core.v1.PersistentVolumeClaimVolumeSource": { - "description": "PersistentVolumeClaimVolumeSource references the user's PVC in the same namespace. This volume finds the bound PV and mounts that volume for the pod. A PersistentVolumeClaimVolumeSource is, essentially, a wrapper around another type of volume that is owned by someone else (the system).", - "type": "object", - "properties": { - "readOnly": { - "description": "readOnly Will force the ReadOnly setting in VolumeMounts. Default false.", - "type": "boolean" - }, - "claimName": { - "description": "claimName is the name of a PersistentVolumeClaim in the same namespace as the pod using this volume. More info: https://kubernetes.io/docs/concepts/storage/persistent-volumes#persistentvolumeclaims", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PhotonPersistentDiskVolumeSource": { - "description": "Represents a Photon Controller persistent disk resource.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "pdID": { - "description": "pdID is the ID that identifies Photon Controller persistent disk", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.PodAffinity": { - "description": "Pod affinity is a group of inter pod affinity scheduling rules.", - "type": "object", - "properties": { - "requiredDuringSchedulingIgnoredDuringExecution": { - "description": "If the affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinityTerm" - } - }, - "preferredDuringSchedulingIgnoredDuringExecution": { - "description": "The scheduler will prefer to schedule pods to nodes that satisfy the affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WeightedPodAffinityTerm" - } - } - } - }, - "k8s.io.api.core.v1.PodAffinityTerm": { - "description": "Defines a set of pods (namely those matching the labelSelector relative to the given namespace(s)) that this pod should be co-located (affinity) or not co-located (anti-affinity) with, where co-located is defined as running on a node whose value of the label with key \u003ctopologyKey\u003e matches that of any node on which a pod of the set of pods is running", - "type": "object", - "properties": { - "labelSelector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "namespaces": { - "description": "namespaces specifies a static list of namespace names that the term applies to. The term is applied to the union of the namespaces listed in this field and the ones selected by namespaceSelector. null or empty namespaces list and null namespaceSelector means \"this pod's namespace\".", - "type": "array", - "items": { - "type": "string" - } - }, - "topologyKey": { - "description": "This pod should be co-located (affinity) or not co-located (anti-affinity) with the pods matching the labelSelector in the specified namespaces, where co-located is defined as running on a node whose value of the label with key topologyKey matches that of any node on which any of the selected pods is running. Empty topologyKey is not allowed.", - "type": "string" - }, - "namespaceSelector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - } - } - }, - "k8s.io.api.core.v1.PodAntiAffinity": { - "description": "Pod anti affinity is a group of inter pod anti affinity scheduling rules.", - "type": "object", - "properties": { - "requiredDuringSchedulingIgnoredDuringExecution": { - "description": "If the anti-affinity requirements specified by this field are not met at scheduling time, the pod will not be scheduled onto the node. If the anti-affinity requirements specified by this field cease to be met at some point during pod execution (e.g. due to a pod label update), the system may or may not try to eventually evict the pod from its node. When there are multiple elements, the lists of nodes corresponding to each podAffinityTerm are intersected, i.e. all terms must be satisfied.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinityTerm" - } - }, - "preferredDuringSchedulingIgnoredDuringExecution": { - "description": "The scheduler will prefer to schedule pods to nodes that satisfy the anti-affinity expressions specified by this field, but it may choose a node that violates one or more of the expressions. The node that is most preferred is the one with the greatest sum of weights, i.e. for each node that meets all of the scheduling requirements (resource request, requiredDuringScheduling anti-affinity expressions, etc.), compute a sum by iterating through the elements of this field and adding \"weight\" to the sum if the node has pods which matches the corresponding podAffinityTerm; the node(s) with the highest sum are the most preferred.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WeightedPodAffinityTerm" - } - } - } - }, - "k8s.io.api.core.v1.PodSecurityContext": { - "description": "PodSecurityContext holds pod-level security attributes and common container settings. Some fields are also present in container.securityContext. Field values of container.securityContext take precedence over field values of PodSecurityContext.", - "type": "object", - "properties": { - "seLinuxOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SELinuxOptions" - }, - "windowsOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WindowsSecurityContextOptions" - }, - "runAsUser": { - "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "runAsGroup": { - "description": "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "runAsNonRoot": { - "description": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.", - "type": "boolean" - }, - "supplementalGroups": { - "description": "A list of groups applied to the first process run in each container, in addition to the container's primary GID. If unspecified, no groups will be added to any container. Note that this field cannot be set when spec.os.name is windows.", - "type": "array", - "items": { - "type": "integer", - "format": "int64" - } - }, - "fsGroup": { - "description": "A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod: 1. The owning GID will be the FSGroup 2. The setgid bit is set (new files created in the volume will be owned by FSGroup) 3. The permission bits are OR'd with rw-rw---- If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "sysctls": { - "description": "Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Sysctl" - } - }, - "fsGroupChangePolicy": { - "description": "fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. This field will only apply to volume types which support fsGroup based ownership(and permissions). It will have no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are \"OnRootMismatch\" and \"Always\". If not specified, \"Always\" is used. Note that this field cannot be set when spec.os.name is windows.", - "type": "string" - }, - "seccompProfile": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SeccompProfile" - } - } - }, - "k8s.io.api.core.v1.PortworxVolumeSource": { - "description": "PortworxVolumeSource represents a Portworx volume resource.", - "type": "object", - "properties": { - "volumeID": { - "description": "volumeID uniquely identifies a Portworx volume", - "type": "string" - }, - "fsType": { - "description": "fSType represents the filesystem type to mount Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "readOnly": { - "description": "readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.PreferredSchedulingTerm": { - "description": "An empty preferred scheduling term matches all objects with implicit weight 0 (i.e. it's a no-op). A null preferred scheduling term matches no objects (i.e. is also a no-op).", - "type": "object", - "properties": { - "weight": { - "description": "Weight associated with matching the corresponding nodeSelectorTerm, in the range 1-100.", - "type": "integer", - "format": "int32" - }, - "preference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NodeSelectorTerm" - } - } - }, - "k8s.io.api.core.v1.ProjectedVolumeSource": { - "description": "Represents a projected volume source", - "type": "object", - "properties": { - "defaultMode": { - "description": "defaultMode are the mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - }, - "sources": { - "description": "sources is the list of volume projections", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeProjection" - } - } - } - }, - "k8s.io.api.core.v1.QuobyteVolumeSource": { - "description": "Represents a Quobyte mount that lasts the lifetime of a pod. Quobyte volumes do not support ownership management or SELinux relabeling.", - "type": "object", - "properties": { - "group": { - "description": "group to map volume access to Default is no group", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the Quobyte volume to be mounted with read-only permissions. Defaults to false.", - "type": "boolean" - }, - "user": { - "description": "user to map volume access to Defaults to serivceaccount user", - "type": "string" - }, - "registry": { - "description": "registry represents a single or multiple Quobyte Registry services specified as a string as host:port pair (multiple entries are separated with commas) which acts as the central registry for volumes", - "type": "string" - }, - "volume": { - "description": "volume is a string that references an already created Quobyte volume by name.", - "type": "string" - }, - "tenant": { - "description": "tenant owning the given Quobyte volume in the Backend Used with dynamically provisioned Quobyte volumes, value is set by the plugin", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.RBDVolumeSource": { - "description": "Represents a Rados Block Device mount that lasts the lifetime of a pod. RBD volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type of the volume that you want to mount. Tip: Ensure that the filesystem type is supported by the host operating system. Examples: \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified. More info: https://kubernetes.io/docs/concepts/storage/volumes#rbd TODO: how do we prevent errors in the filesystem from compromising the machine", - "type": "string" - }, - "readOnly": { - "description": "readOnly here will force the ReadOnly setting in VolumeMounts. Defaults to false. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "boolean" - }, - "monitors": { - "description": "monitors is a collection of Ceph monitors. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "array", - "items": { - "type": "string" - } - }, - "user": { - "description": "user is the rados user name. Default is admin. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "image": { - "description": "image is the rados image name. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - }, - "pool": { - "description": "pool is the rados pool name. Default is rbd. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - }, - "keyring": { - "description": "keyring is the path to key ring for RBDUser. Default is /etc/ceph/keyring. More info: https://examples.k8s.io/volumes/rbd/README.md#how-to-use-it", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ResourceFieldSelector": { - "description": "ResourceFieldSelector represents container resources (cpu, memory) and their output format", - "type": "object", - "properties": { - "resource": { - "description": "Required: resource to select", - "type": "string" - }, - "containerName": { - "description": "Container name: required for volumes, optional for env vars", - "type": "string" - }, - "divisor": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - } - }, - "k8s.io.api.core.v1.ResourceRequirements": { - "description": "ResourceRequirements describes the compute resource requirements.", - "type": "object", - "properties": { - "limits": { - "description": "Limits describes the maximum amount of compute resources allowed. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - }, - "requests": { - "description": "Requests describes the minimum amount of compute resources required. If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, otherwise to an implementation-defined value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/", - "type": "object", - "additionalProperties": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.api.resource.Quantity" - } - } - } - }, - "k8s.io.api.core.v1.SELinuxOptions": { - "description": "SELinuxOptions are the labels to be applied to the container", - "type": "object", - "properties": { - "type": { - "description": "Type is a SELinux type label that applies to the container.", - "type": "string" - }, - "user": { - "description": "User is a SELinux user label that applies to the container.", - "type": "string" - }, - "role": { - "description": "Role is a SELinux role label that applies to the container.", - "type": "string" - }, - "level": { - "description": "Level is SELinux level label that applies to the container.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ScaleIOVolumeSource": { - "description": "ScaleIOVolumeSource represents a persistent ScaleIO volume", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Default is \"xfs\".", - "type": "string" - }, - "readOnly": { - "description": "readOnly Defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "volumeName": { - "description": "volumeName is the name of a volume already created in the ScaleIO system that is associated with this volume source.", - "type": "string" - }, - "gateway": { - "description": "gateway is the host address of the ScaleIO API Gateway.", - "type": "string" - }, - "system": { - "description": "system is the name of the storage system as configured in ScaleIO.", - "type": "string" - }, - "sslEnabled": { - "description": "sslEnabled Flag enable/disable SSL communication with Gateway, default false", - "type": "boolean" - }, - "protectionDomain": { - "description": "protectionDomain is the name of the ScaleIO Protection Domain for the configured storage.", - "type": "string" - }, - "storagePool": { - "description": "storagePool is the ScaleIO Storage Pool associated with the protection domain.", - "type": "string" - }, - "storageMode": { - "description": "storageMode indicates whether the storage for a volume should be ThickProvisioned or ThinProvisioned. Default is ThinProvisioned.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.SeccompProfile": { - "description": "SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.", - "type": "object", - "properties": { - "type": { - "description": "type indicates which kind of seccomp profile will be applied. Valid options are: Localhost - a profile defined in a file on the node should be used. RuntimeDefault - the container runtime default profile should be used. Unconfined - no profile should be applied.", - "type": "string" - }, - "localhostProfile": { - "description": "localhostProfile indicates a profile defined in a file on the node should be used. The profile must be preconfigured on the node to work. Must be a descending path, relative to the kubelet's configured seccomp profile location. Must only be set if type is \"Localhost\".", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.SecretKeySelector": { - "description": "SecretKeySelector selects a key of a Secret.", - "type": "object", - "properties": { - "key": { - "description": "The key of the secret to select from. Must be a valid secret key.", - "type": "string" - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "Specify whether the Secret or its key must be defined", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.SecretProjection": { - "description": "Adapts a secret into a projected volume. The contents of the target Secret's Data field will be presented in a projected volume as files using the keys in the Data field as the file names. Note that this is identical to a secret volume source without the default mode.", - "type": "object", - "properties": { - "items": { - "description": "items if unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "localObjectReference": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "optional": { - "description": "optional field specify whether the Secret or its key must be defined", - "type": "boolean" - } - } - }, - "k8s.io.api.core.v1.SecretVolumeSource": { - "description": "Adapts a Secret into a volume. The contents of the target Secret's Data field will be presented in a volume as files using the keys in the Data field as the file names. Secret volumes support ownership management and SELinux relabeling.", - "type": "object", - "properties": { - "items": { - "description": "items If unspecified, each key-value pair in the Data field of the referenced Secret will be projected into the volume as a file whose name is the key and content is the value. If specified, the listed keys will be projected into the specified paths, and unlisted keys will not be present. If a key is specified which is not present in the Secret, the volume setup will error unless it is marked optional. Paths must be relative and may not contain the '..' path or start with '..'.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.KeyToPath" - } - }, - "secretName": { - "description": "secretName is the name of the secret in the pod's namespace to use. More info: https://kubernetes.io/docs/concepts/storage/volumes#secret", - "type": "string" - }, - "optional": { - "description": "optional field specify whether the Secret or its keys must be defined", - "type": "boolean" - }, - "defaultMode": { - "description": "defaultMode is Optional: mode bits used to set permissions on created files by default. Must be an octal value between 0000 and 0777 or a decimal value between 0 and 511. YAML accepts both octal and decimal values, JSON requires decimal values for mode bits. Defaults to 0644. Directories within the path are not affected by this setting. This might be in conflict with other options that affect the file mode, like fsGroup, and the result can be other mode bits set.", - "type": "integer", - "format": "int32" - } - } - }, - "k8s.io.api.core.v1.SecurityContext": { - "description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.", - "type": "object", - "properties": { - "seLinuxOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SELinuxOptions" - }, - "windowsOptions": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.WindowsSecurityContextOptions" - }, - "runAsUser": { - "description": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "runAsGroup": { - "description": "The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.", - "type": "integer", - "format": "int64" - }, - "runAsNonRoot": { - "description": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.", - "type": "boolean" - }, - "seccompProfile": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SeccompProfile" - }, - "capabilities": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.Capabilities" - }, - "privileged": { - "description": "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.", - "type": "boolean" - }, - "readOnlyRootFilesystem": { - "description": "Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows.", - "type": "boolean" - }, - "allowPrivilegeEscalation": { - "description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.", - "type": "boolean" - }, - "procMount": { - "description": "procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.ServiceAccountTokenProjection": { - "description": "ServiceAccountTokenProjection represents a projected service account token volume. This projection can be used to insert a service account token into the pods runtime filesystem for use against APIs (Kubernetes API Server or otherwise).", - "type": "object", - "properties": { - "path": { - "description": "path is the path relative to the mount point of the file to project the token into.", - "type": "string" - }, - "audience": { - "description": "audience is the intended audience of the token. A recipient of a token must identify itself with an identifier specified in the audience of the token, and otherwise should reject the token. The audience defaults to the identifier of the apiserver.", - "type": "string" - }, - "expirationSeconds": { - "description": "expirationSeconds is the requested duration of validity of the service account token. As the token approaches expiration, the kubelet volume plugin will proactively rotate the service account token. The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.Defaults to 1 hour and must be at least 10 minutes.", - "type": "integer", - "format": "int64" - } - } - }, - "k8s.io.api.core.v1.SessionAffinityConfig": { - "description": "SessionAffinityConfig represents the configurations of session affinity.", - "type": "object", - "properties": { - "clientIP": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ClientIPConfig" - } - } - }, - "k8s.io.api.core.v1.StorageOSVolumeSource": { - "description": "Represents a StorageOS persistent volume resource.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is the filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "readOnly": { - "description": "readOnly defaults to false (read/write). ReadOnly here will force the ReadOnly setting in VolumeMounts.", - "type": "boolean" - }, - "secretRef": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.LocalObjectReference" - }, - "volumeName": { - "description": "volumeName is the human-readable name of the StorageOS volume. Volume names are only unique within a namespace.", - "type": "string" - }, - "volumeNamespace": { - "description": "volumeNamespace specifies the scope of the volume within StorageOS. If no namespace is specified then the Pod's namespace will be used. This allows the Kubernetes name scoping to be mirrored within StorageOS for tighter integration. Set VolumeName to any name to override the default behaviour. Set to \"default\" if you are not using namespaces within StorageOS. Namespaces that do not pre-exist within StorageOS will be created.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.Sysctl": { - "description": "Sysctl defines a kernel parameter to be set", - "type": "object", - "properties": { - "name": { - "description": "Name of a property to set", - "type": "string" - }, - "value": { - "description": "Value of a property to set", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.Toleration": { - "description": "The pod this Toleration is attached to tolerates any taint that matches the triple \u003ckey,value,effect\u003e using the matching operator \u003coperator\u003e.", - "type": "object", - "properties": { - "key": { - "description": "Key is the taint key that the toleration applies to. Empty means match all taint keys. If the key is empty, operator must be Exists; this combination means to match all values and all keys.", - "type": "string" - }, - "operator": { - "description": "Operator represents a key's relationship to the value. Valid operators are Exists and Equal. Defaults to Equal. Exists is equivalent to wildcard for value, so that a pod can tolerate all taints of a particular category.", - "type": "string" - }, - "value": { - "description": "Value is the taint value the toleration matches to. If the operator is Exists, the value should be empty, otherwise just a regular string.", - "type": "string" - }, - "effect": { - "description": "Effect indicates the taint effect to match. Empty means match all taint effects. When specified, allowed values are NoSchedule, PreferNoSchedule and NoExecute.", - "type": "string" - }, - "tolerationSeconds": { - "description": "TolerationSeconds represents the period of time the toleration (which must be of effect NoExecute, otherwise this field is ignored) tolerates the taint. By default, it is not set, which means tolerate the taint forever (do not evict). Zero and negative values will be treated as 0 (evict immediately) by the system.", - "type": "integer", - "format": "int64" - } - } - }, - "k8s.io.api.core.v1.TopologySpreadConstraint": { - "description": "TopologySpreadConstraint specifies how to spread matching pods among the given topology.", - "type": "object", - "properties": { - "labelSelector": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - "topologyKey": { - "description": "TopologyKey is the key of node labels. Nodes that have a label with this key and identical values are considered to be in the same topology. We consider each \u003ckey, value\u003e as a \"bucket\", and try to put balanced number of pods into each bucket. It's a required field.", - "type": "string" - }, - "maxSkew": { - "description": "MaxSkew describes the degree to which pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`, it is the maximum permitted difference between the number of matching pods in the target topology and the global minimum. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 1/1/0: | zone1 | zone2 | zone3 | | P | P | | - if MaxSkew is 1, incoming pod can only be scheduled to zone3 to become 1/1/1; scheduling it onto zone1(zone2) would make the ActualSkew(2-0) on zone1(zone2) violate MaxSkew(1). - if MaxSkew is 2, incoming pod can be scheduled onto any zone. When `whenUnsatisfiable=ScheduleAnyway`, it is used to give higher precedence to topologies that satisfy it. It's a required field. Default value is 1 and 0 is not allowed.", - "type": "integer", - "format": "int32" - }, - "whenUnsatisfiable": { - "description": "WhenUnsatisfiable indicates how to deal with a pod if it doesn't satisfy the spread constraint. - DoNotSchedule (default) tells the scheduler not to schedule it. - ScheduleAnyway tells the scheduler to schedule the pod in any location, but giving higher precedence to topologies that would help reduce the skew. A constraint is considered \"Unsatisfiable\" for an incoming pod if and only if every possible node assignment for that pod would violate \"MaxSkew\" on some topology. For example, in a 3-zone cluster, MaxSkew is set to 1, and pods with the same labelSelector spread as 3/1/1: | zone1 | zone2 | zone3 | | P P P | P | P | If WhenUnsatisfiable is set to DoNotSchedule, incoming pod can only be scheduled to zone2(zone3) to become 3/2/1(3/1/2) as ActualSkew(2-1) on zone2(zone3) satisfies MaxSkew(1). In other words, the cluster can still be imbalanced, but scheduler won't make it *more* imbalanced. It's a required field.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.TypedLocalObjectReference": { - "description": "TypedLocalObjectReference contains enough information to let you locate the typed referenced object inside the same namespace.", - "type": "object", - "properties": { - "name": { - "description": "Name is the name of resource being referenced", - "type": "string" - }, - "kind": { - "description": "Kind is the type of resource being referenced", - "type": "string" - }, - "apiGroup": { - "description": "APIGroup is the group for the resource being referenced. If APIGroup is not specified, the specified Kind must be in the core API group. For any other third-party types, APIGroup is required.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.Volume": { - "description": "Volume represents a named volume in a pod that may be accessed by any container in the pod.", - "type": "object", - "properties": { - "name": { - "description": "name of the volume. Must be a DNS_LABEL and unique within the pod. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", - "type": "string" - }, - "volumeSource": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VolumeSource" - } - } - }, - "k8s.io.api.core.v1.VolumeMount": { - "description": "VolumeMount describes a mounting of a Volume within a container.", - "type": "object", - "properties": { - "name": { - "description": "This must match the Name of a Volume.", - "type": "string" - }, - "readOnly": { - "description": "Mounted read-only if true, read-write otherwise (false or unspecified). Defaults to false.", - "type": "boolean" - }, - "mountPath": { - "description": "Path within the container at which the volume should be mounted. Must not contain ':'.", - "type": "string" - }, - "subPath": { - "description": "Path within the volume from which the container's volume should be mounted. Defaults to \"\" (volume's root).", - "type": "string" - }, - "mountPropagation": { - "description": "mountPropagation determines how mounts are propagated from the host to container and the other way around. When not set, MountPropagationNone is used. This field is beta in 1.10.", - "type": "string" - }, - "subPathExpr": { - "description": "Expanded path within the volume from which the container's volume should be mounted. Behaves similarly to SubPath but environment variable references $(VAR_NAME) are expanded using the container's environment. Defaults to \"\" (volume's root). SubPathExpr and SubPath are mutually exclusive.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.VolumeProjection": { - "description": "Projection that may be projected along with other supported volume types", - "type": "object", - "properties": { - "configMap": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ConfigMapProjection" - }, - "secret": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecretProjection" - }, - "downwardAPI": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIProjection" - }, - "serviceAccountToken": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ServiceAccountTokenProjection" - } - } - }, - "k8s.io.api.core.v1.VolumeSource": { - "description": "Represents the source of a volume to mount. Only one of its members may be specified.", - "type": "object", - "properties": { - "configMap": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ConfigMapVolumeSource" - }, - "gcePersistentDisk": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GCEPersistentDiskVolumeSource" - }, - "awsElasticBlockStore": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.AWSElasticBlockStoreVolumeSource" - }, - "hostPath": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.HostPathVolumeSource" - }, - "glusterfs": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GlusterfsVolumeSource" - }, - "nfs": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.NFSVolumeSource" - }, - "rbd": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.RBDVolumeSource" - }, - "iscsi": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ISCSIVolumeSource" - }, - "cinder": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.CinderVolumeSource" - }, - "cephfs": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.CephFSVolumeSource" - }, - "fc": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.FCVolumeSource" - }, - "flocker": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.FlockerVolumeSource" - }, - "flexVolume": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.FlexVolumeSource" - }, - "azureFile": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.AzureFileVolumeSource" - }, - "vsphereVolume": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.VsphereVirtualDiskVolumeSource" - }, - "quobyte": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.QuobyteVolumeSource" - }, - "azureDisk": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.AzureDiskVolumeSource" - }, - "photonPersistentDisk": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PhotonPersistentDiskVolumeSource" - }, - "portworxVolume": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PortworxVolumeSource" - }, - "scaleIO": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ScaleIOVolumeSource" - }, - "storageos": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.StorageOSVolumeSource" - }, - "csi": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.CSIVolumeSource" - }, - "secret": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.SecretVolumeSource" - }, - "downwardAPI": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.DownwardAPIVolumeSource" - }, - "emptyDir": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EmptyDirVolumeSource" - }, - "gitRepo": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.GitRepoVolumeSource" - }, - "persistentVolumeClaim": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PersistentVolumeClaimVolumeSource" - }, - "projected": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.ProjectedVolumeSource" - }, - "ephemeral": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.EphemeralVolumeSource" - } - } - }, - "k8s.io.api.core.v1.VsphereVirtualDiskVolumeSource": { - "description": "Represents a vSphere volume resource.", - "type": "object", - "properties": { - "fsType": { - "description": "fsType is filesystem type to mount. Must be a filesystem type supported by the host operating system. Ex. \"ext4\", \"xfs\", \"ntfs\". Implicitly inferred to be \"ext4\" if unspecified.", - "type": "string" - }, - "volumePath": { - "description": "volumePath is the path that identifies vSphere volume vmdk", - "type": "string" - }, - "storagePolicyName": { - "description": "storagePolicyName is the storage Policy Based Management (SPBM) profile name.", - "type": "string" - }, - "storagePolicyID": { - "description": "storagePolicyID is the storage Policy Based Management (SPBM) profile ID associated with the StoragePolicyName.", - "type": "string" - } - } - }, - "k8s.io.api.core.v1.WeightedPodAffinityTerm": { - "description": "The weights of all of the matched WeightedPodAffinityTerm fields are added per-node to find the most preferred node(s)", - "type": "object", - "properties": { - "weight": { - "description": "weight associated with matching the corresponding podAffinityTerm, in the range 1-100.", - "type": "integer", - "format": "int32" - }, - "podAffinityTerm": { - "$ref": "#/components/schemas/k8s.io.api.core.v1.PodAffinityTerm" - } - } - }, - "k8s.io.api.core.v1.WindowsSecurityContextOptions": { - "description": "WindowsSecurityContextOptions contain Windows-specific options and credentials.", - "type": "object", - "properties": { - "gmsaCredentialSpecName": { - "description": "GMSACredentialSpecName is the name of the GMSA credential spec to use.", - "type": "string" - }, - "gmsaCredentialSpec": { - "description": "GMSACredentialSpec is where the GMSA admission webhook (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the GMSA credential spec named by the GMSACredentialSpecName field.", - "type": "string" - }, - "runAsUserName": { - "description": "The UserName in Windows to run the entrypoint of the container process. Defaults to the user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.", - "type": "string" - }, - "hostProcess": { - "description": "HostProcess determines if a container should be run as a 'Host Process' container. This field is alpha-level and will only be honored by components that enable the WindowsHostProcessContainers feature flag. Setting this field without the feature flag will result in errors when validating the Pod. All of a Pod's containers must have the same effective HostProcess value (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers). In addition, if HostProcess is true then HostNetwork must also be set to true.", - "type": "boolean" - } - } - }, - "k8s.io.apimachinery.pkg.api.resource.Quantity": { - "description": "Quantity is a fixed-point representation of a number. It provides convenient marshaling/unmarshaling in JSON and YAML, in addition to String() and AsInt64() accessors. The serialization format is: \u003cquantity\u003e ::= \u003csignedNumber\u003e\u003csuffix\u003e (Note that \u003csuffix\u003e may be empty, from the \"\" case in \u003cdecimalSI\u003e.) \u003cdigit\u003e ::= 0 | 1 | ... | 9 \u003cdigits\u003e ::= \u003cdigit\u003e | \u003cdigit\u003e\u003cdigits\u003e \u003cnumber\u003e ::= \u003cdigits\u003e | \u003cdigits\u003e.\u003cdigits\u003e | \u003cdigits\u003e. | .\u003cdigits\u003e \u003csign\u003e ::= \"+\" | \"-\" \u003csignedNumber\u003e ::= \u003cnumber\u003e | \u003csign\u003e\u003cnumber\u003e \u003csuffix\u003e ::= \u003cbinarySI\u003e | \u003cdecimalExponent\u003e | \u003cdecimalSI\u003e \u003cbinarySI\u003e ::= Ki | Mi | Gi | Ti | Pi | Ei (International System of units; See: http://physics.nist.gov/cuu/Units/binary.html) \u003cdecimalSI\u003e ::= m | \"\" | k | M | G | T | P | E (Note that 1024 = 1Ki but 1000 = 1k; I didn't choose the capitalization.) \u003cdecimalExponent\u003e ::= \"e\" \u003csignedNumber\u003e | \"E\" \u003csignedNumber\u003e No matter which of the three exponent forms is used, no quantity may represent a number greater than 2^63-1 in magnitude, nor may it have more than 3 decimal places. Numbers larger or more precise will be capped or rounded up. (E.g.: 0.1m will rounded up to 1m.) This may be extended in the future if we require larger or smaller quantities. When a Quantity is parsed from a string, it will remember the type of suffix it had, and will use the same type again when it is serialized. Before serializing, Quantity will be put in \"canonical form\". This means that Exponent/suffix will be adjusted up or down (with a corresponding increase or decrease in Mantissa) such that: a. No precision is lost b. No fractional digits will be emitted c. The exponent (or suffix) is as large as possible. The sign will be omitted unless the number is negative. Examples: 1.5 will be serialized as \"1500m\" 1.5Gi will be serialized as \"1536Mi\" Note that the quantity will NEVER be internally represented by a floating point number. That is the whole point of this exercise. Non-canonical values will still parse as long as they are well formed, but will be re-emitted in their canonical form. (So always use canonical form, or don't diff.) This format is intended to make it difficult to use these numbers without writing some sort of special handling code in the hopes that that will cause implementors to also use a fixed point implementation.", - "type": "object", - "properties": { - "string": { - "type": "string" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.FieldsV1": { - "description": "FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format. Each key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats: 'f:\u003cname\u003e', where \u003cname\u003e is the name of a field in a struct, or key in a map 'v:\u003cvalue\u003e', where \u003cvalue\u003e is the exact json formatted value of a list item 'i:\u003cindex\u003e', where \u003cindex\u003e is position of a item in a list 'k:\u003ckeys\u003e', where \u003ckeys\u003e is a map of a list item's key fields to their unique values If a key maps to an empty Fields value, the field that key represents is part of the set. The exact format is defined in sigs.k8s.io/structured-merge-diff", - "type": "object", - "properties": { - "Raw": { - "description": "Raw is the underlying serialization of this object.", - "type": "string", - "format": "binary" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector": { - "description": "A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.", - "type": "object", - "properties": { - "matchLabels": { - "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "matchExpressions": { - "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement" - } - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelectorRequirement": { - "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", - "type": "object", - "properties": { - "key": { - "description": "key is the label key that the selector applies to.", - "type": "string" - }, - "operator": { - "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", - "type": "string" - }, - "values": { - "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", - "type": "array", - "items": { - "type": "string" - } - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry": { - "description": "ManagedFieldsEntry is a workflow-id, a FieldSet and the group version of the resource that the fieldset applies to.", - "type": "object", - "properties": { - "time": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.Time" - }, - "apiVersion": { - "description": "APIVersion defines the version of this resource that this field set applies to. The format is \"group/version\" just like the top-level APIVersion field. It is necessary to track the version of a field set because it cannot be automatically converted.", - "type": "string" - }, - "manager": { - "description": "Manager is an identifier of the workflow managing these fields.", - "type": "string" - }, - "operation": { - "description": "Operation is the type of operation which lead to this ManagedFieldsEntry being created. The only valid values for this field are 'Apply' and 'Update'.", - "type": "string" - }, - "fieldsType": { - "description": "FieldsType is the discriminator for the different fields format and version. There is currently only one possible value: \"FieldsV1\"", - "type": "string" - }, - "fieldsV1": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.FieldsV1" - }, - "subresource": { - "description": "Subresource is the name of the subresource used to update that object, or empty string if the object was updated through the main resource. The value of this field is used to distinguish between managers, even if they share the same name. For example, a status update will be distinct from a regular update using the same manager name. Note that the APIVersion field is not related to the Subresource field and it always corresponds to the version of the main resource.", - "type": "string" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta": { - "description": "ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create.", - "type": "object", - "properties": { - "name": { - "description": "Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names", - "type": "string" - }, - "resourceVersion": { - "description": "An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources. Populated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", - "type": "string" - }, - "selfLink": { - "description": "Deprecated: selfLink is a legacy read-only field that is no longer populated by the system.", - "type": "string" - }, - "generateName": { - "description": "GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server. If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header). Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency", - "type": "string" - }, - "namespace": { - "description": "Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty. Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces", - "type": "string" - }, - "uid": { - "description": "UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations. Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids", - "type": "string" - }, - "generation": { - "description": "A sequence number representing a specific generation of the desired state. Populated by the system. Read-only.", - "type": "integer", - "format": "int64" - }, - "creationTimestamp": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.Time" - }, - "deletionTimestamp": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.Time" - }, - "deletionGracePeriodSeconds": { - "description": "Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only.", - "type": "integer", - "format": "int64" - }, - "labels": { - "description": "Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "annotations": { - "description": "Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations", - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "ownerReferences": { - "description": "List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.OwnerReference" - } - }, - "finalizers": { - "description": "Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list.", - "type": "array", - "items": { - "type": "string" - } - }, - "clusterName": { - "description": "The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.", - "type": "string" - }, - "managedFields": { - "description": "ManagedFields maps workflow-id and version to the set of fields that are managed by that workflow. This is mostly for internal housekeeping, and users typically shouldn't need to set or understand this field. A workflow can be the user's name, a controller's name, or the name of a specific apply path like \"ci-cd\". The set of fields is always in the version that the workflow used when modifying the object.", - "type": "array", - "items": { - "$ref": "#/components/schemas/k8s.io.apimachinery.pkg.apis.meta.v1.ManagedFieldsEntry" - } - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.OwnerReference": { - "description": "OwnerReference contains enough information to let you identify an owning object. An owning object must be in the same namespace as the dependent, or be cluster-scoped, so there is no namespace field.", - "type": "object", - "properties": { - "name": { - "description": "Name of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#names", - "type": "string" - }, - "apiVersion": { - "description": "API version of the referent.", - "type": "string" - }, - "kind": { - "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", - "type": "string" - }, - "uid": { - "description": "UID of the referent. More info: http://kubernetes.io/docs/user-guide/identifiers#uids", - "type": "string" - }, - "controller": { - "description": "If true, this reference points to the managing controller.", - "type": "boolean" - }, - "blockOwnerDeletion": { - "description": "If true, AND if the owner has the \"foregroundDeletion\" finalizer, then the owner cannot be deleted from the key-value store until this reference is removed. See https://kubernetes.io/docs/concepts/architecture/garbage-collection/#foreground-deletion for how the garbage collector interacts with this field and enforces the foreground deletion. Defaults to false. To set this field, a user needs \"delete\" permission of the owner, otherwise 422 (Unprocessable Entity) will be returned.", - "type": "boolean" - } - } - }, - "k8s.io.apimachinery.pkg.apis.meta.v1.Time": { - "description": "Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.", - "type": "object", - "properties": { - "seconds": { - "description": "Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z inclusive.", - "type": "integer", - "format": "int64" - }, - "nanos": { - "description": "Non-negative fractions of a second at nanosecond resolution. Negative second values with fractions must still have non-negative nanos values that count forward in time. Must be from 0 to 999,999,999 inclusive. This field may be limited in precision depending on context.", - "type": "integer", - "format": "int32" - } - } - } - } - } -} \ No newline at end of file diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway.pb.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway.pb.go deleted file mode 100644 index f576bafcc..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway.pb.go +++ /dev/null @@ -1,504 +0,0 @@ -// Copyright 2021 Cisco Systems, Inc. and/or its affiliates. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -// Code generated by protoc-gen-go. DO NOT EDIT. -// versions: -// protoc-gen-go v1.28.0 -// protoc (unknown) -// source: api/v1alpha1/istiomeshgateway.proto - -// $schema: istio-operator.api.v1alpha1.IstioMeshGatewaySpec -// $title: Istio Mesh Gateway Spec -// $description: Istio Mesh Gateway descriptor - -package v1alpha1 - -import ( - wrappers "github.com/golang/protobuf/ptypes/wrappers" - _ "google.golang.org/genproto/googleapis/api/annotations" - protoreflect "google.golang.org/protobuf/reflect/protoreflect" - protoimpl "google.golang.org/protobuf/runtime/protoimpl" - _ "k8s.io/api/core/v1" - reflect "reflect" - sync "sync" -) - -const ( - // Verify that this generated code is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) - // Verify that runtime/protoimpl is sufficiently up-to-date. - _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) -) - -type GatewayType int32 - -const ( - GatewayType_unspecified GatewayType = 0 - GatewayType_ingress GatewayType = 1 - GatewayType_egress GatewayType = 2 -) - -// Enum value maps for GatewayType. -var ( - GatewayType_name = map[int32]string{ - 0: "unspecified", - 1: "ingress", - 2: "egress", - } - GatewayType_value = map[string]int32{ - "unspecified": 0, - "ingress": 1, - "egress": 2, - } -) - -func (x GatewayType) Enum() *GatewayType { - p := new(GatewayType) - *p = x - return p -} - -func (x GatewayType) String() string { - return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) -} - -func (GatewayType) Descriptor() protoreflect.EnumDescriptor { - return file_api_v1alpha1_istiomeshgateway_proto_enumTypes[0].Descriptor() -} - -func (GatewayType) Type() protoreflect.EnumType { - return &file_api_v1alpha1_istiomeshgateway_proto_enumTypes[0] -} - -func (x GatewayType) Number() protoreflect.EnumNumber { - return protoreflect.EnumNumber(x) -} - -// Deprecated: Use GatewayType.Descriptor instead. -func (GatewayType) EnumDescriptor() ([]byte, []int) { - return file_api_v1alpha1_istiomeshgateway_proto_rawDescGZIP(), []int{0} -} - -// IstioMeshGateway defines an Istio ingress or egress gateway -// -// -// -// -type IstioMeshGatewaySpec struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Deployment spec - Deployment *BaseKubernetesResourceConfig `protobuf:"bytes,1,opt,name=deployment,proto3" json:"deployment,omitempty"` - // Service spec - Service *Service `protobuf:"bytes,2,opt,name=service,proto3" json:"service,omitempty"` - // Whether to run the gateway in a privileged container - RunAsRoot *wrappers.BoolValue `protobuf:"bytes,3,opt,name=runAsRoot,proto3" json:"runAsRoot,omitempty"` - // Type of gateway, either ingress or egress - // +kubebuilder:validation:Enum=ingress;egress - Type GatewayType `protobuf:"varint,4,opt,name=type,proto3,enum=istio_operator.v2.api.v1alpha1.GatewayType" json:"type,omitempty"` - // Istio CR to which this gateway belongs to - IstioControlPlane *NamespacedName `protobuf:"bytes,5,opt,name=istioControlPlane,proto3" json:"istioControlPlane,omitempty"` - // K8s resource overlay patches - K8SResourceOverlays []*K8SResourceOverlayPatch `protobuf:"bytes,6,rep,name=k8sResourceOverlays,proto3" json:"k8sResourceOverlays,omitempty"` -} - -func (x *IstioMeshGatewaySpec) Reset() { - *x = IstioMeshGatewaySpec{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiomeshgateway_proto_msgTypes[0] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *IstioMeshGatewaySpec) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*IstioMeshGatewaySpec) ProtoMessage() {} - -func (x *IstioMeshGatewaySpec) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiomeshgateway_proto_msgTypes[0] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use IstioMeshGatewaySpec.ProtoReflect.Descriptor instead. -func (*IstioMeshGatewaySpec) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiomeshgateway_proto_rawDescGZIP(), []int{0} -} - -func (x *IstioMeshGatewaySpec) GetDeployment() *BaseKubernetesResourceConfig { - if x != nil { - return x.Deployment - } - return nil -} - -func (x *IstioMeshGatewaySpec) GetService() *Service { - if x != nil { - return x.Service - } - return nil -} - -func (x *IstioMeshGatewaySpec) GetRunAsRoot() *wrappers.BoolValue { - if x != nil { - return x.RunAsRoot - } - return nil -} - -func (x *IstioMeshGatewaySpec) GetType() GatewayType { - if x != nil { - return x.Type - } - return GatewayType_unspecified -} - -func (x *IstioMeshGatewaySpec) GetIstioControlPlane() *NamespacedName { - if x != nil { - return x.IstioControlPlane - } - return nil -} - -func (x *IstioMeshGatewaySpec) GetK8SResourceOverlays() []*K8SResourceOverlayPatch { - if x != nil { - return x.K8SResourceOverlays - } - return nil -} - -type Properties struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` -} - -func (x *Properties) Reset() { - *x = Properties{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiomeshgateway_proto_msgTypes[1] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *Properties) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*Properties) ProtoMessage() {} - -func (x *Properties) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiomeshgateway_proto_msgTypes[1] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use Properties.ProtoReflect.Descriptor instead. -func (*Properties) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiomeshgateway_proto_rawDescGZIP(), []int{1} -} - -func (x *Properties) GetName() string { - if x != nil { - return x.Name - } - return "" -} - -// -type IstioMeshGatewayStatus struct { - state protoimpl.MessageState - sizeCache protoimpl.SizeCache - unknownFields protoimpl.UnknownFields - - // Reconciliation status of the istio mesh gateway - Status ConfigState `protobuf:"varint,1,opt,name=Status,proto3,enum=istio_operator.v2.api.v1alpha1.ConfigState" json:"Status,omitempty"` - // Current address for the gateway - GatewayAddress []string `protobuf:"bytes,2,rep,name=GatewayAddress,proto3" json:"GatewayAddress,omitempty"` - // Reconciliation error message if any - ErrorMessage string `protobuf:"bytes,3,opt,name=ErrorMessage,proto3" json:"ErrorMessage,omitempty"` -} - -func (x *IstioMeshGatewayStatus) Reset() { - *x = IstioMeshGatewayStatus{} - if protoimpl.UnsafeEnabled { - mi := &file_api_v1alpha1_istiomeshgateway_proto_msgTypes[2] - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - ms.StoreMessageInfo(mi) - } -} - -func (x *IstioMeshGatewayStatus) String() string { - return protoimpl.X.MessageStringOf(x) -} - -func (*IstioMeshGatewayStatus) ProtoMessage() {} - -func (x *IstioMeshGatewayStatus) ProtoReflect() protoreflect.Message { - mi := &file_api_v1alpha1_istiomeshgateway_proto_msgTypes[2] - if protoimpl.UnsafeEnabled && x != nil { - ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) - if ms.LoadMessageInfo() == nil { - ms.StoreMessageInfo(mi) - } - return ms - } - return mi.MessageOf(x) -} - -// Deprecated: Use IstioMeshGatewayStatus.ProtoReflect.Descriptor instead. -func (*IstioMeshGatewayStatus) Descriptor() ([]byte, []int) { - return file_api_v1alpha1_istiomeshgateway_proto_rawDescGZIP(), []int{2} -} - -func (x *IstioMeshGatewayStatus) GetStatus() ConfigState { - if x != nil { - return x.Status - } - return ConfigState_Unspecified -} - -func (x *IstioMeshGatewayStatus) GetGatewayAddress() []string { - if x != nil { - return x.GatewayAddress - } - return nil -} - -func (x *IstioMeshGatewayStatus) GetErrorMessage() string { - if x != nil { - return x.ErrorMessage - } - return "" -} - -var File_api_v1alpha1_istiomeshgateway_proto protoreflect.FileDescriptor - -var file_api_v1alpha1_istiomeshgateway_proto_rawDesc = []byte{ - 0x0a, 0x23, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2f, 0x69, - 0x73, 0x74, 0x69, 0x6f, 0x6d, 0x65, 0x73, 0x68, 0x67, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, - 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, - 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x19, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, - 0x68, 0x61, 0x31, 0x2f, 0x63, 0x6f, 0x6d, 0x6d, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, - 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x1a, 0x22, 0x6b, 0x38, 0x73, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x63, 0x6f, - 0x72, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x67, 0x65, 0x6e, 0x65, 0x72, 0x61, 0x74, 0x65, 0x64, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x8d, 0x04, 0x0a, 0x14, 0x49, 0x73, 0x74, 0x69, 0x6f, 0x4d, - 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x53, 0x70, 0x65, 0x63, 0x12, 0x5c, - 0x0a, 0x0a, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x3c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, - 0x68, 0x61, 0x31, 0x2e, 0x42, 0x61, 0x73, 0x65, 0x4b, 0x75, 0x62, 0x65, 0x72, 0x6e, 0x65, 0x74, - 0x65, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, - 0x52, 0x0a, 0x64, 0x65, 0x70, 0x6c, 0x6f, 0x79, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x47, 0x0a, 0x07, - 0x73, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x27, 0x2e, - 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, - 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x53, - 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x07, 0x73, 0x65, - 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x38, 0x0a, 0x09, 0x72, 0x75, 0x6e, 0x41, 0x73, 0x52, 0x6f, - 0x6f, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x52, 0x09, 0x72, 0x75, 0x6e, 0x41, 0x73, 0x52, 0x6f, 0x6f, 0x74, 0x12, - 0x45, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x2b, 0x2e, - 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, - 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x47, - 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x54, 0x79, 0x70, 0x65, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, - 0x52, 0x04, 0x74, 0x79, 0x70, 0x65, 0x12, 0x62, 0x0a, 0x11, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x43, - 0x6f, 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x18, 0x05, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x2e, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, - 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x31, 0x2e, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x64, 0x4e, 0x61, 0x6d, - 0x65, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x11, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x43, 0x6f, - 0x6e, 0x74, 0x72, 0x6f, 0x6c, 0x50, 0x6c, 0x61, 0x6e, 0x65, 0x12, 0x69, 0x0a, 0x13, 0x6b, 0x38, - 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, 0x6c, 0x61, 0x79, - 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x37, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, - 0x6f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4b, 0x38, 0x73, 0x52, 0x65, 0x73, 0x6f, - 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, 0x72, 0x6c, 0x61, 0x79, 0x50, 0x61, 0x74, 0x63, 0x68, - 0x52, 0x13, 0x6b, 0x38, 0x73, 0x52, 0x65, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x4f, 0x76, 0x65, - 0x72, 0x6c, 0x61, 0x79, 0x73, 0x22, 0x20, 0x0a, 0x0a, 0x50, 0x72, 0x6f, 0x70, 0x65, 0x72, 0x74, - 0x69, 0x65, 0x73, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0xa9, 0x01, 0x0a, 0x16, 0x49, 0x73, 0x74, 0x69, - 0x6f, 0x4d, 0x65, 0x73, 0x68, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x53, 0x74, 0x61, 0x74, - 0x75, 0x73, 0x12, 0x43, 0x0a, 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x18, 0x01, 0x20, 0x01, - 0x28, 0x0e, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x5f, 0x6f, 0x70, 0x65, 0x72, 0x61, - 0x74, 0x6f, 0x72, 0x2e, 0x76, 0x32, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, - 0x68, 0x61, 0x31, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x53, 0x74, 0x61, 0x74, 0x65, 0x52, - 0x06, 0x53, 0x74, 0x61, 0x74, 0x75, 0x73, 0x12, 0x26, 0x0a, 0x0e, 0x47, 0x61, 0x74, 0x65, 0x77, - 0x61, 0x79, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, - 0x0e, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x41, 0x64, 0x64, 0x72, 0x65, 0x73, 0x73, 0x12, - 0x22, 0x0a, 0x0c, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x18, - 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x45, 0x72, 0x72, 0x6f, 0x72, 0x4d, 0x65, 0x73, 0x73, - 0x61, 0x67, 0x65, 0x2a, 0x37, 0x0a, 0x0b, 0x47, 0x61, 0x74, 0x65, 0x77, 0x61, 0x79, 0x54, 0x79, - 0x70, 0x65, 0x12, 0x0f, 0x0a, 0x0b, 0x75, 0x6e, 0x73, 0x70, 0x65, 0x63, 0x69, 0x66, 0x69, 0x65, - 0x64, 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x69, 0x6e, 0x67, 0x72, 0x65, 0x73, 0x73, 0x10, 0x01, - 0x12, 0x0a, 0x0a, 0x06, 0x65, 0x67, 0x72, 0x65, 0x73, 0x73, 0x10, 0x02, 0x42, 0x37, 0x5a, 0x35, - 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x62, 0x61, 0x6e, 0x7a, 0x61, - 0x69, 0x63, 0x6c, 0x6f, 0x75, 0x64, 0x2f, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2d, 0x6f, 0x70, 0x65, - 0x72, 0x61, 0x74, 0x6f, 0x72, 0x2f, 0x76, 0x32, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x76, 0x31, 0x61, - 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, -} - -var ( - file_api_v1alpha1_istiomeshgateway_proto_rawDescOnce sync.Once - file_api_v1alpha1_istiomeshgateway_proto_rawDescData = file_api_v1alpha1_istiomeshgateway_proto_rawDesc -) - -func file_api_v1alpha1_istiomeshgateway_proto_rawDescGZIP() []byte { - file_api_v1alpha1_istiomeshgateway_proto_rawDescOnce.Do(func() { - file_api_v1alpha1_istiomeshgateway_proto_rawDescData = protoimpl.X.CompressGZIP(file_api_v1alpha1_istiomeshgateway_proto_rawDescData) - }) - return file_api_v1alpha1_istiomeshgateway_proto_rawDescData -} - -var file_api_v1alpha1_istiomeshgateway_proto_enumTypes = make([]protoimpl.EnumInfo, 1) -var file_api_v1alpha1_istiomeshgateway_proto_msgTypes = make([]protoimpl.MessageInfo, 3) -var file_api_v1alpha1_istiomeshgateway_proto_goTypes = []interface{}{ - (GatewayType)(0), // 0: istio_operator.v2.api.v1alpha1.GatewayType - (*IstioMeshGatewaySpec)(nil), // 1: istio_operator.v2.api.v1alpha1.IstioMeshGatewaySpec - (*Properties)(nil), // 2: istio_operator.v2.api.v1alpha1.Properties - (*IstioMeshGatewayStatus)(nil), // 3: istio_operator.v2.api.v1alpha1.IstioMeshGatewayStatus - (*BaseKubernetesResourceConfig)(nil), // 4: istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig - (*Service)(nil), // 5: istio_operator.v2.api.v1alpha1.Service - (*wrappers.BoolValue)(nil), // 6: google.protobuf.BoolValue - (*NamespacedName)(nil), // 7: istio_operator.v2.api.v1alpha1.NamespacedName - (*K8SResourceOverlayPatch)(nil), // 8: istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch - (ConfigState)(0), // 9: istio_operator.v2.api.v1alpha1.ConfigState -} -var file_api_v1alpha1_istiomeshgateway_proto_depIdxs = []int32{ - 4, // 0: istio_operator.v2.api.v1alpha1.IstioMeshGatewaySpec.deployment:type_name -> istio_operator.v2.api.v1alpha1.BaseKubernetesResourceConfig - 5, // 1: istio_operator.v2.api.v1alpha1.IstioMeshGatewaySpec.service:type_name -> istio_operator.v2.api.v1alpha1.Service - 6, // 2: istio_operator.v2.api.v1alpha1.IstioMeshGatewaySpec.runAsRoot:type_name -> google.protobuf.BoolValue - 0, // 3: istio_operator.v2.api.v1alpha1.IstioMeshGatewaySpec.type:type_name -> istio_operator.v2.api.v1alpha1.GatewayType - 7, // 4: istio_operator.v2.api.v1alpha1.IstioMeshGatewaySpec.istioControlPlane:type_name -> istio_operator.v2.api.v1alpha1.NamespacedName - 8, // 5: istio_operator.v2.api.v1alpha1.IstioMeshGatewaySpec.k8sResourceOverlays:type_name -> istio_operator.v2.api.v1alpha1.K8sResourceOverlayPatch - 9, // 6: istio_operator.v2.api.v1alpha1.IstioMeshGatewayStatus.Status:type_name -> istio_operator.v2.api.v1alpha1.ConfigState - 7, // [7:7] is the sub-list for method output_type - 7, // [7:7] is the sub-list for method input_type - 7, // [7:7] is the sub-list for extension type_name - 7, // [7:7] is the sub-list for extension extendee - 0, // [0:7] is the sub-list for field type_name -} - -func init() { file_api_v1alpha1_istiomeshgateway_proto_init() } -func file_api_v1alpha1_istiomeshgateway_proto_init() { - if File_api_v1alpha1_istiomeshgateway_proto != nil { - return - } - file_api_v1alpha1_common_proto_init() - if !protoimpl.UnsafeEnabled { - file_api_v1alpha1_istiomeshgateway_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*IstioMeshGatewaySpec); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiomeshgateway_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*Properties); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - file_api_v1alpha1_istiomeshgateway_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { - switch v := v.(*IstioMeshGatewayStatus); i { - case 0: - return &v.state - case 1: - return &v.sizeCache - case 2: - return &v.unknownFields - default: - return nil - } - } - } - type x struct{} - out := protoimpl.TypeBuilder{ - File: protoimpl.DescBuilder{ - GoPackagePath: reflect.TypeOf(x{}).PkgPath(), - RawDescriptor: file_api_v1alpha1_istiomeshgateway_proto_rawDesc, - NumEnums: 1, - NumMessages: 3, - NumExtensions: 0, - NumServices: 0, - }, - GoTypes: file_api_v1alpha1_istiomeshgateway_proto_goTypes, - DependencyIndexes: file_api_v1alpha1_istiomeshgateway_proto_depIdxs, - EnumInfos: file_api_v1alpha1_istiomeshgateway_proto_enumTypes, - MessageInfos: file_api_v1alpha1_istiomeshgateway_proto_msgTypes, - }.Build() - File_api_v1alpha1_istiomeshgateway_proto = out.File - file_api_v1alpha1_istiomeshgateway_proto_rawDesc = nil - file_api_v1alpha1_istiomeshgateway_proto_goTypes = nil - file_api_v1alpha1_istiomeshgateway_proto_depIdxs = nil -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway.pb.html b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway.pb.html deleted file mode 100644 index db699ed8a..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway.pb.html +++ /dev/null @@ -1,856 +0,0 @@ ---- -title: Istio Mesh Gateway Spec -description: Istio Mesh Gateway descriptor -layout: protoc-gen-docs -generator: protoc-gen-docs -schema: istio-operator.api.v1alpha1.IstioMeshGatewaySpec -number_of_entries: 9 ---- -

IstioMeshGatewaySpec

-
-

IstioMeshGateway defines an Istio ingress or egress gateway

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
deploymentBaseKubernetesResourceConfig -

Deployment spec

- -		 -No -
serviceService -

Service spec

- -		 -Yes -
runAsRootBoolValue -

Whether to run the gateway in a privileged container

- -		 -No -
typeGatewayType -

Type of gateway, either ingress or egress -+kubebuilder:validation:Enum=ingress;egress

- -		 -Yes -
istioControlPlaneNamespacedName -

Istio CR to which this gateway belongs to

- -		 -Yes -
k8sResourceOverlaysK8sResourceOverlayPatch[] -

K8s resource overlay patches

- -		 -No -
-
-

Properties

-
- - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
namestring - -No -
-
-

IstioMeshGatewayStatus

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
StatusConfigState -

Reconciliation status of the istio mesh gateway

- -		 -No -
GatewayAddressstring[] -

Current address for the gateway

- -		 -No -
ErrorMessagestring -

Reconciliation error message if any

- -		 -No -
-
-

BaseKubernetesResourceConfig

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
metadataK8sObjectMeta -

Generic k8s resource metadata

- -		 -No -
imagestring -

Standard Kubernetes container image configuration

- -		 -No -
envEnvVar[] -

If present will be appended to the environment variables of the container

- -		 -No -
resourcesResourceRequirements -

Standard Kubernetes resource configuration, memory and CPU resource requirements

- -		 -No -
nodeSelectormap<string, string> -

Standard Kubernetes node selector configuration

- -		 -No -
affinityAffinity -

Standard Kubernetes affinity configuration

- -		 -No -
securityContextSecurityContext -

Standard Kubernetes security context configuration

- -		 -No -
imagePullPolicystring -

Image pull policy. -One of Always, Never, IfNotPresent. -Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. -+optional

- -		 -No -
imagePullSecretsLocalObjectReference[] -

ImagePullSecrets is an optional list of references to secrets to use for pulling any of the images. -+optional

- -		 -No -
priorityClassNamestring -

If specified, indicates the pod’s priority. “system-node-critical” and -“system-cluster-critical” are two special keywords which indicate the -highest priorities with the former being the highest priority. Any other -name must be defined by creating a PriorityClass object with that name. -If not specified, the pod priority will be default or zero if there is no -default. -+optional

- -		 -No -
tolerationsToleration[] -

If specified, the pod’s tolerations. -+optional

- -		 -No -
volumesVolume[] -

List of volumes that can be mounted by containers belonging to the pod. -More info: https://kubernetes.io/docs/concepts/storage/volumes -+optional -+patchMergeKey=name -+patchStrategy=merge,retainKeys

- -		 -No -
volumeMountsVolumeMount[] -

Pod volumes to mount into the container’s filesystem. -Cannot be updated. -+optional -+patchMergeKey=mountPath -+patchStrategy=merge

- -		 -No -
replicasReplicas -

Replica configuration

- -		 -No -
podMetadataK8sObjectMeta -

Standard Kubernetes pod annotation and label configuration

- -		 -No -
podDisruptionBudgetPodDisruptionBudget -

PodDisruptionBudget configuration

- -		 -No -
deploymentStrategyDeploymentStrategy -

DeploymentStrategy configuration

- -		 -No -
podSecurityContextPodSecurityContext -

Standard Kubernetes pod security context configuration

- -		 -No -
livenessProbeProbe -

Periodic probe of container liveness. -Container will be restarted if the probe fails. -Cannot be updated. -More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes -+optional

- -		 -No -
readinessProbeProbe -

Periodic probe of container service readiness. -Container will be removed from service endpoints if the probe fails. -Cannot be updated. -More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes -+optional

- -		 -No -
topologySpreadConstraintsTopologySpreadConstraint[] -

Used to control how Pods are spread across a cluster among failure-domains. -This can help to achieve high availability as well as efficient resource utilization. -More info: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints -+optional

- -		 -No -
-
-

Service

-
-

Service describes the attributes that a user creates on a service.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
metadataK8sObjectMeta - -No -
portsServicePort[] -

The list of ports that are exposed by this service. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+patchMergeKey=port -+patchStrategy=merge -+listType=map -+listMapKey=port -+listMapKey=protocol -+kubebuilder:validation:MinItems=1

- -		 -Yes -
selectormap<string, string> -

Route service traffic to pods with label keys and values matching this -selector. If empty or not present, the service is assumed to have an -external process managing its endpoints, which Kubernetes will not -modify. Only applies to types ClusterIP, NodePort, and LoadBalancer. -Ignored if type is ExternalName. -More info: https://kubernetes.io/docs/concepts/services-networking/service/ -+optional

- -		 -No -
clusterIPstring -

clusterIP is the IP address of the service and is usually assigned -randomly by the master. If an address is specified manually and is not in -use by others, it will be allocated to the service; otherwise, creation -of the service will fail. This field can not be changed through updates. -Valid values are “None”, empty string (“”), or a valid IP address. “None” -can be specified for headless services when proxying is not required. -Only applies to types ClusterIP, NodePort, and LoadBalancer. Ignored if -type is ExternalName. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+optional

- -		 -No -
typestring -

type determines how the Service is exposed. Defaults to ClusterIP. Valid -options are ExternalName, ClusterIP, NodePort, and LoadBalancer. -“ExternalName” maps to the specified externalName. -“ClusterIP” allocates a cluster-internal IP address for load-balancing to -endpoints. Endpoints are determined by the selector or if that is not -specified, by manual construction of an Endpoints object. If clusterIP is -“None”, no virtual IP is allocated and the endpoints are published as a -set of endpoints rather than a stable IP. -“NodePort” builds on ClusterIP and allocates a port on every node which -routes to the clusterIP. -“LoadBalancer” builds on NodePort and creates an -external load-balancer (if supported in the current cloud) which routes -to the clusterIP. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types -+optional -+kubebuilder:validation:Enum=ClusterIP;NodePort;LoadBalancer

- -		 -Yes -
externalIPsstring[] -

externalIPs is a list of IP addresses for which nodes in the cluster -will also accept traffic for this service. These IPs are not managed by -Kubernetes. The user is responsible for ensuring that traffic arrives -at a node with this IP. A common example is external load-balancers -that are not part of the Kubernetes system. -+optional

- -		 -No -
sessionAffinitystring -

Supports “ClientIP” and “None”. Used to maintain session affinity. -Enable client IP based session affinity. -Must be ClientIP or None. -Defaults to None. -More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies -+optional

- -		 -No -
loadBalancerIPstring -

Only applies to Service Type: LoadBalancer -LoadBalancer will get created with the IP specified in this field. -This feature depends on whether the underlying cloud-provider supports specifying -the loadBalancerIP when a load balancer is created. -This field will be ignored if the cloud-provider does not support the feature. -+optional

- -		 -No -
loadBalancerSourceRangesstring[] -

If specified and supported by the platform, this will restrict traffic through the cloud-provider -load-balancer will be restricted to the specified client IPs. This field will be ignored if the -cloud-provider does not support the feature.” -More info: https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/ -+optional

- -		 -No -
externalNamestring -

externalName is the external reference that kubedns or equivalent will -return as a CNAME record for this service. No proxying will be involved. -Must be a valid RFC-1123 hostname (https://tools.ietf.org/html/rfc1123) -and requires Type to be ExternalName. -+optional

- -		 -No -
externalTrafficPolicystring -

externalTrafficPolicy denotes if this Service desires to route external -traffic to node-local or cluster-wide endpoints. “Local” preserves the -client source IP and avoids a second hop for LoadBalancer and Nodeport -type services, but risks potentially imbalanced traffic spreading. -“Cluster” obscures the client source IP and may cause a second hop to -another node, but should have good overall load-spreading. -+optional

- -		 -No -
healthCheckNodePortint32 -

healthCheckNodePort specifies the healthcheck nodePort for the service. -If not specified, HealthCheckNodePort is created by the service api -backend with the allocated nodePort. Will use user-specified nodePort value -if specified by the client. Only effects when Type is set to LoadBalancer -and ExternalTrafficPolicy is set to Local. -+optional

- -		 -No -
publishNotReadyAddressesBoolValue -

publishNotReadyAddresses, when set to true, indicates that DNS implementations -must publish the notReadyAddresses of subsets for the Endpoints associated with -the Service. The default value is false. -The primary use case for setting this field is to use a StatefulSet’s Headless Service -to propagate SRV records for its Pods without respect to their readiness for purpose -of peer discovery. -+optional

- -		 -No -
sessionAffinityConfigSessionAffinityConfig -

sessionAffinityConfig contains the configurations of session affinity. -+optional

- -		 -No -
ipFamilystring -

ipFamily specifies whether this Service has a preference for a particular IP family (e.g. IPv4 vs. -IPv6). If a specific IP family is requested, the clusterIP field will be allocated from that family, if it is -available in the cluster. If no IP family is requested, the cluster’s primary IP family will be used. -Other IP fields (loadBalancerIP, loadBalancerSourceRanges, externalIPs) and controllers which -allocate external load-balancers should use the same IP family. Endpoints for this Service will be of -this family. This field is immutable after creation. Assigning a ServiceIPFamily not available in the -cluster (e.g. IPv6 in IPv4 only cluster) is an error condition and will fail during clusterIP assignment. -+optional

- -		 -No -
-
-

NamespacedName

-
- - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
namestring -

Name of the referenced Kubernetes resource

- -		 -No -
namespacestring -

Namespace of the referenced Kubernetes resource

- -		 -No -
-
-

K8sResourceOverlayPatch

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FieldTypeDescriptionRequired
groupVersionKindGroupVersionKind - -No -
objectKeyNamespacedName - -No -
patchesPatch[] - -No -
-
-

GatewayType

-
- - - - - - - - - - - - - - - - - - - - - -
NameDescription
unspecified -
ingress -
egress -
-
-

ConfigState

-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NameDescription
Unspecified -
Created -
ReconcileFailed -
Reconciling -
Available -
Unmanaged -
-
diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway.proto b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway.proto deleted file mode 100644 index 42029d8da..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway.proto +++ /dev/null @@ -1,99 +0,0 @@ -// Copyright 2021 Cisco Systems, Inc. and/or its affiliates. -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -syntax = "proto3"; - -import "google/protobuf/wrappers.proto"; -import "api/v1alpha1/common.proto"; -import "google/api/field_behavior.proto"; -import "k8s.io/api/core/v1/generated.proto"; - -// $schema: istio-operator.api.v1alpha1.IstioMeshGatewaySpec -// $title: Istio Mesh Gateway Spec -// $description: Istio Mesh Gateway descriptor - -package istio_operator.v2.api.v1alpha1; - -option go_package = "github.com/banzaicloud/istio-operator/v2/api/v1alpha1"; - -// IstioMeshGateway defines an Istio ingress or egress gateway -// -// -// -// -message IstioMeshGatewaySpec { - // Deployment spec - BaseKubernetesResourceConfig deployment = 1; - - // Service spec - Service service = 2 [(google.api.field_behavior) = REQUIRED]; - - // Whether to run the gateway in a privileged container - google.protobuf.BoolValue runAsRoot = 3; - - // Type of gateway, either ingress or egress - // +kubebuilder:validation:Enum=ingress;egress - GatewayType type = 4 [(google.api.field_behavior) = REQUIRED]; - - // Istio CR to which this gateway belongs to - NamespacedName istioControlPlane = 5 [(google.api.field_behavior) = REQUIRED]; - - // K8s resource overlay patches - repeated K8sResourceOverlayPatch k8sResourceOverlays = 6; -} - -message Properties { - string name = 1; -} - -enum GatewayType { - unspecified = 0; - ingress = 1; - egress = 2; -} - -// -message IstioMeshGatewayStatus { - // Reconciliation status of the istio mesh gateway - ConfigState Status = 1; - - // Current address for the gateway - repeated string GatewayAddress = 2; - - // Reconciliation error message if any - string ErrorMessage = 3; -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway_deepcopy.gen.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway_deepcopy.gen.go deleted file mode 100644 index dd4b6acc3..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway_deepcopy.gen.go +++ /dev/null @@ -1,69 +0,0 @@ -// Code generated by protoc-gen-deepcopy. DO NOT EDIT. -package v1alpha1 - -import ( - proto "github.com/golang/protobuf/proto" -) - -// DeepCopyInto supports using IstioMeshGatewaySpec within kubernetes types, where deepcopy-gen is used. -func (in *IstioMeshGatewaySpec) DeepCopyInto(out *IstioMeshGatewaySpec) { - p := proto.Clone(in).(*IstioMeshGatewaySpec) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshGatewaySpec. Required by controller-gen. -func (in *IstioMeshGatewaySpec) DeepCopy() *IstioMeshGatewaySpec { - if in == nil { - return nil - } - out := new(IstioMeshGatewaySpec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshGatewaySpec. Required by controller-gen. -func (in *IstioMeshGatewaySpec) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using Properties within kubernetes types, where deepcopy-gen is used. -func (in *Properties) DeepCopyInto(out *Properties) { - p := proto.Clone(in).(*Properties) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Properties. Required by controller-gen. -func (in *Properties) DeepCopy() *Properties { - if in == nil { - return nil - } - out := new(Properties) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Properties. Required by controller-gen. -func (in *Properties) DeepCopyInterface() interface{} { - return in.DeepCopy() -} - -// DeepCopyInto supports using IstioMeshGatewayStatus within kubernetes types, where deepcopy-gen is used. -func (in *IstioMeshGatewayStatus) DeepCopyInto(out *IstioMeshGatewayStatus) { - p := proto.Clone(in).(*IstioMeshGatewayStatus) - *out = *p -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshGatewayStatus. Required by controller-gen. -func (in *IstioMeshGatewayStatus) DeepCopy() *IstioMeshGatewayStatus { - if in == nil { - return nil - } - out := new(IstioMeshGatewayStatus) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshGatewayStatus. Required by controller-gen. -func (in *IstioMeshGatewayStatus) DeepCopyInterface() interface{} { - return in.DeepCopy() -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway_json.gen.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway_json.gen.go deleted file mode 100644 index f6a13d297..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway_json.gen.go +++ /dev/null @@ -1,45 +0,0 @@ -// Code generated by protoc-gen-jsonshim. DO NOT EDIT. -package v1alpha1 - -import ( - bytes "bytes" - jsonpb "github.com/golang/protobuf/jsonpb" -) - -// MarshalJSON is a custom marshaler for IstioMeshGatewaySpec -func (this *IstioMeshGatewaySpec) MarshalJSON() ([]byte, error) { - str, err := IstiomeshgatewayMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for IstioMeshGatewaySpec -func (this *IstioMeshGatewaySpec) UnmarshalJSON(b []byte) error { - return IstiomeshgatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for Properties -func (this *Properties) MarshalJSON() ([]byte, error) { - str, err := IstiomeshgatewayMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for Properties -func (this *Properties) UnmarshalJSON(b []byte) error { - return IstiomeshgatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for IstioMeshGatewayStatus -func (this *IstioMeshGatewayStatus) MarshalJSON() ([]byte, error) { - str, err := IstiomeshgatewayMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for IstioMeshGatewayStatus -func (this *IstioMeshGatewayStatus) UnmarshalJSON(b []byte) error { - return IstiomeshgatewayUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -var ( - IstiomeshgatewayMarshaler = &jsonpb.Marshaler{} - IstiomeshgatewayUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} -) diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway_types.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway_types.go deleted file mode 100644 index f8cb5bf9e..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/istiomeshgateway_types.go +++ /dev/null @@ -1,116 +0,0 @@ -/* -Copyright 2021 Cisco Systems, Inc. and/or its affiliates. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package v1alpha1 - -import ( - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" -) - -const ( - SidecarInjectionChecksumAnnotation = "sidecar.istio.servicemesh.cisco.com/injection-checksum" - MeshConfigChecksumAnnotation = "sidecar.istio.servicemesh.cisco.com/meshconfig-checksum" -) - -// +kubebuilder:object:root=true - -// IstioMeshGateway is the Schema for the istiomeshgateways API -type IstioMeshGateway struct { - metav1.TypeMeta `json:",inline"` - metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - - Spec *IstioMeshGatewaySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` - Status *IstioMeshGatewayStatus `json:"status,omitempty"` -} - -func (imgw *IstioMeshGateway) SetStatus(status ConfigState, errorMessage string) { - imgw.GetStatus().Status = status - imgw.GetStatus().ErrorMessage = errorMessage -} - -func (imgw *IstioMeshGateway) GetStatus() *IstioMeshGatewayStatus { - if imgw.Status == nil { - imgw.Status = &IstioMeshGatewayStatus{} - } - - return imgw.Status -} - -func (imgw *IstioMeshGateway) GetSpec() *IstioMeshGatewaySpec { - if imgw.Spec != nil { - return imgw.Spec - } - - return nil -} - -// +kubebuilder:object:generate=false -type IstioMeshGatewayWithProperties struct { - *IstioMeshGateway `json:"istiomeshgateway,omitempty"` - Properties IstioMeshGatewayProperties `json:"properties,omitempty"` -} - -func (p *IstioMeshGatewayWithProperties) SetDefaults() { - annotations := p.IstioMeshGateway.GetSpec().GetDeployment().GetPodMetadata().GetAnnotations() - if annotations == nil { - annotations = make(map[string]string) - } - if p.Properties.InjectionChecksum != "" { - annotations[SidecarInjectionChecksumAnnotation] = p.Properties.InjectionChecksum - } - if p.Properties.MeshConfigChecksum != "" { - annotations[MeshConfigChecksumAnnotation] = p.Properties.MeshConfigChecksum - } - if p.IstioMeshGateway.GetSpec().GetDeployment() == nil { - p.IstioMeshGateway.GetSpec().Deployment = &BaseKubernetesResourceConfig{} - } - if p.IstioMeshGateway.GetSpec().GetDeployment().GetPodMetadata() == nil { - p.IstioMeshGateway.GetSpec().GetDeployment().PodMetadata = &K8SObjectMeta{} - } - p.IstioMeshGateway.GetSpec().GetDeployment().GetPodMetadata().Annotations = annotations -} - -// Properties of the IstioMeshGateway -type IstioMeshGatewayProperties struct { - Revision string `json:"revision,omitempty"` - EnablePrometheusMerge *bool `json:"enablePrometheusMerge,omitempty"` - InjectionTemplate string `json:"injectionTemplate,omitempty"` - InjectionChecksum string `json:"injectionChecksum,omitempty"` - MeshConfigChecksum string `json:"meshConfigChecksum,omitempty"` - IstioControlPlane *IstioControlPlane `json:"istioControlPlane,omitempty"` - GenerateExternalService bool `json:"generateExternalService,omitempty"` -} - -func (p IstioMeshGatewayProperties) GetIstioControlPlane() *IstioControlPlane { - if p.IstioControlPlane != nil { - return p.IstioControlPlane - } - - return &IstioControlPlane{} -} - -// +kubebuilder:object:root=true - -// IstioMeshGatewayList contains a list of IstioMeshGateway -type IstioMeshGatewayList struct { - metav1.TypeMeta `json:",inline"` - metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []IstioMeshGateway `json:"items" protobuf:"bytes,2,rep,name=items"` -} - -func init() { - SchemeBuilder.Register(&IstioMeshGateway{}, &IstioMeshGatewayList{}) -} diff --git a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/zz_generated.deepcopy.go b/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/zz_generated.deepcopy.go deleted file mode 100644 index 0fddf0ca8..000000000 --- a/third_party/github.com/banzaicloud/istio-operator/api/v1alpha1/zz_generated.deepcopy.go +++ /dev/null @@ -1,411 +0,0 @@ -//go:build !ignore_autogenerated -// +build !ignore_autogenerated - -/* -Copyright 2021 Cisco Systems, Inc. and/or its affiliates. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// Code generated by controller-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "k8s.io/api/core/v1" - runtime "k8s.io/apimachinery/pkg/runtime" -) - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioControlPlane) DeepCopyInto(out *IstioControlPlane) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - if in.Spec != nil { - in, out := &in.Spec, &out.Spec - *out = (*in).DeepCopy() - } - if in.Status != nil { - in, out := &in.Status, &out.Status - *out = (*in).DeepCopy() - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioControlPlane. -func (in *IstioControlPlane) DeepCopy() *IstioControlPlane { - if in == nil { - return nil - } - out := new(IstioControlPlane) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *IstioControlPlane) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioControlPlaneList) DeepCopyInto(out *IstioControlPlaneList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]IstioControlPlane, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioControlPlaneList. -func (in *IstioControlPlaneList) DeepCopy() *IstioControlPlaneList { - if in == nil { - return nil - } - out := new(IstioControlPlaneList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *IstioControlPlaneList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioMesh) DeepCopyInto(out *IstioMesh) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - if in.Spec != nil { - in, out := &in.Spec, &out.Spec - *out = (*in).DeepCopy() - } - if in.Status != nil { - in, out := &in.Status, &out.Status - *out = (*in).DeepCopy() - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMesh. -func (in *IstioMesh) DeepCopy() *IstioMesh { - if in == nil { - return nil - } - out := new(IstioMesh) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *IstioMesh) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioMeshGateway) DeepCopyInto(out *IstioMeshGateway) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - if in.Spec != nil { - in, out := &in.Spec, &out.Spec - *out = (*in).DeepCopy() - } - if in.Status != nil { - in, out := &in.Status, &out.Status - *out = (*in).DeepCopy() - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshGateway. -func (in *IstioMeshGateway) DeepCopy() *IstioMeshGateway { - if in == nil { - return nil - } - out := new(IstioMeshGateway) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *IstioMeshGateway) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioMeshGatewayList) DeepCopyInto(out *IstioMeshGatewayList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]IstioMeshGateway, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshGatewayList. -func (in *IstioMeshGatewayList) DeepCopy() *IstioMeshGatewayList { - if in == nil { - return nil - } - out := new(IstioMeshGatewayList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *IstioMeshGatewayList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioMeshGatewayProperties) DeepCopyInto(out *IstioMeshGatewayProperties) { - *out = *in - if in.EnablePrometheusMerge != nil { - in, out := &in.EnablePrometheusMerge, &out.EnablePrometheusMerge - *out = new(bool) - **out = **in - } - if in.IstioControlPlane != nil { - in, out := &in.IstioControlPlane, &out.IstioControlPlane - *out = new(IstioControlPlane) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshGatewayProperties. -func (in *IstioMeshGatewayProperties) DeepCopy() *IstioMeshGatewayProperties { - if in == nil { - return nil - } - out := new(IstioMeshGatewayProperties) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *IstioMeshList) DeepCopyInto(out *IstioMeshList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]IstioMesh, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IstioMeshList. -func (in *IstioMeshList) DeepCopy() *IstioMeshList { - if in == nil { - return nil - } - out := new(IstioMeshList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *IstioMeshList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PeerIstioControlPlane) DeepCopyInto(out *PeerIstioControlPlane) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - if in.Spec != nil { - in, out := &in.Spec, &out.Spec - *out = (*in).DeepCopy() - } - if in.Status != nil { - in, out := &in.Status, &out.Status - *out = (*in).DeepCopy() - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerIstioControlPlane. -func (in *PeerIstioControlPlane) DeepCopy() *PeerIstioControlPlane { - if in == nil { - return nil - } - out := new(PeerIstioControlPlane) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *PeerIstioControlPlane) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PeerIstioControlPlaneList) DeepCopyInto(out *PeerIstioControlPlaneList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]PeerIstioControlPlane, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerIstioControlPlaneList. -func (in *PeerIstioControlPlaneList) DeepCopy() *PeerIstioControlPlaneList { - if in == nil { - return nil - } - out := new(PeerIstioControlPlaneList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *PeerIstioControlPlaneList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Probe_Exec) DeepCopyInto(out *Probe_Exec) { - *out = *in - if in.Exec != nil { - in, out := &in.Exec, &out.Exec - *out = new(v1.ExecAction) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Probe_Exec. -func (in *Probe_Exec) DeepCopy() *Probe_Exec { - if in == nil { - return nil - } - out := new(Probe_Exec) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Probe_Grpc) DeepCopyInto(out *Probe_Grpc) { - *out = *in - if in.Grpc != nil { - in, out := &in.Grpc, &out.Grpc - *out = new(v1.GRPCAction) - (*in).DeepCopyInto(*out) - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Probe_Grpc. -func (in *Probe_Grpc) DeepCopy() *Probe_Grpc { - if in == nil { - return nil - } - out := new(Probe_Grpc) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Probe_HttpGet) DeepCopyInto(out *Probe_HttpGet) { - *out = *in - if in.HttpGet != nil { - in, out := &in.HttpGet, &out.HttpGet - *out = (*in).DeepCopy() - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Probe_HttpGet. -func (in *Probe_HttpGet) DeepCopy() *Probe_HttpGet { - if in == nil { - return nil - } - out := new(Probe_HttpGet) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *Probe_TcpSocket) DeepCopyInto(out *Probe_TcpSocket) { - *out = *in - if in.TcpSocket != nil { - in, out := &in.TcpSocket, &out.TcpSocket - *out = (*in).DeepCopy() - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Probe_TcpSocket. -func (in *Probe_TcpSocket) DeepCopy() *Probe_TcpSocket { - if in == nil { - return nil - } - out := new(Probe_TcpSocket) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in SortableIstioControlPlaneItems) DeepCopyInto(out *SortableIstioControlPlaneItems) { - { - in := &in - *out = make(SortableIstioControlPlaneItems, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SortableIstioControlPlaneItems. -func (in SortableIstioControlPlaneItems) DeepCopy() SortableIstioControlPlaneItems { - if in == nil { - return nil - } - out := new(SortableIstioControlPlaneItems) - in.DeepCopyInto(out) - return *out -} diff --git a/third_party/github.com/banzaicloud/k8s-objectmatcher/README.md b/third_party/github.com/banzaicloud/k8s-objectmatcher/README.md index 5e63a12b0..940b74db1 100644 --- a/third_party/github.com/banzaicloud/k8s-objectmatcher/README.md +++ b/third_party/github.com/banzaicloud/k8s-objectmatcher/README.md @@ -16,7 +16,7 @@ There is a legacy version of the lib, that is now deprecated and documented here The library uses the same method that `kubectl apply` does under the hood to calculate a patch using the [three way merge](http://www.drdobbs.com/tools/three-way-merging-a-look-under-the-hood/240164902) method. However for this to work properly we need to keep track of the last applied version of our object, let's call it the `original`. Unfortunately Kubernetes does -not keep track of our previously submitted object versions, but we can put it into an annotation like `kubectl apply` does. +not keep track of our previously submitted object versions, but we can put it into an annotation like `kubectl apply` does. Next time we query the `current` state of the object from the API Server we can extract the `original` version from the annotation. Once we have the the `original`, the `current` and our new `modified` object in place the library will take care of the rest. @@ -72,7 +72,7 @@ Example: opts := []patch.CalculateOption{ patch.IgnoreStatusFields(), } - + patchResult, err := patch.DefaultPatchMaker.Calculate(existing.(runtime.Object), newObject.(runtime.Object), opts...) if err != nil { return err @@ -89,7 +89,7 @@ This CalculateOption clears volumeClaimTemplate fields from both objects before #### IgnorePdbSelector -Checks `selector` fields of PDB objects before comparing and removes them if they match. `reflect.DeepEquals` is used for the equality check. +Checks `selector` fields of PDB objects before comparing and removes them if they match. `reflect.DeepEquals` is used for the equality check. This is required because map fields using `patchStrategy:"replace"` will always diff regardless if they are otherwise equal. #### IgnoreField("field-name-to-ignore") diff --git a/third_party/github.com/banzaicloud/k8s-objectmatcher/docs/legacy.md b/third_party/github.com/banzaicloud/k8s-objectmatcher/docs/legacy.md index 9e07ced90..d4ac36ba6 100644 --- a/third_party/github.com/banzaicloud/k8s-objectmatcher/docs/legacy.md +++ b/third_party/github.com/banzaicloud/k8s-objectmatcher/docs/legacy.md @@ -33,11 +33,11 @@ objectMatcher.Match(e.ObjectOld, e.ObjectNew) ### The idea -There are existing libraries in the wild that can calculate a patch by giving them two different objects. If the patch is empty the two objects match and we are ready, right? +There are existing libraries in the wild that can calculate a patch by giving them two different objects. If the patch is empty the two objects match and we are ready, right? Well not quite. JSON Merge Patch, defined by [rfc7396](https://tools.ietf.org/html/rfc7396) replaces lists completely which is not always what we need. Kubernetes defines and uses a modified version called [strategic merge patch](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-api-machinery/strategic-merge-patch.md). -Strategic Merge Patch extends the JSON Merge Patch format by adding explicit directives for deleting, replacing, ordering and merging lists. +Strategic Merge Patch extends the JSON Merge Patch format by adding explicit directives for deleting, replacing, ordering and merging lists. It uses the go struct tag of the API objects to determine what lists should be merged and which ones should not. Worth to note it's not tied to Kubernetes objects only, so we can use this for matching custom go structs as well. @@ -46,21 +46,21 @@ Kubernetes objects only, so we can use this for matching custom go structs as we #### Defaults and version compatibility As outlined previously Kubernetes objects are amended with different default values when submitted. For example PodSpec.RestartPolicy will be set to "Always" when -ommitted from the object, so we will have a mismatch when we try to compare it later. This library uses the same functions to set the default values on the local -objects before matching so that they won't differ. +ommitted from the object, so we will have a mismatch when we try to compare it later. This library uses the same functions to set the default values on the local +objects before matching so that they won't differ. -Since the defaults functions are defined in the main kubernetes repo, there is a higher chance that objects decorated using these functions will be incompatible +Since the defaults functions are defined in the main kubernetes repo, there is a higher chance that objects decorated using these functions will be incompatible when comparing them with objects coming from different server versions. Also since the library depends on the kubernetes repo it is more tightly coupled to it's version. -To preserve compatibility between the client and server versions [.circleci/config.yml](.circleci/config.yml) contains jobs that run the integration test suite against Kubernetes +To preserve compatibility between the client and server versions [.circleci/config.yml](.circleci/config.yml) contains jobs that run the integration test suite against Kubernetes versions from 1.10 to 1.14. The library itself is known and tested to be working with operators depending on Kubernetes client version 1.12 and 1.13. #### Generated values -There are values that are generated by the API Server dynamically. To workaround this the library removes null fields from the patch as long as it's not inside a list. -(In case of lists, even if we remove null fields we would still left with `setElementOrder` directives) -This works as long as we don't set/unset complete fields on the objects conditionally, because in that case we would miss to detect a change to unset something. +There are values that are generated by the API Server dynamically. To workaround this the library removes null fields from the patch as long as it's not inside a list. +(In case of lists, even if we remove null fields we would still left with `setElementOrder` directives) +This works as long as we don't set/unset complete fields on the objects conditionally, because in that case we would miss to detect a change to unset something. -In case a field gets removed from somewhere inside a list we have to explicitly tell to ignore it. One example is NodePort in Service objects, see [service.go](service.go). +In case a field gets removed from somewhere inside a list we have to explicitly tell to ignore it. One example is NodePort in Service objects, see [service.go](service.go). Another example is Volume and VolumeMount generated automatically for the service account token, see [pod.go](pod.go). diff --git a/third_party/github.com/banzaicloud/operator-tools/cmd/docs.go b/third_party/github.com/banzaicloud/operator-tools/cmd/docs.go index c43097527..933f1cd2b 100644 --- a/third_party/github.com/banzaicloud/operator-tools/cmd/docs.go +++ b/third_party/github.com/banzaicloud/operator-tools/cmd/docs.go @@ -55,7 +55,7 @@ func crds() { lister.Header = heredoc.Doc(` # Available Types - + For more information please click on the name
diff --git a/third_party/github.com/banzaicloud/operator-tools/pkg/reconciler/README.md b/third_party/github.com/banzaicloud/operator-tools/pkg/reconciler/README.md index 82b39696d..cfabeaa54 100644 --- a/third_party/github.com/banzaicloud/operator-tools/pkg/reconciler/README.md +++ b/third_party/github.com/banzaicloud/operator-tools/pkg/reconciler/README.md @@ -24,13 +24,13 @@ import ( func example(client runtimeClient.Client, logger logr.Logger) { resourceReconciler := reconciler.NewReconcilerWith(client, reconciler.WithLog(logger)) - + serviceObject := &corev1.Service{ Spec: corev1.ServiceSpec{ ... }, } - + result, err := resourceReconciler.ReconcileResource(serviceObject, reconciler.StatePresent) } diff --git a/third_party/github.com/banzaicloud/operator-tools/pkg/secret/README.md b/third_party/github.com/banzaicloud/operator-tools/pkg/secret/README.md index 90ab3ee09..ee712f625 100644 --- a/third_party/github.com/banzaicloud/operator-tools/pkg/secret/README.md +++ b/third_party/github.com/banzaicloud/operator-tools/pkg/secret/README.md @@ -5,10 +5,10 @@ Currently it supports Kubernetes secrets only, but it can be extended to refer to secrets in custom secret stores as well. -There are two main approaches to load secrets and one for testing. - +There are two main approaches to load secrets and one for testing. + 1. Load the secrets and return with their value directly if `ValueFrom` is set. -1. Load the secrets in the background if `MountFrom` is set, but return only the full path where they should be available in a container. +1. Load the secrets in the background if `MountFrom` is set, but return only the full path where they should be available in a container. It's the callers responsibility to make those secrets available on that given path, e.g. by creating an aggregated secret with all the referenced secrets and mount it into the container through a secret volume (this is how we use it). 1. Load the value directly if `Value` is set. (This is only good for testing.) diff --git a/third_party/github.com/banzaicloud/operator-tools/pkg/volume/README.md b/third_party/github.com/banzaicloud/operator-tools/pkg/volume/README.md index 9e158bbda..da4d6c338 100644 --- a/third_party/github.com/banzaicloud/operator-tools/pkg/volume/README.md +++ b/third_party/github.com/banzaicloud/operator-tools/pkg/volume/README.md @@ -5,7 +5,7 @@ Configure volumes in custom types for underlying pods in a uniform way. ```go type SomeCustomApp struct { - BufferStorage *volume.KubernetesVolume `json:"bufferStorage,omitempty"` + BufferStorage *volume.KubernetesVolume `json:"bufferStorage,omitempty"` } ```