admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

upgrade controller-tools to v0.4.1

Browse Source 
Signed-off-by: yuswift <yuswift2018@gmail.com>
This commit is contained in:
yuswift
2021-04-12 16:31:10 +08:00
parent adef4b5e43
commit 644a08aff3
28 changed files with 1817 additions and 147 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
config/crds/network.kubesphere.io_namespacenetworkpolicies.yaml generated
View File

@@ -53,6 +53,7 @@ spec:
description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
x-kubernetes-int-or-string: true
protocol:
default: TCP
description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
type: string
type: object
@@ -152,6 +153,7 @@ spec:
description: The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.
x-kubernetes-int-or-string: true
protocol:
default: TCP
description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
type: string
type: object

930
config/crds/servicemesh.kubesphere.io_servicepolicies.yaml generated
View File

@@ -70,6 +70,936 @@ spec:
type: object
spec:
description: Spec indicates the behavior of a destination rule.
properties:
export_to:
description: "A list of namespaces to which this destination rule is exported. The resolution of a destination rule to apply to a service occurs in the context of a hierarchy of namespaces. Exporting a destination rule allows it to be included in the resolution hierarchy for services in other namespaces. This feature provides a mechanism for service owners and mesh administrators to control the visibility of destination rules across namespace boundaries. \n If no namespaces are specified then the destination rule is exported to all namespaces by default. \n The value \".\" is reserved and defines an export to the same namespace that the destination rule is declared in. Similarly, the value \"*\" is reserved and defines an export to all namespaces. \n NOTE: in the current release, the `exportTo` value is restricted to \".\" or \"*\" (i.e., the current namespace or all namespaces)."
items:
type: string
type: array
host:
description: "The name of a service from the service registry. Service names are looked up from the platform's service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by [ServiceEntries](https://istio.io/docs/reference/config/networking/service-entry/#ServiceEntry). Rules defined for services that do not exist in the service registry will be ignored. \n *Note for Kubernetes users*: When short names are used (e.g. \"reviews\" instead of \"reviews.default.svc.cluster.local\"), Istio will interpret the short name based on the namespace of the rule, not the service. A rule in the \"default\" namespace containing a host \"reviews\" will be interpreted as \"reviews.default.svc.cluster.local\", irrespective of the actual namespace associated with the reviews service. _To avoid potential misconfigurations, it is recommended to always use fully qualified domain names over short names._ \n Note that the host field applies to both HTTP and TCP services."
type: string
subsets:
description: One or more named sets that represent individual versions of a service. Traffic policies can be overridden at subset level.
items:
description: "A subset of endpoints of a service. Subsets can be used for scenarios like A/B testing, or routing to a specific version of a service. Refer to [VirtualService](https://istio.io/docs/reference/config/networking/virtual-service/#VirtualService) documentation for examples of using subsets in these scenarios. In addition, traffic policies defined at the service-level can be overridden at a subset-level. The following rule uses a round robin load balancing policy for all traffic going to a subset named testversion that is composed of endpoints (e.g., pods) with labels (version:v3). \n {{<tabset category-name=\"example\">}} {{<tab name=\"v1alpha3\" category-value=\"v1alpha3\">}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: bookinfo-ratings spec: host: ratings.prod.svc.cluster.local trafficPolicy: loadBalancer: simple: LEAST_CONN subsets: - name: testversion labels: version: v3 trafficPolicy: loadBalancer: simple: ROUND_ROBIN ``` {{</tab>}} \n {{<tab name=\"v1beta1\" category-value=\"v1beta1\">}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: bookinfo-ratings spec: host: ratings.prod.svc.cluster.local trafficPolicy: loadBalancer: simple: LEAST_CONN subsets: - name: testversion labels: version: v3 trafficPolicy: loadBalancer: simple: ROUND_ROBIN ``` {{</tab>}} {{</tabset>}} \n **Note:** Policies specified for subsets will not take effect until a route rule explicitly sends traffic to this subset. \n One or more labels are typically required to identify the subset destination, however, when the corresponding DestinationRule represents a host that supports multiple SNI hosts (e.g., an egress gateway), a subset without labels may be meaningful. In this case a traffic policy with [ClientTLSSettings](#ClientTLSSettings) can be used to identify a specific SNI host corresponding to the named subset."
properties:
labels:
additionalProperties:
type: string
description: Labels apply a filter over the endpoints of a service in the service registry. See route rules for examples of usage.
type: object
name:
description: Name of the subset. The service name and the subset name can be used for traffic splitting in a route rule.
type: string
traffic_policy:
description: Traffic policies that apply to this subset. Subsets inherit the traffic policies specified at the DestinationRule level. Settings specified at the subset level will override the corresponding settings specified at the DestinationRule level.
properties:
connection_pool:
description: Settings controlling the volume of connections to an upstream service
properties:
http:
description: HTTP connection pool settings.
properties:
h2_upgrade_policy:
description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.
format: int32
type: integer
http1_max_pending_requests:
description: Maximum number of pending HTTP requests to a destination. Default 2^32-1.
format: int32
type: integer
http2_max_requests:
description: Maximum number of requests to a backend. Default 2^32-1.
format: int32
type: integer
idle_timeout:
description: The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. If not set, the default is 1 hour. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_requests_per_connection:
description: Maximum number of requests per connection to a backend. Setting this parameter to 1 disables keep alive. Default 0, meaning "unlimited", up to 2^29.
format: int32
type: integer
max_retries:
description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. Defaults to 2^32-1.
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP upstream connections.
properties:
connect_timeout:
description: 'TCP connection timeout. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_connections:
description: Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.
format: int32
type: integer
tcp_keepalive:
description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
probes:
description: Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)
format: int32
type: integer
time:
description: The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
type: object
type: object
type: object
load_balancer:
description: Settings controlling the load balancer algorithms.
properties:
locality_lb_setting:
description: Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed between this object and the object one in MeshConfig
properties:
distribute:
description: 'Optional: only one of distribute or failover can be set. Explicitly specify loadbalancing weight across different zones and geographical locations. Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) If empty, the locality weight is set according to the endpoints number within it.'
items:
description: 'Describes how traffic originating in the ''from'' zone or sub-zone is distributed over a set of ''to'' zones. Syntax for specifying a zone is {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any segment of the specification. Examples: * - matches all localities us-west/* - all zones and sub-zones within the us-west region us-west/zone-1/* - all sub-zones within us-west/zone-1'
properties:
from:
description: Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.
type: string
to:
additionalProperties:
format: int32
type: integer
description: Map of upstream localities to traffic distribution weights. The sum of all weights should be == 100. Any locality not assigned a weight will receive no traffic.
type: object
type: object
type: array
enabled:
description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.
properties:
value:
description: The bool value.
type: boolean
type: object
failover:
description: 'Optional: only failover or distribute can be set. Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.'
items:
description: Specify the traffic failover policy across regions. Since zone and sub-zone failover is supported by default this only needs to be specified for regions when the operator needs to constrain traffic failover so that the default behavior of failing over to any endpoint globally does not apply. This is useful when failing over traffic across regions would not improve service health or may need to be restricted for other reasons like regulatory controls.
properties:
from:
description: Originating region.
type: string
to:
description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.
type: string
type: object
type: array
type: object
type: object
outlier_detection:
description: Settings controlling eviction of unhealthy hosts from the load balancing pool
properties:
base_ejection_time:
description: 'Minimum ejection duration. A host will remain ejected for a period equal to the product of minimum ejection duration and the number of times the host has been ejected. This technique allows the system to automatically increase the ejection period for unhealthy upstream servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
consecutive_5xx_errors:
description: "Number of 5xx errors before a host is ejected from the connection pool. When the upstream host is accessed over an opaque TCP connection, connect timeouts, connection error/failure and request failure events qualify as a 5xx error. This feature defaults to 5 but can be disabled by setting the value to 0. \n Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together. Because the errors counted by consecutive_gateway_errors are also included in consecutive_5xx_errors, if the value of consecutive_gateway_errors is greater than or equal to the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect."
properties:
value:
description: The uint32 value.
format: int32
type: integer
type: object
consecutive_errors:
description: Number of errors before a host is ejected from the connection pool. Defaults to 5. When the upstream host is accessed over HTTP, a 502, 503, or 504 return code qualifies as an error. When the upstream host is accessed over an opaque TCP connection, connect timeouts and connection error/failure events qualify as an error. $hide_from_docs
format: int32
type: integer
consecutive_gateway_errors:
description: "Number of gateway errors before a host is ejected from the connection pool. When the upstream host is accessed over HTTP, a 502, 503, or 504 return code qualifies as a gateway error. When the upstream host is accessed over an opaque TCP connection, connect timeouts and connection error/failure events qualify as a gateway error. This feature is disabled by default or when set to the value 0. \n Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together. Because the errors counted by consecutive_gateway_errors are also included in consecutive_5xx_errors, if the value of consecutive_gateway_errors is greater than or equal to the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect."
properties:
value:
description: The uint32 value.
format: int32
type: integer
type: object
interval:
description: 'Time interval between ejection sweep analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_ejection_percent:
description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. Defaults to 10%.
format: int32
type: integer
min_health_percent:
description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. When the percentage of healthy hosts in the load balancing pool drops below this threshold, outlier detection will be disabled and the proxy will load balance across all hosts in the pool (healthy and unhealthy). The threshold can be disabled by setting it to 0%. The default is 0% as it's not typically applicable in k8s environments with few pods per service.
format: int32
type: integer
type: object
port_level_settings:
description: Traffic policies specific to individual ports. Note that port level settings will override the destination-level settings. Traffic settings specified at the destination-level will not be inherited when overridden by port-level settings, i.e. default values will be applied to fields omitted in port-level traffic policies.
items:
description: Traffic policies that apply to specific ports of the service
properties:
connection_pool:
description: Settings controlling the volume of connections to an upstream service
properties:
http:
description: HTTP connection pool settings.
properties:
h2_upgrade_policy:
description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.
format: int32
type: integer
http1_max_pending_requests:
description: Maximum number of pending HTTP requests to a destination. Default 2^32-1.
format: int32
type: integer
http2_max_requests:
description: Maximum number of requests to a backend. Default 2^32-1.
format: int32
type: integer
idle_timeout:
description: The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. If not set, the default is 1 hour. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_requests_per_connection:
description: Maximum number of requests per connection to a backend. Setting this parameter to 1 disables keep alive. Default 0, meaning "unlimited", up to 2^29.
format: int32
type: integer
max_retries:
description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. Defaults to 2^32-1.
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP upstream connections.
properties:
connect_timeout:
description: 'TCP connection timeout. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_connections:
description: Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.
format: int32
type: integer
tcp_keepalive:
description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
probes:
description: Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)
format: int32
type: integer
time:
description: The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
type: object
type: object
type: object
load_balancer:
description: Settings controlling the load balancer algorithms.
properties:
locality_lb_setting:
description: Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed between this object and the object one in MeshConfig
properties:
distribute:
description: 'Optional: only one of distribute or failover can be set. Explicitly specify loadbalancing weight across different zones and geographical locations. Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) If empty, the locality weight is set according to the endpoints number within it.'
items:
description: 'Describes how traffic originating in the ''from'' zone or sub-zone is distributed over a set of ''to'' zones. Syntax for specifying a zone is {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any segment of the specification. Examples: * - matches all localities us-west/* - all zones and sub-zones within the us-west region us-west/zone-1/* - all sub-zones within us-west/zone-1'
properties:
from:
description: Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.
type: string
to:
additionalProperties:
format: int32
type: integer
description: Map of upstream localities to traffic distribution weights. The sum of all weights should be == 100. Any locality not assigned a weight will receive no traffic.
type: object
type: object
type: array
enabled:
description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.
properties:
value:
description: The bool value.
type: boolean
type: object
failover:
description: 'Optional: only failover or distribute can be set. Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.'
items:
description: Specify the traffic failover policy across regions. Since zone and sub-zone failover is supported by default this only needs to be specified for regions when the operator needs to constrain traffic failover so that the default behavior of failing over to any endpoint globally does not apply. This is useful when failing over traffic across regions would not improve service health or may need to be restricted for other reasons like regulatory controls.
properties:
from:
description: Originating region.
type: string
to:
description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.
type: string
type: object
type: array
type: object
type: object
outlier_detection:
description: Settings controlling eviction of unhealthy hosts from the load balancing pool
properties:
base_ejection_time:
description: 'Minimum ejection duration. A host will remain ejected for a period equal to the product of minimum ejection duration and the number of times the host has been ejected. This technique allows the system to automatically increase the ejection period for unhealthy upstream servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
consecutive_5xx_errors:
description: "Number of 5xx errors before a host is ejected from the connection pool. When the upstream host is accessed over an opaque TCP connection, connect timeouts, connection error/failure and request failure events qualify as a 5xx error. This feature defaults to 5 but can be disabled by setting the value to 0. \n Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together. Because the errors counted by consecutive_gateway_errors are also included in consecutive_5xx_errors, if the value of consecutive_gateway_errors is greater than or equal to the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect."
properties:
value:
description: The uint32 value.
format: int32
type: integer
type: object
consecutive_errors:
description: Number of errors before a host is ejected from the connection pool. Defaults to 5. When the upstream host is accessed over HTTP, a 502, 503, or 504 return code qualifies as an error. When the upstream host is accessed over an opaque TCP connection, connect timeouts and connection error/failure events qualify as an error. $hide_from_docs
format: int32
type: integer
consecutive_gateway_errors:
description: "Number of gateway errors before a host is ejected from the connection pool. When the upstream host is accessed over HTTP, a 502, 503, or 504 return code qualifies as a gateway error. When the upstream host is accessed over an opaque TCP connection, connect timeouts and connection error/failure events qualify as a gateway error. This feature is disabled by default or when set to the value 0. \n Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together. Because the errors counted by consecutive_gateway_errors are also included in consecutive_5xx_errors, if the value of consecutive_gateway_errors is greater than or equal to the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect."
properties:
value:
description: The uint32 value.
format: int32
type: integer
type: object
interval:
description: 'Time interval between ejection sweep analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_ejection_percent:
description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. Defaults to 10%.
format: int32
type: integer
min_health_percent:
description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. When the percentage of healthy hosts in the load balancing pool drops below this threshold, outlier detection will be disabled and the proxy will load balance across all hosts in the pool (healthy and unhealthy). The threshold can be disabled by setting it to 0%. The default is 0% as it's not typically applicable in k8s environments with few pods per service.
format: int32
type: integer
type: object
port:
description: Specifies the number of a port on the destination service on which this policy is being applied.
properties:
number:
description: Valid port number
format: int32
type: integer
type: object
tls:
description: TLS related settings for connections to the upstream service.
properties:
ca_certificates:
description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will not verify the server''s certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
type: string
client_certificate:
description: REQUIRED if mode is `MUTUAL`. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is `ISTIO_MUTUAL`.
type: string
mode:
description: Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.
format: int32
type: integer
private_key:
description: REQUIRED if mode is `MUTUAL`. The path to the file holding the client's private key. Should be empty if mode is `ISTIO_MUTUAL`.
type: string
sni:
description: SNI string to present to the server during TLS handshake.
type: string
subject_alt_names:
description: A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry.
items:
type: string
type: array
type: object
type: object
type: array
tls:
description: TLS related settings for connections to the upstream service.
properties:
ca_certificates:
description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will not verify the server''s certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
type: string
client_certificate:
description: REQUIRED if mode is `MUTUAL`. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is `ISTIO_MUTUAL`.
type: string
mode:
description: Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.
format: int32
type: integer
private_key:
description: REQUIRED if mode is `MUTUAL`. The path to the file holding the client's private key. Should be empty if mode is `ISTIO_MUTUAL`.
type: string
sni:
description: SNI string to present to the server during TLS handshake.
type: string
subject_alt_names:
description: A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry.
items:
type: string
type: array
type: object
type: object
type: object
type: array
traffic_policy:
description: Traffic policies to apply (load balancing policy, connection pool sizes, outlier detection).
properties:
connection_pool:
description: Settings controlling the volume of connections to an upstream service
properties:
http:
description: HTTP connection pool settings.
properties:
h2_upgrade_policy:
description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.
format: int32
type: integer
http1_max_pending_requests:
description: Maximum number of pending HTTP requests to a destination. Default 2^32-1.
format: int32
type: integer
http2_max_requests:
description: Maximum number of requests to a backend. Default 2^32-1.
format: int32
type: integer
idle_timeout:
description: The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. If not set, the default is 1 hour. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_requests_per_connection:
description: Maximum number of requests per connection to a backend. Setting this parameter to 1 disables keep alive. Default 0, meaning "unlimited", up to 2^29.
format: int32
type: integer
max_retries:
description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. Defaults to 2^32-1.
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP upstream connections.
properties:
connect_timeout:
description: 'TCP connection timeout. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_connections:
description: Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.
format: int32
type: integer
tcp_keepalive:
description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
probes:
description: Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)
format: int32
type: integer
time:
description: The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
type: object
type: object
type: object
load_balancer:
description: Settings controlling the load balancer algorithms.
properties:
locality_lb_setting:
description: Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed between this object and the object one in MeshConfig
properties:
distribute:
description: 'Optional: only one of distribute or failover can be set. Explicitly specify loadbalancing weight across different zones and geographical locations. Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) If empty, the locality weight is set according to the endpoints number within it.'
items:
description: 'Describes how traffic originating in the ''from'' zone or sub-zone is distributed over a set of ''to'' zones. Syntax for specifying a zone is {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any segment of the specification. Examples: * - matches all localities us-west/* - all zones and sub-zones within the us-west region us-west/zone-1/* - all sub-zones within us-west/zone-1'
properties:
from:
description: Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.
type: string
to:
additionalProperties:
format: int32
type: integer
description: Map of upstream localities to traffic distribution weights. The sum of all weights should be == 100. Any locality not assigned a weight will receive no traffic.
type: object
type: object
type: array
enabled:
description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.
properties:
value:
description: The bool value.
type: boolean
type: object
failover:
description: 'Optional: only failover or distribute can be set. Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.'
items:
description: Specify the traffic failover policy across regions. Since zone and sub-zone failover is supported by default this only needs to be specified for regions when the operator needs to constrain traffic failover so that the default behavior of failing over to any endpoint globally does not apply. This is useful when failing over traffic across regions would not improve service health or may need to be restricted for other reasons like regulatory controls.
properties:
from:
description: Originating region.
type: string
to:
description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.
type: string
type: object
type: array
type: object
type: object
outlier_detection:
description: Settings controlling eviction of unhealthy hosts from the load balancing pool
properties:
base_ejection_time:
description: 'Minimum ejection duration. A host will remain ejected for a period equal to the product of minimum ejection duration and the number of times the host has been ejected. This technique allows the system to automatically increase the ejection period for unhealthy upstream servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
consecutive_5xx_errors:
description: "Number of 5xx errors before a host is ejected from the connection pool. When the upstream host is accessed over an opaque TCP connection, connect timeouts, connection error/failure and request failure events qualify as a 5xx error. This feature defaults to 5 but can be disabled by setting the value to 0. \n Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together. Because the errors counted by consecutive_gateway_errors are also included in consecutive_5xx_errors, if the value of consecutive_gateway_errors is greater than or equal to the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect."
properties:
value:
description: The uint32 value.
format: int32
type: integer
type: object
consecutive_errors:
description: Number of errors before a host is ejected from the connection pool. Defaults to 5. When the upstream host is accessed over HTTP, a 502, 503, or 504 return code qualifies as an error. When the upstream host is accessed over an opaque TCP connection, connect timeouts and connection error/failure events qualify as an error. $hide_from_docs
format: int32
type: integer
consecutive_gateway_errors:
description: "Number of gateway errors before a host is ejected from the connection pool. When the upstream host is accessed over HTTP, a 502, 503, or 504 return code qualifies as a gateway error. When the upstream host is accessed over an opaque TCP connection, connect timeouts and connection error/failure events qualify as a gateway error. This feature is disabled by default or when set to the value 0. \n Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together. Because the errors counted by consecutive_gateway_errors are also included in consecutive_5xx_errors, if the value of consecutive_gateway_errors is greater than or equal to the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect."
properties:
value:
description: The uint32 value.
format: int32
type: integer
type: object
interval:
description: 'Time interval between ejection sweep analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_ejection_percent:
description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. Defaults to 10%.
format: int32
type: integer
min_health_percent:
description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. When the percentage of healthy hosts in the load balancing pool drops below this threshold, outlier detection will be disabled and the proxy will load balance across all hosts in the pool (healthy and unhealthy). The threshold can be disabled by setting it to 0%. The default is 0% as it's not typically applicable in k8s environments with few pods per service.
format: int32
type: integer
type: object
port_level_settings:
description: Traffic policies specific to individual ports. Note that port level settings will override the destination-level settings. Traffic settings specified at the destination-level will not be inherited when overridden by port-level settings, i.e. default values will be applied to fields omitted in port-level traffic policies.
items:
description: Traffic policies that apply to specific ports of the service
properties:
connection_pool:
description: Settings controlling the volume of connections to an upstream service
properties:
http:
description: HTTP connection pool settings.
properties:
h2_upgrade_policy:
description: Specify if http1.1 connection should be upgraded to http2 for the associated destination.
format: int32
type: integer
http1_max_pending_requests:
description: Maximum number of pending HTTP requests to a destination. Default 2^32-1.
format: int32
type: integer
http2_max_requests:
description: Maximum number of requests to a backend. Default 2^32-1.
format: int32
type: integer
idle_timeout:
description: The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. If not set, the default is 1 hour. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_requests_per_connection:
description: Maximum number of requests per connection to a backend. Setting this parameter to 1 disables keep alive. Default 0, meaning "unlimited", up to 2^29.
format: int32
type: integer
max_retries:
description: Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. Defaults to 2^32-1.
format: int32
type: integer
type: object
tcp:
description: Settings common to both HTTP and TCP upstream connections.
properties:
connect_timeout:
description: 'TCP connection timeout. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_connections:
description: Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.
format: int32
type: integer
tcp_keepalive:
description: If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
properties:
interval:
description: The time duration between keep-alive probes. Default is to use the OS level configuration (unless overridden, Linux defaults to 75s.)
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
probes:
description: Maximum number of keepalive probes to send without response before deciding the connection is dead. Default is to use the OS level configuration (unless overridden, Linux defaults to 9.)
format: int32
type: integer
time:
description: The time duration a connection needs to be idle before keep-alive probes start being sent. Default is to use the OS level configuration (unless overridden, Linux defaults to 7200s (ie 2 hours.)
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
type: object
type: object
type: object
load_balancer:
description: Settings controlling the load balancer algorithms.
properties:
locality_lb_setting:
description: Locality load balancer settings, this will override mesh wide settings in entirety, meaning no merging would be performed between this object and the object one in MeshConfig
properties:
distribute:
description: 'Optional: only one of distribute or failover can be set. Explicitly specify loadbalancing weight across different zones and geographical locations. Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight) If empty, the locality weight is set according to the endpoints number within it.'
items:
description: 'Describes how traffic originating in the ''from'' zone or sub-zone is distributed over a set of ''to'' zones. Syntax for specifying a zone is {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any segment of the specification. Examples: * - matches all localities us-west/* - all zones and sub-zones within the us-west region us-west/zone-1/* - all sub-zones within us-west/zone-1'
properties:
from:
description: Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.
type: string
to:
additionalProperties:
format: int32
type: integer
description: Map of upstream localities to traffic distribution weights. The sum of all weights should be == 100. Any locality not assigned a weight will receive no traffic.
type: object
type: object
type: array
enabled:
description: enable locality load balancing, this is DestinationRule-level and will override mesh wide settings in entirety. e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh wide settings is.
properties:
value:
description: The bool value.
type: boolean
type: object
failover:
description: 'Optional: only failover or distribute can be set. Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy. Should be used together with OutlierDetection to detect unhealthy endpoints. Note: if no OutlierDetection specified, this will not take effect.'
items:
description: Specify the traffic failover policy across regions. Since zone and sub-zone failover is supported by default this only needs to be specified for regions when the operator needs to constrain traffic failover so that the default behavior of failing over to any endpoint globally does not apply. This is useful when failing over traffic across regions would not improve service health or may need to be restricted for other reasons like regulatory controls.
properties:
from:
description: Originating region.
type: string
to:
description: Destination region the traffic will fail over to when endpoints in the 'from' region becomes unhealthy.
type: string
type: object
type: array
type: object
type: object
outlier_detection:
description: Settings controlling eviction of unhealthy hosts from the load balancing pool
properties:
base_ejection_time:
description: 'Minimum ejection duration. A host will remain ejected for a period equal to the product of minimum ejection duration and the number of times the host has been ejected. This technique allows the system to automatically increase the ejection period for unhealthy upstream servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
consecutive_5xx_errors:
description: "Number of 5xx errors before a host is ejected from the connection pool. When the upstream host is accessed over an opaque TCP connection, connect timeouts, connection error/failure and request failure events qualify as a 5xx error. This feature defaults to 5 but can be disabled by setting the value to 0. \n Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together. Because the errors counted by consecutive_gateway_errors are also included in consecutive_5xx_errors, if the value of consecutive_gateway_errors is greater than or equal to the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect."
properties:
value:
description: The uint32 value.
format: int32
type: integer
type: object
consecutive_errors:
description: Number of errors before a host is ejected from the connection pool. Defaults to 5. When the upstream host is accessed over HTTP, a 502, 503, or 504 return code qualifies as an error. When the upstream host is accessed over an opaque TCP connection, connect timeouts and connection error/failure events qualify as an error. $hide_from_docs
format: int32
type: integer
consecutive_gateway_errors:
description: "Number of gateway errors before a host is ejected from the connection pool. When the upstream host is accessed over HTTP, a 502, 503, or 504 return code qualifies as a gateway error. When the upstream host is accessed over an opaque TCP connection, connect timeouts and connection error/failure events qualify as a gateway error. This feature is disabled by default or when set to the value 0. \n Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together. Because the errors counted by consecutive_gateway_errors are also included in consecutive_5xx_errors, if the value of consecutive_gateway_errors is greater than or equal to the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect."
properties:
value:
description: The uint32 value.
format: int32
type: integer
type: object
interval:
description: 'Time interval between ejection sweep analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
max_ejection_percent:
description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. Defaults to 10%.
format: int32
type: integer
min_health_percent:
description: Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. When the percentage of healthy hosts in the load balancing pool drops below this threshold, outlier detection will be disabled and the proxy will load balance across all hosts in the pool (healthy and unhealthy). The threshold can be disabled by setting it to 0%. The default is 0% as it's not typically applicable in k8s environments with few pods per service.
format: int32
type: integer
type: object
port:
description: Specifies the number of a port on the destination service on which this policy is being applied.
properties:
number:
description: Valid port number
format: int32
type: integer
type: object
tls:
description: TLS related settings for connections to the upstream service.
properties:
ca_certificates:
description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will not verify the server''s certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
type: string
client_certificate:
description: REQUIRED if mode is `MUTUAL`. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is `ISTIO_MUTUAL`.
type: string
mode:
description: Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.
format: int32
type: integer
private_key:
description: REQUIRED if mode is `MUTUAL`. The path to the file holding the client's private key. Should be empty if mode is `ISTIO_MUTUAL`.
type: string
sni:
description: SNI string to present to the server during TLS handshake.
type: string
subject_alt_names:
description: A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry.
items:
type: string
type: array
type: object
type: object
type: array
tls:
description: TLS related settings for connections to the upstream service.
properties:
ca_certificates:
description: 'OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will not verify the server''s certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
type: string
client_certificate:
description: REQUIRED if mode is `MUTUAL`. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is `ISTIO_MUTUAL`.
type: string
mode:
description: Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.
format: int32
type: integer
private_key:
description: REQUIRED if mode is `MUTUAL`. The path to the file holding the client's private key. Should be empty if mode is `ISTIO_MUTUAL`.
type: string
sni:
description: SNI string to present to the server during TLS handshake.
type: string
subject_alt_names:
description: A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry.
items:
type: string
type: array
type: object
type: object
type: object
type: object
type: object

522
config/crds/servicemesh.kubesphere.io_strategies.yaml generated
View File

@@ -92,6 +92,528 @@ spec:
type: object
spec:
description: Spec indicates the behavior of a virtual service.
properties:
export_to:
description: "A list of namespaces to which this virtual service is exported. Exporting a virtual service allows it to be used by sidecars and gateways defined in other namespaces. This feature provides a mechanism for service owners and mesh administrators to control the visibility of virtual services across namespace boundaries. \n If no namespaces are specified then the virtual service is exported to all namespaces by default. \n The value \".\" is reserved and defines an export to the same namespace that the virtual service is declared in. Similarly the value \"*\" is reserved and defines an export to all namespaces. \n NOTE: in the current release, the `exportTo` value is restricted to \".\" or \"*\" (i.e., the current namespace or all namespaces)."
items:
type: string
type: array
gateways:
description: The names of gateways and sidecars that should apply these routes. Gateways in other namespaces may be referred to by `<gateway namespace>/<gateway name>`; specifying a gateway with no namespace qualifier is the same as specifying the VirtualService's namespace. A single VirtualService is used for sidecars inside the mesh as well as for one or more gateways. The selection condition imposed by this field can be overridden using the source field in the match conditions of protocol-specific routes. The reserved word `mesh` is used to imply all the sidecars in the mesh. When this field is omitted, the default gateway (`mesh`) will be used, which would apply the rule to all sidecars in the mesh. If a list of gateway names is provided, the rules will apply only to the gateways. To apply the rules to both gateways and sidecars, specify `mesh` as one of the gateway names.
items:
type: string
type: array
hosts:
description: "The destination hosts to which traffic is being sent. Could be a DNS name with wildcard prefix or an IP address. Depending on the platform, short-names can also be used instead of a FQDN (i.e. has no dots in the name). In such a scenario, the FQDN of the host would be derived based on the underlying platform. \n A single VirtualService can be used to describe all the traffic properties of the corresponding hosts, including those for multiple HTTP and TCP ports. Alternatively, the traffic properties of a host can be defined using more than one VirtualService, with certain caveats. Refer to the [Operations Guide](https://istio.io/docs/ops/best-practices/traffic-management/#split-virtual-services) for details. \n *Note for Kubernetes users*: When short names are used (e.g. \"reviews\" instead of \"reviews.default.svc.cluster.local\"), Istio will interpret the short name based on the namespace of the rule, not the service. A rule in the \"default\" namespace containing a host \"reviews\" will be interpreted as \"reviews.default.svc.cluster.local\", irrespective of the actual namespace associated with the reviews service. _To avoid potential misconfigurations, it is recommended to always use fully qualified domain names over short names._ \n The hosts field applies to both HTTP and TCP services. Service inside the mesh, i.e., those found in the service registry, must always be referred to using their alphanumeric names. IP addresses are allowed only for services defined via the Gateway. \n *Note*: It must be empty for a delegate VirtualService."
items:
type: string
type: array
http:
description: An ordered list of route rules for HTTP traffic. HTTP routes will be applied to platform service ports named 'http-*'/'http2-*'/'grpc-*', gateway ports with protocol HTTP/HTTP2/GRPC/ TLS-terminated-HTTPS and service entry ports using HTTP/HTTP2/GRPC protocols. The first rule matching an incoming request is used.
items:
description: Describes match conditions and actions for routing HTTP/1.1, HTTP2, and gRPC traffic. See VirtualService for usage examples.
properties:
cors_policy:
description: Cross-Origin Resource Sharing policy (CORS). Refer to [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS) for further details about cross origin resource sharing.
properties:
allow_credentials:
description: Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. Translates to `Access-Control-Allow-Credentials` header.
properties:
value:
description: The bool value.
type: boolean
type: object
allow_headers:
description: List of HTTP headers that can be used when requesting the resource. Serialized to Access-Control-Allow-Headers header.
items:
type: string
type: array
allow_methods:
description: List of HTTP methods allowed to access the resource. The content will be serialized into the Access-Control-Allow-Methods header.
items:
type: string
type: array
allow_origin:
description: The list of origins that are allowed to perform CORS requests. The content will be serialized into the Access-Control-Allow-Origin header. Wildcard * will allow all origins. $hide_from_docs
items:
type: string
type: array
allow_origins:
description: String patterns that match allowed origins. An origin is allowed if any of the string matchers match. If a match is found, then the outgoing Access-Control-Allow-Origin would be set to the origin as provided by the client.
items:
description: Describes how to match a given string in HTTP headers. Match is case-sensitive.
type: object
type: array
expose_headers:
description: A white list of HTTP headers that the browsers are allowed to access. Serialized into Access-Control-Expose-Headers header.
items:
type: string
type: array
max_age:
description: Specifies how long the results of a preflight request can be cached. Translates to the `Access-Control-Max-Age` header.
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
type: object
delegate:
description: 'Delegate is used to specify the particular VirtualService which can be used to define delegate HTTPRoute. It can be set only when `Route` and `Redirect` are empty, and the route rules of the delegate VirtualService will be merged with that in the current one. **NOTE**: 1. Only one level delegation is supported. 2. The delegate''s HTTPMatchRequest must be a strict subset of the root''s, otherwise there is a conflict and the HTTPRoute will not take effect.'
properties:
name:
description: Name specifies the name of the delegate VirtualService.
type: string
namespace:
description: Namespace specifies the namespace where the delegate VirtualService resides. By default, it is same to the root's.
type: string
type: object
fault:
description: Fault injection policy to apply on HTTP traffic at the client side. Note that timeouts or retries will not be enabled when faults are enabled on the client side.
properties:
abort:
description: Abort Http request attempts and return error codes back to downstream service, giving the impression that the upstream service is faulty.
properties:
percentage:
description: Percentage of requests to be aborted with the error code provided.
properties:
value:
type: number
type: object
type: object
delay:
description: Delay requests before forwarding, emulating various failures such as network issues, overloaded upstream service, etc.
properties:
percent:
description: Percentage of requests on which the delay will be injected (0-100). Use of integer `percent` value is deprecated. Use the double `percentage` field instead.
format: int32
type: integer
percentage:
description: Percentage of requests on which the delay will be injected.
properties:
value:
type: number
type: object
type: object
type: object
headers:
description: Header manipulation rules
properties:
request:
description: Header manipulation rules to apply before forwarding a request to the destination service
properties:
add:
additionalProperties:
type: string
description: Append the given values to the headers specified by keys (will create a comma-separated list of values)
type: object
remove:
description: Remove a the specified headers
items:
type: string
type: array
set:
additionalProperties:
type: string
description: Overwrite the headers specified by key with the given values
type: object
type: object
response:
description: Header manipulation rules to apply before returning a response to the caller
properties:
add:
additionalProperties:
type: string
description: Append the given values to the headers specified by keys (will create a comma-separated list of values)
type: object
remove:
description: Remove a the specified headers
items:
type: string
type: array
set:
additionalProperties:
type: string
description: Overwrite the headers specified by key with the given values
type: object
type: object
type: object
match:
description: Match conditions to be satisfied for the rule to be activated. All conditions inside a single match block have AND semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.
items:
description: "HttpMatchRequest specifies a set of criterion to be met in order for the rule to be applied to the HTTP request. For example, the following restricts the rule to match only requests where the URL path starts with /ratings/v2/ and the request contains a custom `end-user` header with value `jason`. \n {{<tabset category-name=\"example\">}} {{<tab name=\"v1alpha3\" category-value=\"v1alpha3\">}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: ratings-route spec: hosts: - ratings.prod.svc.cluster.local http: - match: - headers: end-user: exact: jason uri: prefix: \"/ratings/v2/\" ignoreUriCase: true route: - destination: host: ratings.prod.svc.cluster.local ``` {{</tab>}} \n {{<tab name=\"v1beta1\" category-value=\"v1beta1\">}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: ratings-route spec: hosts: - ratings.prod.svc.cluster.local http: - match: - headers: end-user: exact: jason uri: prefix: \"/ratings/v2/\" ignoreUriCase: true route: - destination: host: ratings.prod.svc.cluster.local ``` {{</tab>}} {{</tabset>}} \n HTTPMatchRequest CANNOT be empty. **Note:** No regex string match can be set when delegate VirtualService is specified."
properties:
authority:
description: "HTTP Authority values are case-sensitive and formatted as follows: \n - `exact: \"value\"` for exact string match \n - `prefix: \"value\"` for prefix-based match \n - `regex: \"value\"` for ECMAscript style regex-based match"
type: object
gateways:
description: Names of gateways where the rule should be applied. Gateway names in the top-level `gateways` field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.
items:
type: string
type: array
headers:
additionalProperties:
description: Describes how to match a given string in HTTP headers. Match is case-sensitive.
type: object
description: "The header keys must be lowercase and use hyphen as the separator, e.g. _x-request-id_. \n Header values are case-sensitive and formatted as follows: \n - `exact: \"value\"` for exact string match \n - `prefix: \"value\"` for prefix-based match \n - `regex: \"value\"` for ECMAscript style regex-based match \n If the value is empty and only the name of header is specfied, presence of the header is checked. **Note:** The keys `uri`, `scheme`, `method`, and `authority` will be ignored."
type: object
ignore_uri_case:
description: "Flag to specify whether the URI matching should be case-insensitive. \n **Note:** The case will be ignored only in the case of `exact` and `prefix` URI matches."
type: boolean
method:
description: "HTTP Method values are case-sensitive and formatted as follows: \n - `exact: \"value\"` for exact string match \n - `prefix: \"value\"` for prefix-based match \n - `regex: \"value\"` for ECMAscript style regex-based match"
type: object
name:
description: The name assigned to a match. The match's name will be concatenated with the parent route's name and will be logged in the access logs for requests matching this route.
type: string
port:
description: Specifies the ports on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.
format: int32
type: integer
query_params:
additionalProperties:
description: Describes how to match a given string in HTTP headers. Match is case-sensitive.
type: object
description: "Query parameters for matching. \n Ex: - For a query parameter like \"?key=true\", the map key would be \"key\" and the string match could be defined as `exact: \"true\"`. - For a query parameter like \"?key\", the map key would be \"key\" and the string match could be defined as `exact: \"\"`. - For a query parameter like \"?key=123\", the map key would be \"key\" and the string match could be defined as `regex: \"\\d+$\"`. Note that this configuration will only match values like \"123\" but not \"a123\" or \"123a\". \n **Note:** `prefix` matching is currently not supported."
type: object
scheme:
description: "URI Scheme values are case-sensitive and formatted as follows: \n - `exact: \"value\"` for exact string match \n - `prefix: \"value\"` for prefix-based match \n - `regex: \"value\"` for ECMAscript style regex-based match"
type: object
source_labels:
additionalProperties:
type: string
description: One or more labels that constrain the applicability of a rule to workloads with the given labels. If the VirtualService has a list of gateways specified in the top-level `gateways` field, it must include the reserved gateway `mesh` for this field to be applicable.
type: object
source_namespace:
description: Source namespace constraining the applicability of a rule to workloads in that namespace. If the VirtualService has a list of gateways specified in the top-level `gateways` field, it must include the reserved gateway `mesh` for this field to be applicable.
type: string
uri:
description: "URI to match values are case-sensitive and formatted as follows: \n - `exact: \"value\"` for exact string match \n - `prefix: \"value\"` for prefix-based match \n - `regex: \"value\"` for ECMAscript style regex-based match \n **Note:** Case-insensitive matching could be enabled via the `ignore_uri_case` flag."
type: object
without_headers:
additionalProperties:
description: Describes how to match a given string in HTTP headers. Match is case-sensitive.
type: object
description: withoutHeader has the same syntax with the header, but has opposite meaning. If a header is matched with a matching rule among withoutHeader, the traffic becomes not matched one.
type: object
type: object
type: array
mirror:
description: Mirror HTTP traffic to a another destination in addition to forwarding the requests to the intended destination. Mirrored traffic is on a best effort basis where the sidecar/gateway will not wait for the mirrored cluster to respond before returning the response from the original destination. Statistics will be generated for the mirrored destination.
properties:
host:
description: "The name of a service from the service registry. Service names are looked up from the platform's service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by [ServiceEntry](https://istio.io/docs/reference/config/networking/service-entry/#ServiceEntry). Traffic forwarded to destinations that are not found in either of the two, will be dropped. \n *Note for Kubernetes users*: When short names are used (e.g. \"reviews\" instead of \"reviews.default.svc.cluster.local\"), Istio will interpret the short name based on the namespace of the rule, not the service. A rule in the \"default\" namespace containing a host \"reviews will be interpreted as \"reviews.default.svc.cluster.local\", irrespective of the actual namespace associated with the reviews service. To avoid potential misconfiguration, it is recommended to always use fully qualified domain names over short names."
type: string
port:
description: Specifies the port on the host that is being addressed. If a service exposes only a single port it is not required to explicitly select the port.
properties:
number:
description: Valid port number
format: int32
type: integer
type: object
subset:
description: The name of a subset within the service. Applicable only to services within the mesh. The subset must be defined in a corresponding DestinationRule.
type: string
type: object
mirror_percent:
description: Percentage of the traffic to be mirrored by the `mirror` field. Use of integer `mirror_percent` value is deprecated. Use the double `mirror_percentage` field instead
properties:
value:
description: The uint32 value.
format: int32
type: integer
type: object
mirror_percentage:
description: Percentage of the traffic to be mirrored by the `mirror` field. If this field is absent, all the traffic (100%) will be mirrored. Max value is 100.
properties:
value:
type: number
type: object
name:
description: The name assigned to the route for debugging purposes. The route's name will be concatenated with the match's name and will be logged in the access logs for requests matching this route/match.
type: string
redirect:
description: A HTTP rule can either redirect or forward (default) traffic. If traffic passthrough option is specified in the rule, route/redirect will be ignored. The redirect primitive can be used to send a HTTP 301 redirect to a different URI or Authority.
properties:
authority:
description: On a redirect, overwrite the Authority/Host portion of the URL with this value.
type: string
redirect_code:
description: On a redirect, Specifies the HTTP status code to use in the redirect response. The default response code is MOVED_PERMANENTLY (301).
format: int32
type: integer
uri:
description: On a redirect, overwrite the Path portion of the URL with this value. Note that the entire path will be replaced, irrespective of the request URI being matched as an exact path or prefix.
type: string
type: object
retries:
description: Retry policy for HTTP requests.
properties:
attempts:
description: Number of retries for a given request. The interval between retries will be determined automatically (25ms+). Actual number of retries attempted depends on the request `timeout` of the [HTTP route](https://istio.io/docs/reference/config/networking/virtual-service/#HTTPRoute).
format: int32
type: integer
per_try_timeout:
description: 'Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms.'
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
retry_on:
description: Specifies the conditions under which retry takes place. One or more policies can be specified using a , delimited list. See the [retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-on) and [gRPC retry policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#x-envoy-retry-grpc-on) for more details.
type: string
retry_remote_localities:
description: Flag to specify whether the retries should retry to other localities. See the [retry plugin configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/http/http_connection_management#retry-plugin-configuration) for more details.
properties:
value:
description: The bool value.
type: boolean
type: object
type: object
rewrite:
description: Rewrite HTTP URIs and Authority headers. Rewrite cannot be used with Redirect primitive. Rewrite will be performed before forwarding.
properties:
authority:
description: rewrite the Authority/Host header with this value.
type: string
uri:
description: rewrite the path (or the prefix) portion of the URI with this value. If the original URI was matched based on prefix, the value provided in this field will replace the corresponding matched prefix.
type: string
type: object
route:
description: A HTTP rule can either redirect or forward (default) traffic. The forwarding target can be one of several versions of a service (see glossary in beginning of document). Weights associated with the service version determine the proportion of traffic it receives.
items:
description: "Each routing rule is associated with one or more service versions (see glossary in beginning of document). Weights associated with the version determine the proportion of traffic it receives. For example, the following rule will route 25% of traffic for the \"reviews\" service to instances with the \"v2\" tag and the remaining traffic (i.e., 75%) to \"v1\". \n {{<tabset category-name=\"example\">}} {{<tab name=\"v1alpha3\" category-value=\"v1alpha3\">}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: reviews-route spec: hosts: - reviews.prod.svc.cluster.local http: - route: - destination: host: reviews.prod.svc.cluster.local subset: v2 weight: 25 - destination: host: reviews.prod.svc.cluster.local subset: v1 weight: 75 ``` {{</tab>}} \n {{<tab name=\"v1beta1\" category-value=\"v1beta1\">}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: reviews-route spec: hosts: - reviews.prod.svc.cluster.local http: - route: - destination: host: reviews.prod.svc.cluster.local subset: v2 weight: 25 - destination: host: reviews.prod.svc.cluster.local subset: v1 weight: 75 ``` {{</tab>}} {{</tabset>}} \n And the associated DestinationRule \n {{<tabset category-name=\"example\">}} {{<tab name=\"v1alpha3\" category-value=\"v1alpha3\">}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: DestinationRule metadata: name: reviews-destination spec: host: reviews.prod.svc.cluster.local subsets: - name: v1 labels: version: v1 - name: v2 labels: version: v2 ``` {{</tab>}} \n {{<tab name=\"v1beta1\" category-value=\"v1beta1\">}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: DestinationRule metadata: name: reviews-destination spec: host: reviews.prod.svc.cluster.local subsets: - name: v1 labels: version: v1 - name: v2 labels: version: v2 ``` {{</tab>}} {{</tabset>}} \n Traffic can also be split across two entirely different services without having to define new subsets. For example, the following rule forwards 25% of traffic to reviews.com to dev.reviews.com \n {{<tabset category-name=\"example\">}} {{<tab name=\"v1alpha3\" category-value=\"v1alpha3\">}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: reviews-route-two-domains spec: hosts: - reviews.com http: - route: - destination: host: dev.reviews.com weight: 25 - destination: host: reviews.com weight: 75 ``` {{</tab>}} \n {{<tab name=\"v1beta1\" category-value=\"v1beta1\">}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: reviews-route-two-domains spec: hosts: - reviews.com http: - route: - destination: host: dev.reviews.com weight: 25 - destination: host: reviews.com weight: 75 ``` {{</tab>}} {{</tabset>}}"
properties:
destination:
description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.
properties:
host:
description: "The name of a service from the service registry. Service names are looked up from the platform's service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by [ServiceEntry](https://istio.io/docs/reference/config/networking/service-entry/#ServiceEntry). Traffic forwarded to destinations that are not found in either of the two, will be dropped. \n *Note for Kubernetes users*: When short names are used (e.g. \"reviews\" instead of \"reviews.default.svc.cluster.local\"), Istio will interpret the short name based on the namespace of the rule, not the service. A rule in the \"default\" namespace containing a host \"reviews will be interpreted as \"reviews.default.svc.cluster.local\", irrespective of the actual namespace associated with the reviews service. To avoid potential misconfiguration, it is recommended to always use fully qualified domain names over short names."
type: string
port:
description: Specifies the port on the host that is being addressed. If a service exposes only a single port it is not required to explicitly select the port.
properties:
number:
description: Valid port number
format: int32
type: integer
type: object
subset:
description: The name of a subset within the service. Applicable only to services within the mesh. The subset must be defined in a corresponding DestinationRule.
type: string
type: object
headers:
description: Header manipulation rules
properties:
request:
description: Header manipulation rules to apply before forwarding a request to the destination service
properties:
add:
additionalProperties:
type: string
description: Append the given values to the headers specified by keys (will create a comma-separated list of values)
type: object
remove:
description: Remove a the specified headers
items:
type: string
type: array
set:
additionalProperties:
type: string
description: Overwrite the headers specified by key with the given values
type: object
type: object
response:
description: Header manipulation rules to apply before returning a response to the caller
properties:
add:
additionalProperties:
type: string
description: Append the given values to the headers specified by keys (will create a comma-separated list of values)
type: object
remove:
description: Remove a the specified headers
items:
type: string
type: array
set:
additionalProperties:
type: string
description: Overwrite the headers specified by key with the given values
type: object
type: object
type: object
weight:
description: The proportion of traffic to be forwarded to the service version. (0-100). Sum of weights across destinations SHOULD BE == 100. If there is only one destination in a rule, the weight value is assumed to be 100.
format: int32
type: integer
type: object
type: array
timeout:
description: Timeout for HTTP requests.
properties:
nanos:
description: Signed fractions of a second at nanosecond resolution of the span of time. Durations less than one second are represented with a 0 `seconds` field and a positive or negative `nanos` field. For durations of one second or more, a non-zero value for the `nanos` field must be of the same sign as the `seconds` field. Must be from -999,999,999 to +999,999,999 inclusive.
format: int32
type: integer
seconds:
description: 'Signed seconds of the span of time. Must be from -315,576,000,000 to +315,576,000,000 inclusive. Note: these bounds are computed from: 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years'
format: int64
type: integer
type: object
type: object
type: array
tcp:
description: An ordered list of route rules for opaque TCP traffic. TCP routes will be applied to any port that is not a HTTP or TLS port. The first rule matching an incoming request is used.
items:
description: "Describes match conditions and actions for routing TCP traffic. The following routing rule forwards traffic arriving at port 27017 for mongo.prod.svc.cluster.local to another Mongo server on port 5555. \n {{<tabset category-name=\"example\">}} {{<tab name=\"v1alpha3\" category-value=\"v1alpha3\">}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: bookinfo-Mongo spec: hosts: - mongo.prod.svc.cluster.local tcp: - match: - port: 27017 route: - destination: host: mongo.backup.svc.cluster.local port: number: 5555 ``` {{</tab>}} \n {{<tab name=\"v1beta1\" category-value=\"v1beta1\">}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: bookinfo-Mongo spec: hosts: - mongo.prod.svc.cluster.local tcp: - match: - port: 27017 route: - destination: host: mongo.backup.svc.cluster.local port: number: 5555 ``` {{</tab>}} {{</tabset>}}"
properties:
match:
description: Match conditions to be satisfied for the rule to be activated. All conditions inside a single match block have AND semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.
items:
description: L4 connection match attributes. Note that L4 connection matching support is incomplete.
properties:
destination_subnets:
description: IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., a.b.c.d/xx form or just a.b.c.d.
items:
type: string
type: array
gateways:
description: Names of gateways where the rule should be applied. Gateway names in the top-level `gateways` field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.
items:
type: string
type: array
port:
description: Specifies the port on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.
format: int32
type: integer
source_labels:
additionalProperties:
type: string
description: One or more labels that constrain the applicability of a rule to workloads with the given labels. If the VirtualService has a list of gateways specified in the top-level `gateways` field, it should include the reserved gateway `mesh` in order for this field to be applicable.
type: object
source_namespace:
description: Source namespace constraining the applicability of a rule to workloads in that namespace. If the VirtualService has a list of gateways specified in the top-level `gateways` field, it must include the reserved gateway `mesh` for this field to be applicable.
type: string
source_subnet:
description: IPv4 or IPv6 ip address of source with optional subnet. E.g., a.b.c.d/xx form or just a.b.c.d $hide_from_docs
type: string
type: object
type: array
route:
description: The destination to which the connection should be forwarded to.
items:
description: L4 routing rule weighted destination.
properties:
destination:
description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.
properties:
host:
description: "The name of a service from the service registry. Service names are looked up from the platform's service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by [ServiceEntry](https://istio.io/docs/reference/config/networking/service-entry/#ServiceEntry). Traffic forwarded to destinations that are not found in either of the two, will be dropped. \n *Note for Kubernetes users*: When short names are used (e.g. \"reviews\" instead of \"reviews.default.svc.cluster.local\"), Istio will interpret the short name based on the namespace of the rule, not the service. A rule in the \"default\" namespace containing a host \"reviews will be interpreted as \"reviews.default.svc.cluster.local\", irrespective of the actual namespace associated with the reviews service. To avoid potential misconfiguration, it is recommended to always use fully qualified domain names over short names."
type: string
port:
description: Specifies the port on the host that is being addressed. If a service exposes only a single port it is not required to explicitly select the port.
properties:
number:
description: Valid port number
format: int32
type: integer
type: object
subset:
description: The name of a subset within the service. Applicable only to services within the mesh. The subset must be defined in a corresponding DestinationRule.
type: string
type: object
weight:
description: The proportion of traffic to be forwarded to the service version. If there is only one destination in a rule, all traffic will be routed to it irrespective of the weight.
format: int32
type: integer
type: object
type: array
type: object
type: array
tls:
description: 'An ordered list of route rule for non-terminated TLS & HTTPS traffic. Routing is typically performed using the SNI value presented by the ClientHello message. TLS routes will be applied to platform service ports named ''https-*'', ''tls-*'', unterminated gateway ports using HTTPS/TLS protocols (i.e. with "passthrough" TLS mode) and service entry ports using HTTPS/TLS protocols. The first rule matching an incoming request is used. NOTE: Traffic ''https-*'' or ''tls-*'' ports without associated virtual service will be treated as opaque TCP traffic.'
items:
description: "Describes match conditions and actions for routing unterminated TLS traffic (TLS/HTTPS) The following routing rule forwards unterminated TLS traffic arriving at port 443 of gateway called \"mygateway\" to internal services in the mesh based on the SNI value. \n {{<tabset category-name=\"example\">}} {{<tab name=\"v1alpha3\" category-value=\"v1alpha3\">}} ```yaml apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: bookinfo-sni spec: hosts: - \"*.bookinfo.com\" gateways: - mygateway tls: - match: - port: 443 sniHosts: - login.bookinfo.com route: - destination: host: login.prod.svc.cluster.local - match: - port: 443 sniHosts: - reviews.bookinfo.com route: - destination: host: reviews.prod.svc.cluster.local ``` {{</tab>}} \n {{<tab name=\"v1beta1\" category-value=\"v1beta1\">}} ```yaml apiVersion: networking.istio.io/v1beta1 kind: VirtualService metadata: name: bookinfo-sni spec: hosts: - \"*.bookinfo.com\" gateways: - mygateway tls: - match: - port: 443 sniHosts: - login.bookinfo.com route: - destination: host: login.prod.svc.cluster.local - match: - port: 443 sniHosts: - reviews.bookinfo.com route: - destination: host: reviews.prod.svc.cluster.local ``` {{</tab>}} {{</tabset>}}"
properties:
match:
description: Match conditions to be satisfied for the rule to be activated. All conditions inside a single match block have AND semantics, while the list of match blocks have OR semantics. The rule is matched if any one of the match blocks succeed.
items:
description: TLS connection match attributes.
properties:
destination_subnets:
description: IPv4 or IPv6 ip addresses of destination with optional subnet. E.g., a.b.c.d/xx form or just a.b.c.d.
items:
type: string
type: array
gateways:
description: Names of gateways where the rule should be applied. Gateway names in the top-level `gateways` field of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.
items:
type: string
type: array
port:
description: Specifies the port on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.
format: int32
type: integer
sni_hosts:
description: SNI (server name indicator) to match on. Wildcard prefixes can be used in the SNI value, e.g., *.com will match foo.example.com as well as example.com. An SNI value must be a subset (i.e., fall within the domain) of the corresponding virtual serivce's hosts.
items:
type: string
type: array
source_labels:
additionalProperties:
type: string
description: One or more labels that constrain the applicability of a rule to workloads with the given labels. If the VirtualService has a list of gateways specified in the top-level `gateways` field, it should include the reserved gateway `mesh` in order for this field to be applicable.
type: object
source_namespace:
description: Source namespace constraining the applicability of a rule to workloads in that namespace. If the VirtualService has a list of gateways specified in the top-level `gateways` field, it must include the reserved gateway `mesh` for this field to be applicable.
type: string
type: object
type: array
route:
description: The destination to which the connection should be forwarded to.
items:
description: L4 routing rule weighted destination.
properties:
destination:
description: Destination uniquely identifies the instances of a service to which the request/connection should be forwarded to.
properties:
host:
description: "The name of a service from the service registry. Service names are looked up from the platform's service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by [ServiceEntry](https://istio.io/docs/reference/config/networking/service-entry/#ServiceEntry). Traffic forwarded to destinations that are not found in either of the two, will be dropped. \n *Note for Kubernetes users*: When short names are used (e.g. \"reviews\" instead of \"reviews.default.svc.cluster.local\"), Istio will interpret the short name based on the namespace of the rule, not the service. A rule in the \"default\" namespace containing a host \"reviews will be interpreted as \"reviews.default.svc.cluster.local\", irrespective of the actual namespace associated with the reviews service. To avoid potential misconfiguration, it is recommended to always use fully qualified domain names over short names."
type: string
port:
description: Specifies the port on the host that is being addressed. If a service exposes only a single port it is not required to explicitly select the port.
properties:
number:
description: Valid port number
format: int32
type: integer
type: object
subset:
description: The name of a subset within the service. Applicable only to services within the mesh. The subset must be defined in a corresponding DestinationRule.
type: string
type: object
weight:
description: The proportion of traffic to be forwarded to the service version. If there is only one destination in a rule, all traffic will be routed to it irrespective of the weight.
format: int32
type: integer
type: object
type: array
type: object
type: array
type: object
type: object
type:

3
config/crds/types.kubefed.io_federateddeployments.yaml generated
View File

@@ -901,6 +901,7 @@ spec:
description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
type: string
protocol:
default: TCP
description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
type: string
required:
@@ -1646,6 +1647,7 @@ spec:
description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
type: string
protocol:
default: TCP
description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
type: string
required:
@@ -2395,6 +2397,7 @@ spec:
description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
type: string
protocol:
default: TCP
description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
type: string
required:

3
config/crds/types.kubefed.io_federatedjobs.yaml generated
View File

@@ -878,6 +878,7 @@ spec:
description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
type: string
protocol:
default: TCP
description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
type: string
required:
@@ -1623,6 +1624,7 @@ spec:
description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
type: string
protocol:
default: TCP
description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
type: string
required:
@@ -2372,6 +2374,7 @@ spec:
description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
type: string
protocol:
default: TCP
description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
type: string
required:

1
config/crds/types.kubefed.io_federatedservices.yaml generated
View File

@@ -156,6 +156,7 @@ spec:
format: int32
type: integer
protocol:
default: TCP
description: The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". Default is TCP.
type: string
targetPort:

3
config/crds/types.kubefed.io_federatedstatefulsets.yaml generated
View File

@@ -881,6 +881,7 @@ spec:
description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
type: string
protocol:
default: TCP
description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
type: string
required:
@@ -1626,6 +1627,7 @@ spec:
description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
type: string
protocol:
default: TCP
description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
type: string
required:
@@ -2375,6 +2377,7 @@ spec:
description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
type: string
protocol:
default: TCP
description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
type: string
required:

1
config/crds/types.kubefed.io_servicetemplates.yaml generated
View File

@@ -80,6 +80,7 @@ spec:
format: int32
type: integer
protocol:
default: TCP
description: The IP protocol for this port. Supports "TCP", "UDP", and "SCTP". Default is TCP.
type: string
targetPort:

3
config/crds/types.kubefed.io_statefulsettemplates.yaml generated
View File

@@ -805,6 +805,7 @@ spec:
description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
type: string
protocol:
default: TCP
description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
type: string
required:
@@ -1550,6 +1551,7 @@ spec:
description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
type: string
protocol:
default: TCP
description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
type: string
required:
@@ -2299,6 +2301,7 @@ spec:
description: If specified, this must be an IANA_SVC_NAME and unique within the pod. Each named port in a pod must have a unique name. Name for the port that can be referred to by services.
type: string
protocol:
default: TCP
description: Protocol for port. Must be UDP, TCP, or SCTP. Defaults to "TCP".
type: string
required:

4
go.mod
View File

@@ -109,7 +109,7 @@ require (
kubesphere.io/monitoring-dashboard v0.1.2
sigs.k8s.io/application v0.8.4-0.20201016185654-c8e2959e57a0
sigs.k8s.io/controller-runtime v0.6.4
sigs.k8s.io/controller-tools v0.4.0
sigs.k8s.io/controller-tools v0.4.1
sigs.k8s.io/kubefed v0.6.1
sigs.k8s.io/kustomize v2.0.3+incompatible
sigs.k8s.io/yaml v1.2.0
@@ -739,7 +739,7 @@ replace (
sigs.k8s.io/apiserver-network-proxy/konnectivity-client => sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.7
sigs.k8s.io/application => sigs.k8s.io/application v0.8.4-0.20201016185654-c8e2959e57a0
sigs.k8s.io/controller-runtime => sigs.k8s.io/controller-runtime v0.6.4
sigs.k8s.io/controller-tools => sigs.k8s.io/controller-tools v0.4.0
sigs.k8s.io/controller-tools => sigs.k8s.io/controller-tools v0.4.1
sigs.k8s.io/kind => sigs.k8s.io/kind v0.8.1
sigs.k8s.io/kubefed => sigs.k8s.io/kubefed v0.6.1
sigs.k8s.io/kustomize => sigs.k8s.io/kustomize v2.0.3+incompatible

4
go.sum
View File

@@ -872,8 +872,8 @@ sigs.k8s.io/application v0.8.4-0.20201016185654-c8e2959e57a0 h1:cH3Q4uNycL9Lgzly
sigs.k8s.io/application v0.8.4-0.20201016185654-c8e2959e57a0/go.mod h1:wdTrELsIgKk8lnlRaoKWao9YpLelXpABdEgCM1aEEE4=
sigs.k8s.io/controller-runtime v0.6.4 h1:4013CKsBs5bEqo+LevzDett+LLxag/FjQWG94nVZ/9g=
sigs.k8s.io/controller-runtime v0.6.4/go.mod h1:WlZNXcM0++oyaQt4B7C2lEE5JYRs8vJUzRP4N4JpdAY=
sigs.k8s.io/controller-tools v0.4.0 h1:9zIdrc6q9RKke8+DnVPVBVZ+cfF9L0TwM01cxNnklYo=
sigs.k8s.io/controller-tools v0.4.0/go.mod h1:G9rHdZMVlBDocIxGkK3jHLWqcTMNvveypYJwrvYKjWU=
sigs.k8s.io/controller-tools v0.4.1 h1:VkuV0MxlRPmRu5iTgBZU4UxUX2LiR99n3sdQGRxZF4w=
sigs.k8s.io/controller-tools v0.4.1/go.mod h1:G9rHdZMVlBDocIxGkK3jHLWqcTMNvveypYJwrvYKjWU=
sigs.k8s.io/kind v0.8.1/go.mod h1:oNKTxUVPYkV9lWzY6CVMNluVq8cBsyq+UgPJdvA3uu4=
sigs.k8s.io/kubefed v0.6.1 h1:5NqfXCYPG1UC7H2KCs8tX77XN1ohHv+VegkZ69UWvF0=
sigs.k8s.io/kubefed v0.6.1/go.mod h1:dP40OsC2z1m2uzkk8YiTMdaO/Y8/2zvAAWfGuYnJTKU=

2
vendor/modules.txt vendored
View File

@@ -1638,7 +1638,7 @@ sigs.k8s.io/controller-runtime/pkg/webhook/admission
sigs.k8s.io/controller-runtime/pkg/webhook/conversion
sigs.k8s.io/controller-runtime/pkg/webhook/internal/certwatcher
sigs.k8s.io/controller-runtime/pkg/webhook/internal/metrics
# sigs.k8s.io/controller-tools v0.4.0 => sigs.k8s.io/controller-tools v0.4.0
# sigs.k8s.io/controller-tools v0.4.1 => sigs.k8s.io/controller-tools v0.4.1
sigs.k8s.io/controller-tools/cmd/controller-gen
sigs.k8s.io/controller-tools/pkg/crd
sigs.k8s.io/controller-tools/pkg/crd/markers

72
vendor/sigs.k8s.io/controller-tools/pkg/crd/gen.go generated vendored
View File

@@ -18,7 +18,9 @@ package crd
import (
"fmt"
"go/ast"
"go/types"
"os"
apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
apiextlegacy "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
@@ -84,6 +86,9 @@ type Generator struct {
CRDVersions []string `marker:"crdVersions,optional"`
}
func (Generator) CheckFilter() loader.NodeFilter {
return filterTypesForCRDs
}
func (Generator) RegisterMarkers(into *markers.Registry) error {
return crdmarkers.Register(into)
}
@@ -156,6 +161,11 @@ func (g Generator) Generate(ctx *genall.GenerationContext) error {
}
for i, crd := range versionedCRDs {
// defaults are not allowed to be specified in v1beta1 CRDs, so strip them
// before writing to a file
if crdVersions[i] == "v1beta1" {
removeDefaultsFromSchemas(crd.(*apiextlegacy.CustomResourceDefinition))
}
var fileName string
if i == 0 {
fileName = fmt.Sprintf("%s_%s.yaml", crdRaw.Spec.Group, crdRaw.Spec.Names.Plural)
@@ -171,6 +181,49 @@ func (g Generator) Generate(ctx *genall.GenerationContext) error {
return nil
}
// removeDefaultsFromSchemas will remove all instances of default values being
// specified across all defined API versions
func removeDefaultsFromSchemas(crd *apiextlegacy.CustomResourceDefinition) {
if crd.Spec.Validation != nil {
removeDefaultsFromSchemaProps(crd.Spec.Validation.OpenAPIV3Schema)
}
for _, versionSpec := range crd.Spec.Versions {
if versionSpec.Schema != nil {
removeDefaultsFromSchemaProps(versionSpec.Schema.OpenAPIV3Schema)
}
}
}
// removeDefaultsFromSchemaProps will recurse into JSONSchemaProps to remove
// all instances of default values being specified
func removeDefaultsFromSchemaProps(v *apiextlegacy.JSONSchemaProps) {
if v == nil {
return
}
if v.Default != nil {
fmt.Fprintln(os.Stderr, "Warning: default unsupported in CRD version v1beta1, v1 required. Removing defaults.")
}
// nil-out the default field
v.Default = nil
for name, prop := range v.Properties {
// iter var reference is fine -- we handle the persistence of the modfications on the line below
//nolint:gosec
removeDefaultsFromSchemaProps(&prop)
v.Properties[name] = prop
}
if v.Items != nil {
removeDefaultsFromSchemaProps(v.Items.Schema)
for i := range v.Items.JSONSchemas {
props := v.Items.JSONSchemas[i]
removeDefaultsFromSchemaProps(&props)
v.Items.JSONSchemas[i] = props
}
}
}
// toTrivialVersions strips out all schemata except for the storage schema,
// and moves that up into the root object. This makes the CRD compatible
// with pre 1.13 clusters.
@@ -277,3 +330,22 @@ func FindKubeKinds(parser *Parser, metav1Pkg *loader.Package) map[schema.GroupKi
return kubeKinds
}
// filterTypesForCRDs filters out all nodes that aren't used in CRD generation,
// like interfaces and struct fields without JSON tag.
func filterTypesForCRDs(node ast.Node) bool {
switch node := node.(type) {
case *ast.InterfaceType:
// skip interfaces, we never care about references in them
return false
case *ast.StructType:
return true
case *ast.Field:
_, hasTag := loader.ParseAstTag(node.Tag).Lookup("json")
// fields without JSON tags mean we have custom serialization,
// so only visit fields with tags.
return hasTag
default:
return true
}
}

8
vendor/sigs.k8s.io/controller-tools/pkg/crd/known_types.go generated vendored
View File

@@ -24,6 +24,14 @@ import (
// KnownPackages overrides types in some comment packages that have custom validation
// but don't have validation markers on them (since they're from core Kubernetes).
var KnownPackages = map[string]PackageOverride{
"k8s.io/api/core/v1": func(p *Parser, pkg *loader.Package) {
// Explicit defaulting for the corev1.Protocol type in lieu of https://github.com/kubernetes/enhancements/pull/1928
p.Schemata[TypeIdent{Name: "Protocol", Package: pkg}] = apiext.JSONSchemaProps{
Type: "string",
Default: &apiext.JSON{Raw: []byte(`"TCP"`)},
}
p.AddPackage(pkg)
},
"k8s.io/apimachinery/pkg/apis/meta/v1": func(p *Parser, pkg *loader.Package) {
// ObjectMeta is managed by the Kubernetes API server, so no need to

47
vendor/sigs.k8s.io/controller-tools/pkg/crd/markers/validation.go generated vendored
View File

@@ -40,6 +40,8 @@ var ValidationMarkers = mustMakeAllWithPrefix("kubebuilder:validation", markers.
ExclusiveMaximum(false),
ExclusiveMinimum(false),
MultipleOf(0),
MinProperties(0),
MaxProperties(0),
// string markers
@@ -78,12 +80,20 @@ var FieldOnlyMarkers = []*definitionWithHelp{
must(markers.MakeAnyTypeDefinition("kubebuilder:default", markers.DescribesField, Default{})).
WithHelp(Default{}.Help()),
must(markers.MakeDefinition("kubebuilder:pruning:PreserveUnknownFields", markers.DescribesField, XPreserveUnknownFields{})).
WithHelp(XPreserveUnknownFields{}.Help()),
must(markers.MakeDefinition("kubebuilder:validation:EmbeddedResource", markers.DescribesField, XEmbeddedResource{})).
WithHelp(XEmbeddedResource{}.Help()),
}
// ValidationIshMarkers are field-and-type markers that don't fall under the
// :validation: prefix, and/or don't have a name that directly matches their
// type.
var ValidationIshMarkers = []*definitionWithHelp{
must(markers.MakeDefinition("kubebuilder:pruning:PreserveUnknownFields", markers.DescribesField, XPreserveUnknownFields{})).
WithHelp(XPreserveUnknownFields{}.Help()),
must(markers.MakeDefinition("kubebuilder:pruning:PreserveUnknownFields", markers.DescribesType, XPreserveUnknownFields{})).
WithHelp(XPreserveUnknownFields{}.Help()),
}
func init() {
AllDefinitions = append(AllDefinitions, ValidationMarkers...)
@@ -99,6 +109,7 @@ func init() {
}
AllDefinitions = append(AllDefinitions, FieldOnlyMarkers...)
AllDefinitions = append(AllDefinitions, ValidationIshMarkers...)
}
// +controllertools:marker:generateHelp:category="CRD validation"
@@ -106,7 +117,7 @@ func init() {
type Maximum int
// +controllertools:marker:generateHelp:category="CRD validation"
// Minimum specifies the minimum numeric value that this field can have.
// Minimum specifies the minimum numeric value that this field can have. Negative integers are supported.
type Minimum int
// +controllertools:marker:generateHelp:category="CRD validation"
@@ -145,6 +156,14 @@ type MinItems int
// UniqueItems specifies that all items in this list must be unique.
type UniqueItems bool
// +controllertools:marker:generateHelp:category="CRD validation"
// MaxProperties restricts the number of keys in an object
type MaxProperties int
// +controllertools:marker:generateHelp:category="CRD validation"
// MinProperties restricts the number of keys in an object
type MinProperties int
// +controllertools:marker:generateHelp:category="CRD validation"
// Enum specifies that this (scalar) field is restricted to the *exact* values specified here.
type Enum []interface{}
@@ -191,6 +210,10 @@ type Default struct {
// if nested properties or additionalProperties are specified in the schema.
// This can either be true or undefined. False
// is forbidden.
//
// NB: The kubebuilder:validation:XPreserveUnknownFields variant is deprecated
// in favor of the kubebuilder:pruning:PreserveUnknownFields variant. They function
// identically.
type XPreserveUnknownFields struct{}
// +controllertools:marker:generateHelp:category="CRD validation"
@@ -289,6 +312,24 @@ func (m UniqueItems) ApplyToSchema(schema *apiext.JSONSchemaProps) error {
return nil
}
func (m MinProperties) ApplyToSchema(schema *apiext.JSONSchemaProps) error {
if schema.Type != "object" {
return fmt.Errorf("must apply minproperties to an object")
}
val := int64(m)
schema.MinProperties = &val
return nil
}
func (m MaxProperties) ApplyToSchema(schema *apiext.JSONSchemaProps) error {
if schema.Type != "object" {
return fmt.Errorf("must apply maxproperties to an object")
}
val := int64(m)
schema.MaxProperties = &val
return nil
}
func (m Enum) ApplyToSchema(schema *apiext.JSONSchemaProps) error {
// TODO(directxman12): this is a bit hacky -- we should
// probably support AnyType better + using the schema structure

26
vendor/sigs.k8s.io/controller-tools/pkg/crd/markers/zz_generated.markerhelp.go generated vendored
View File

@@ -139,6 +139,17 @@ func (MaxLength) Help() *markers.DefinitionHelp {
}
}
func (MaxProperties) Help() *markers.DefinitionHelp {
return &markers.DefinitionHelp{
Category: "CRD validation",
DetailedHelp: markers.DetailedHelp{
Summary: "restricts the number of keys in an object",
Details: "",
},
FieldHelp: map[string]markers.DetailedHelp{},
}
}
func (Maximum) Help() *markers.DefinitionHelp {
return &markers.DefinitionHelp{
Category: "CRD validation",
@@ -172,11 +183,22 @@ func (MinLength) Help() *markers.DefinitionHelp {
}
}
func (MinProperties) Help() *markers.DefinitionHelp {
return &markers.DefinitionHelp{
Category: "CRD validation",
DetailedHelp: markers.DetailedHelp{
Summary: "restricts the number of keys in an object",
Details: "",
},
FieldHelp: map[string]markers.DetailedHelp{},
}
}
func (Minimum) Help() *markers.DefinitionHelp {
return &markers.DefinitionHelp{
Category: "CRD validation",
DetailedHelp: markers.DetailedHelp{
Summary: "specifies the minimum numeric value that this field can have.",
Summary: "specifies the minimum numeric value that this field can have. Negative integers are supported.",
Details: "",
},
FieldHelp: map[string]markers.DetailedHelp{},
@@ -401,7 +423,7 @@ func (XPreserveUnknownFields) Help() *markers.DefinitionHelp {
Category: "CRD processing",
DetailedHelp: markers.DetailedHelp{
Summary: "PreserveUnknownFields stops the apiserver from pruning fields which are not specified. ",
Details: "By default the apiserver drops unknown fields from the request payload during the decoding step. This marker stops the API server from doing so. It affects fields recursively, but switches back to normal pruning behaviour if nested properties or additionalProperties are specified in the schema. This can either be true or undefined. False is forbidden.",
Details: "By default the apiserver drops unknown fields from the request payload during the decoding step. This marker stops the API server from doing so. It affects fields recursively, but switches back to normal pruning behaviour if nested properties or additionalProperties are specified in the schema. This can either be true or undefined. False is forbidden. \n NB: The kubebuilder:validation:XPreserveUnknownFields variant is deprecated in favor of the kubebuilder:pruning:PreserveUnknownFields variant. They function identically.",
},
FieldHelp: map[string]markers.DetailedHelp{},
}

22
vendor/sigs.k8s.io/controller-tools/pkg/crd/parser.go generated vendored
View File

@@ -18,7 +18,6 @@ package crd
import (
"fmt"
"go/ast"
apiext "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
"k8s.io/apimachinery/pkg/runtime/schema"
@@ -216,7 +215,7 @@ func (p *Parser) AddPackage(pkg *loader.Package) {
return
}
p.indexTypes(pkg)
p.Checker.Check(pkg, filterTypesForCRDs)
p.Checker.Check(pkg)
p.packages[pkg] = struct{}{}
}
@@ -236,22 +235,3 @@ func (p *Parser) NeedPackage(pkg *loader.Package) {
}
p.AddPackage(pkg)
}
// filterTypesForCRDs filters out all nodes that aren't used in CRD generation,
// like interfaces and struct fields without JSON tag.
func filterTypesForCRDs(node ast.Node) bool {
switch node := node.(type) {
case *ast.InterfaceType:
// skip interfaces, we never care about references in them
return false
case *ast.StructType:
return true
case *ast.Field:
_, hasTag := loader.ParseAstTag(node.Tag).Lookup("json")
// fields without JSON tags mean we have custom serialization,
// so only visit fields with tags.
return hasTag
default:
return true
}
}

19
vendor/sigs.k8s.io/controller-tools/pkg/crd/schema.go generated vendored
View File

@@ -19,7 +19,6 @@ package crd
import (
"fmt"
"go/ast"
"go/token"
"go/types"
"strings"
@@ -109,11 +108,6 @@ func (c *schemaContext) requestSchema(pkgPath, typeName string) {
// infoToSchema creates a schema for the type in the given set of type information.
func infoToSchema(ctx *schemaContext) *apiext.JSONSchemaProps {
if obj := ctx.pkg.Types.Scope().Lookup(ctx.info.Name); obj != nil && implementsJSONMarshaler(obj.Type()) {
schema := &apiext.JSONSchemaProps{Type: "Any"}
applyMarkers(ctx, ctx.info.Markers, schema, ctx.info.RawSpec.Type)
return schema
}
return typeToSchema(ctx, ctx.info.RawSpec.Type)
}
@@ -431,16 +425,3 @@ func builtinToType(basic *types.Basic, allowDangerousTypes bool) (typ string, fo
return typ, format, nil
}
// Open coded go/types representation of encoding/json.Marshaller
var jsonMarshaler = types.NewInterfaceType([]*types.Func{
types.NewFunc(token.NoPos, nil, "MarshalJSON",
types.NewSignature(nil, nil,
types.NewTuple(
types.NewVar(token.NoPos, nil, "", types.NewSlice(types.Universe.Lookup("byte").Type())),
types.NewVar(token.NoPos, nil, "", types.Universe.Lookup("error").Type())), false)),
}, nil).Complete()
func implementsJSONMarshaler(typ types.Type) bool {
return types.Implements(typ, jsonMarshaler) || types.Implements(types.NewPointer(typ), jsonMarshaler)
}

6
vendor/sigs.k8s.io/controller-tools/pkg/crd/schema_visitor.go generated vendored
View File

@@ -27,6 +27,10 @@ type SchemaVisitor interface {
// this visitor will be called again with `nil` to indicate that
// all children have been visited. If a nil visitor is returned,
// children are not visited.
//
// It is *NOT* safe to save references to the given schema.
// Make deepcopies if you need to keep things around beyond
// the lifetime of the call.
Visit(schema *apiext.JSONSchemaProps) SchemaVisitor
}
@@ -102,6 +106,8 @@ func (w schemaWalker) walkSchema(schema *apiext.JSONSchemaProps) {
// walkMap walks over values of the given map, saving changes to them.
func (w schemaWalker) walkMap(defs map[string]apiext.JSONSchemaProps) {
for name, def := range defs {
// this is iter var reference is because we immediately preseve it below
//nolint:gosec
w.walkSchema(&def)
// make sure the edits actually go through since we can't
// take a reference to the value in the map

20
vendor/sigs.k8s.io/controller-tools/pkg/deepcopy/gen.go generated vendored
View File

@@ -58,6 +58,14 @@ type Generator struct {
Year string `marker:",optional"`
}
func (Generator) CheckFilter() loader.NodeFilter {
return func(node ast.Node) bool {
// ignore interfaces
_, isIface := node.(*ast.InterfaceType)
return !isIface
}
}
func (Generator) RegisterMarkers(into *markers.Registry) error {
if err := markers.RegisterAll(into,
enablePkgMarker, legacyEnablePkgMarker, enableTypeMarker,
@@ -144,7 +152,7 @@ func (d Generator) Generate(ctx *genall.GenerationContext) error {
}
for _, root := range ctx.Roots {
outContents := objGenCtx.GenerateForPackage(root)
outContents := objGenCtx.generateForPackage(root)
if outContents == nil {
continue
}
@@ -186,21 +194,17 @@ import (
}
// GenerateForPackage generates DeepCopy and runtime.Object implementations for
// generateForPackage generates DeepCopy and runtime.Object implementations for
// types in the given package, writing the formatted result to given writer.
// May return nil if source could not be generated.
func (ctx *ObjectGenCtx) GenerateForPackage(root *loader.Package) []byte {
func (ctx *ObjectGenCtx) generateForPackage(root *loader.Package) []byte {
allTypes, err := enabledOnPackage(ctx.Collector, root)
if err != nil {
root.AddError(err)
return nil
}
ctx.Checker.Check(root, func(node ast.Node) bool {
// ignore interfaces
_, isIface := node.(*ast.InterfaceType)
return !isIface
})
ctx.Checker.Check(root)
root.NeedTypesInfo()

53
vendor/sigs.k8s.io/controller-tools/pkg/deepcopy/traverse.go generated vendored
View File

@@ -197,7 +197,7 @@ func (n *namingInfo) Syntax(basePkg *loader.Package, imports *importsList) strin
(&namingInfo{typeInfo: typeInfo.Key()}).Syntax(basePkg, imports),
(&namingInfo{typeInfo: typeInfo.Elem()}).Syntax(basePkg, imports))
default:
basePkg.AddError(fmt.Errorf("name requested for invalid type %s", typeInfo))
basePkg.AddError(fmt.Errorf("name requested for invalid type: %s", typeInfo))
return typeInfo.String()
}
}
@@ -215,7 +215,7 @@ type copyMethodMaker struct {
func (c *copyMethodMaker) GenerateMethodsFor(root *loader.Package, info *markers.TypeInfo) {
typeInfo := root.TypesInfo.TypeOf(info.RawSpec.Name)
if typeInfo == types.Typ[types.Invalid] {
root.AddError(loader.ErrFromNode(fmt.Errorf("unknown type %s", info.Name), info.RawSpec))
root.AddError(loader.ErrFromNode(fmt.Errorf("unknown type: %s", info.Name), info.RawSpec))
}
// figure out if we need to use a pointer receiver -- most types get a pointer receiver,
@@ -293,13 +293,18 @@ func (c *copyMethodMaker) genDeepCopyIntoBlock(actualName *namingInfo, typeInfo
switch last := last.(type) {
case *types.Basic:
// basic types themselves can be "shallow" copied, so all we need
// to do is check if our *actual* type (not the underlying one) has
// a custom method implemented.
if hasMethod, _ := hasDeepCopyMethod(c.pkg, typeInfo); hasMethod {
c.Line("*out = in.DeepCopy()")
switch last.Kind() {
case types.Invalid, types.UnsafePointer:
c.pkg.AddError(fmt.Errorf("invalid type: %s", last))
default:
// basic types themselves can be "shallow" copied, so all we need
// to do is check if our *actual* type (not the underlying one) has
// a custom method implemented.
if hasMethod, _ := hasDeepCopyMethod(c.pkg, typeInfo); hasMethod {
c.Line("*out = in.DeepCopy()")
}
c.Line("*out = *in")
}
c.Line("*out = *in")
case *types.Map:
c.genMapDeepCopy(actualName, last)
case *types.Slice:
@@ -312,7 +317,7 @@ func (c *copyMethodMaker) genDeepCopyIntoBlock(actualName *namingInfo, typeInfo
// handled via the above loop, should never happen
c.pkg.AddError(fmt.Errorf("interface type %s encountered directly, invalid condition", last))
default:
c.pkg.AddError(fmt.Errorf("invalid type %s", last))
c.pkg.AddError(fmt.Errorf("invalid type: %s", last))
}
}
@@ -322,7 +327,7 @@ func (c *copyMethodMaker) genMapDeepCopy(actualName *namingInfo, mapType *types.
// maps *must* have shallow-copiable types, since we just iterate
// through the keys, only trying to deepcopy the values.
if !fineToShallowCopy(mapType.Key()) {
c.pkg.AddError(fmt.Errorf("invalid map key type %s", mapType.Key()))
c.pkg.AddError(fmt.Errorf("invalid map key type: %s", mapType.Key()))
return
}
@@ -383,7 +388,7 @@ func (c *copyMethodMaker) genMapDeepCopy(actualName *namingInfo, mapType *types.
// structs will have deepcopy generated for them, so use that
c.Line("(*out)[key] = *val.DeepCopy()")
default:
c.pkg.AddError(fmt.Errorf("invalid map value type %s", underlyingElem))
c.pkg.AddError(fmt.Errorf("invalid map value type: %s", underlyingElem))
return
}
}
@@ -425,7 +430,7 @@ func (c *copyMethodMaker) genSliceDeepCopy(actualName *namingInfo, sliceType *ty
// structs will always have deepcopy
c.Linef("(*in)[i].DeepCopyInto(&(*out)[i])")
default:
c.pkg.AddError(fmt.Errorf("invalid slice element type %s", underlyingElem))
c.pkg.AddError(fmt.Errorf("invalid slice element type: %s", underlyingElem))
}
})
}
@@ -483,7 +488,13 @@ func (c *copyMethodMaker) genStructDeepCopy(_ *namingInfo, structType *types.Str
// otherwise...
switch underlyingField := underlyingField.(type) {
case *types.Basic:
// nothing to do, initial assignment copied this
switch underlyingField.Kind() {
case types.Invalid, types.UnsafePointer:
c.pkg.AddError(loader.ErrFromNode(fmt.Errorf("invalid field type: %s", underlyingField), field))
return
default:
// nothing to do, initial assignment copied this
}
case *types.Struct:
if fineToShallowCopy(field.Type()) {
c.Linef("out.%[1]s = in.%[1]s", field.Name())
@@ -491,7 +502,7 @@ func (c *copyMethodMaker) genStructDeepCopy(_ *namingInfo, structType *types.Str
c.Linef("in.%[1]s.DeepCopyInto(&out.%[1]s)", field.Name())
}
default:
c.pkg.AddError(fmt.Errorf("invalid field type %s", underlyingField))
c.pkg.AddError(loader.ErrFromNode(fmt.Errorf("invalid field type: %s", underlyingField), field))
return
}
}
@@ -542,7 +553,7 @@ func (c *copyMethodMaker) genPointerDeepCopy(_ *namingInfo, pointerType *types.P
c.Linef("*out = new(%[1]s)", (&namingInfo{typeInfo: pointerType.Elem()}).Syntax(c.pkg, c.importsList))
c.Line("(*in).DeepCopyInto(*out)")
default:
c.pkg.AddError(fmt.Errorf("invalid pointer element type %s", underlyingElem))
c.pkg.AddError(fmt.Errorf("invalid pointer element type: %s", underlyingElem))
return
}
}
@@ -602,7 +613,7 @@ func shouldBeCopied(pkg *loader.Package, info *markers.TypeInfo) bool {
typeInfo := pkg.TypesInfo.TypeOf(info.RawSpec.Name)
if typeInfo == types.Typ[types.Invalid] {
pkg.AddError(loader.ErrFromNode(fmt.Errorf("unknown type %s", info.Name), info.RawSpec))
pkg.AddError(loader.ErrFromNode(fmt.Errorf("unknown type: %s", info.Name), info.RawSpec))
return false
}
@@ -735,8 +746,14 @@ func eventualUnderlyingType(typeInfo types.Type) types.Type {
func fineToShallowCopy(typeInfo types.Type) bool {
switch typeInfo := typeInfo.(type) {
case *types.Basic:
// basic types (int, string, etc) are always fine to shallow-copy
return true
// basic types (int, string, etc) are always fine to shallow-copy,
// except for Invalid and UnsafePointer, which can't be copied at all.
switch typeInfo.Kind() {
case types.Invalid, types.UnsafePointer:
return false
default:
return true
}
case *types.Named:
// aliases are fine to shallow-copy as long as they resolve to a shallow-copyable type
return fineToShallowCopy(typeInfo.Underlying())

41
vendor/sigs.k8s.io/controller-tools/pkg/genall/genall.go generated vendored
View File

@@ -46,6 +46,32 @@ func (g Generators) RegisterMarkers(reg *markers.Registry) error {
return nil
}
// CheckFilters returns the set of NodeFilters for all Generators that
// implement NeedsTypeChecking.
func (g Generators) CheckFilters() []loader.NodeFilter {
var filters []loader.NodeFilter
for _, gen := range g {
withFilter, needsChecking := (*gen).(NeedsTypeChecking)
if !needsChecking {
continue
}
filters = append(filters, withFilter.CheckFilter())
}
return filters
}
// NeedsTypeChecking indicates that a particular generator needs & has opinions
// on typechecking. If this is not implemented, a generator will be given a
// context with a nil typechecker.
type NeedsTypeChecking interface {
// CheckFilter indicates the loader.NodeFilter (if any) that should be used
// to prune out unused types/packages when type-checking (nodes for which
// the filter returns true are considered "interesting"). This filter acts
// as a baseline -- all types the pass through this filter will be checked,
// but more than that may also be checked due to other generators' filters.
CheckFilter() loader.NodeFilter
}
// Generator knows how to register some set of markers, and then produce
// output artifacts based on loaded code containing those markers,
// sharing common loaded data.
@@ -144,7 +170,9 @@ func (g Generators) ForRoots(rootPaths ...string) (*Runtime, error) {
},
Roots: roots,
InputRule: InputFromFileSystem,
Checker: &loader.TypeChecker{},
Checker: &loader.TypeChecker{
NodeFilters: g.CheckFilters(),
},
},
OutputRules: OutputRules{Default: OutputToNothing},
}
@@ -165,14 +193,23 @@ func (r *Runtime) Run() bool {
return true
}
hadErrs := false
for _, gen := range r.Generators {
ctx := r.GenerationContext // make a shallow copy
ctx.OutputRule = r.OutputRules.ForGenerator(gen)
// don't pass a typechecker to generators that don't provide a filter
// to avoid accidents
if _, needsChecking := (*gen).(NeedsTypeChecking); !needsChecking {
ctx.Checker = nil
}
if err := (*gen).Generate(&ctx); err != nil {
fmt.Fprintln(os.Stderr, err)
hadErrs = true
}
}
// skip TypeErrors -- they're probably just from partial typechecking in crd-gen
return loader.PrintErrors(r.Roots, packages.TypeError)
return loader.PrintErrors(r.Roots, packages.TypeError) || hadErrs
}

8
vendor/sigs.k8s.io/controller-tools/pkg/loader/errors.go generated vendored
View File

@@ -18,7 +18,6 @@ package loader
import (
"fmt"
"go/ast"
"go/token"
)
@@ -29,10 +28,15 @@ type PositionedError struct {
error
}
// Node is the intersection of go/ast.Node and go/types.Var.
type Node interface {
Pos() token.Pos // position of first character belonging to the node
}
// ErrFromNode returns the given error, with additional information
// attaching it to the given AST node. It will automatically map
// over error lists.
func ErrFromNode(err error, node ast.Node) error {
func ErrFromNode(err error, node Node) error {
if asList, isList := err.(ErrList); isList {
resList := make(ErrList, len(asList))
for i, baseErr := range asList {

46
vendor/sigs.k8s.io/controller-tools/pkg/loader/refs.go generated vendored
View File

@@ -185,37 +185,51 @@ func allReferencedPackages(pkg *Package, filterNodes NodeFilter) []*Package {
// checking each package's types' externally-referenced types, and only
// type-checking those packages.
type TypeChecker struct {
// NodeFilters are used to filter the set of references that are followed
// when typechecking. If any of the filters returns true for a given node,
// its package will be added to the set of packages to check.
//
// If no filters are specified, all references are followed (this may be slow).
//
// Modifying this after the first call to check may yield strange/invalid
// results.
NodeFilters []NodeFilter
checkedPackages map[*Package]struct{}
filterNodes NodeFilter
sync.Mutex
}
// Check type-checks the given package and all packages referenced
// by types that pass through (have true returned by) filterNodes.
func (c *TypeChecker) Check(root *Package, filterNodes NodeFilter) {
// Check type-checks the given package and all packages referenced by types
// that pass through (have true returned by) any of the NodeFilters.
func (c *TypeChecker) Check(root *Package) {
c.init()
if filterNodes == nil {
filterNodes = c.filterNodes
}
// use a sub-checker with the appropriate settings
(&TypeChecker{
filterNodes: filterNodes,
NodeFilters: c.NodeFilters,
checkedPackages: c.checkedPackages,
}).check(root)
}
func (c *TypeChecker) isNodeInteresting(node ast.Node) bool {
// no filters --> everything is important
if len(c.NodeFilters) == 0 {
return true
}
// otherwise, passing through any one filter means this node is important
for _, filter := range c.NodeFilters {
if filter(node) {
return true
}
}
return false
}
func (c *TypeChecker) init() {
if c.checkedPackages == nil {
c.checkedPackages = make(map[*Package]struct{})
}
if c.filterNodes == nil {
// check every type by default
c.filterNodes = func(_ ast.Node) bool {
return true
}
}
}
// check recursively type-checks the given package, only loading packages that
@@ -232,7 +246,7 @@ func (c *TypeChecker) check(root *Package) {
return
}
refedPackages := allReferencedPackages(root, c.filterNodes)
refedPackages := allReferencedPackages(root, c.isNodeInteresting)
// first, resolve imports for all leaf packages...
var wg sync.WaitGroup

19
vendor/sigs.k8s.io/controller-tools/pkg/markers/parse.go generated vendored
View File

@@ -340,8 +340,13 @@ func guessType(scanner *sc.Scanner, raw string, allowSlice bool) *Argument {
}
}
// then, integers...
if !probablyString {
if nextTok := subScanner.Scan(); nextTok == sc.Int {
nextTok := subScanner.Scan()
if nextTok == '-' {
nextTok = subScanner.Scan()
}
if nextTok == sc.Int {
return &Argument{Type: IntType}
}
}
@@ -481,11 +486,21 @@ func (a *Argument) parse(scanner *sc.Scanner, raw string, out reflect.Value, inS
for tok := scanner.Scan(); tok != sc.EOF; tok = scanner.Scan() {
}
case IntType:
nextChar := scanner.Peek()
isNegative := false
if nextChar == '-' {
isNegative = true
scanner.Scan() // eat the '-'
}
if !expect(scanner, sc.Int, "integer") {
return
}
// TODO(directxman12): respect the size when parsing
val, err := strconv.Atoi(scanner.TokenText())
text := scanner.TokenText()
if isNegative {
text = "-" + text
}
val, err := strconv.Atoi(text)
if err != nil {
scanner.Error(scanner, fmt.Sprintf("unable to parse integer: %v", err))
return

5
vendor/sigs.k8s.io/controller-tools/pkg/schemapatcher/gen.go generated vendored
View File

@@ -32,6 +32,7 @@ import (
crdgen "sigs.k8s.io/controller-tools/pkg/crd"
crdmarkers "sigs.k8s.io/controller-tools/pkg/crd/markers"
"sigs.k8s.io/controller-tools/pkg/genall"
"sigs.k8s.io/controller-tools/pkg/loader"
"sigs.k8s.io/controller-tools/pkg/markers"
yamlop "sigs.k8s.io/controller-tools/pkg/schemapatcher/internal/yaml"
)
@@ -87,6 +88,10 @@ type Generator struct {
var _ genall.Generator = &Generator{}
func (Generator) CheckFilter() loader.NodeFilter {
return crdgen.Generator{}.CheckFilter()
}
func (Generator) RegisterMarkers(into *markers.Registry) error {
return crdmarkers.Register(into)
}

90
vendor/sigs.k8s.io/controller-tools/pkg/webhook/parser.go generated vendored
View File

@@ -19,7 +19,7 @@ limitations under the License.
//
// The markers take the form:
//
// +kubebuilder:webhook:webhookVersions=<[]string>,failurePolicy=<string>,matchPolicy=<string>,groups=<[]string>,resources=<[]string>,verbs=<[]string>,versions=<[]string>,name=<string>,path=<string>,mutating=<bool>,sideEffects=<string>
// +kubebuilder:webhook:webhookVersions=<[]string>,failurePolicy=<string>,matchPolicy=<string>,groups=<[]string>,resources=<[]string>,verbs=<[]string>,versions=<[]string>,name=<string>,path=<string>,mutating=<bool>,sideEffects=<string>,admissionReviewVersions=<[]string>
package webhook
import (
@@ -107,6 +107,12 @@ type Config struct {
// WebhookVersions specifies the target API versions of the {Mutating,Validating}WebhookConfiguration objects
// itself to generate. Defaults to v1.
WebhookVersions []string `marker:"webhookVersions,optional"`
// AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
// versions the Webhook expects.
// For generating v1 {Mutating,Validating}WebhookConfiguration, this is mandatory.
// For generating v1beta1 {Mutating,Validating}WebhookConfiguration, this is optional, and default to v1beta1.
AdmissionReviewVersions []string `marker:"admissionReviewVersions,optional"`
}
// verbToAPIVariant converts a marker's verb to the proper value for the API.
@@ -140,15 +146,13 @@ func (c Config) ToMutatingWebhook() (admissionregv1.MutatingWebhook, error) {
}
return admissionregv1.MutatingWebhook{
Name: c.Name,
Rules: c.rules(),
FailurePolicy: c.failurePolicy(),
MatchPolicy: matchPolicy,
ClientConfig: c.clientConfig(),
SideEffects: c.sideEffects(),
// TODO(jiachengxu): AdmissionReviewVersions becomes required in admissionregistration/v1, here we default it
// to `v1` and `v1beta1`, and we should support to config the `AdmissionReviewVersions` as a marker.
AdmissionReviewVersions: []string{defaultWebhookVersion, "v1beta1"},
Name: c.Name,
Rules: c.rules(),
FailurePolicy: c.failurePolicy(),
MatchPolicy: matchPolicy,
ClientConfig: c.clientConfig(),
SideEffects: c.sideEffects(),
AdmissionReviewVersions: c.AdmissionReviewVersions,
}, nil
}
@@ -164,15 +168,13 @@ func (c Config) ToValidatingWebhook() (admissionregv1.ValidatingWebhook, error)
}
return admissionregv1.ValidatingWebhook{
Name: c.Name,
Rules: c.rules(),
FailurePolicy: c.failurePolicy(),
MatchPolicy: matchPolicy,
ClientConfig: c.clientConfig(),
SideEffects: c.sideEffects(),
// TODO(jiachengxu): AdmissionReviewVersions becomes required in admissionregistration/v1, here we default it
// to `v1` and `v1beta1`, and we should support to config the `AdmissionReviewVersions` as a marker.
AdmissionReviewVersions: []string{defaultWebhookVersion, "v1beta1"},
Name: c.Name,
Rules: c.rules(),
FailurePolicy: c.failurePolicy(),
MatchPolicy: matchPolicy,
ClientConfig: c.clientConfig(),
SideEffects: c.sideEffects(),
AdmissionReviewVersions: c.AdmissionReviewVersions,
}, nil
}
@@ -242,10 +244,6 @@ func (c Config) clientConfig() admissionregv1.WebhookClientConfig {
Namespace: "system",
Path: &path,
},
// OpenAPI marks the field as required before 1.13 because of a bug that got fixed in
// https://github.com/kubernetes/api/commit/e7d9121e9ffd63cea0288b36a82bcc87b073bd1b
// Put "\n" as an placeholder as a workaround til 1.13+ is almost everywhere.
CABundle: []byte("\n"),
}
}
@@ -344,29 +342,26 @@ func (Generator) Generate(ctx *genall.GenerationContext) error {
},
Webhooks: cfgs,
}
// SideEffects in required in admissionregistration/v1, if this is not set or set to `Some` or `Known`,
// we return an error
if version == defaultWebhookVersion {
for i := range objRaw.Webhooks {
// SideEffects is required in admissionregistration/v1, if this is not set or set to `Some` or `Known`,
// we return an error
if err := checkSideEffectsForV1(objRaw.Webhooks[i].SideEffects); err != nil {
return err
}
// AdmissionReviewVersions is required in admissionregistration/v1, if this is not set,
// we return an error
if len(objRaw.Webhooks[i].AdmissionReviewVersions) == 0 {
return fmt.Errorf("AdmissionReviewVersions is mandatory for v1 {Mutating,Validating}WebhookConfiguration")
}
}
}
// AdmissionReviewVersions is optional in admissionregistration/v1beta1, so let kubernetes to default it.
if version == "v1beta1" {
for i := range objRaw.Webhooks {
objRaw.Webhooks[i].AdmissionReviewVersions = nil
}
}
if version != defaultWebhookVersion {
versionedWebhooks[version] = append(versionedWebhooks[version], objRaw)
} else {
conv, err := MutatingWebhookConfigurationAsVersion(objRaw, schema.GroupVersion{Group: admissionregv1.SchemeGroupVersion.Group, Version: version})
versionedWebhooks[version] = append(versionedWebhooks[version], conv)
if err != nil {
return err
}
} else {
versionedWebhooks[version] = append(versionedWebhooks[version], objRaw)
versionedWebhooks[version] = append(versionedWebhooks[version], conv)
}
}
@@ -381,29 +376,26 @@ func (Generator) Generate(ctx *genall.GenerationContext) error {
},
Webhooks: cfgs,
}
// SideEffects in required in admissionregistration/v1, if this is not set or set to `Some` or `Known`,
// we return an error
if version == defaultWebhookVersion {
for i := range objRaw.Webhooks {
// SideEffects is required in admissionregistration/v1, if this is not set or set to `Some` or `Known`,
// we return an error
if err := checkSideEffectsForV1(objRaw.Webhooks[i].SideEffects); err != nil {
return err
}
// AdmissionReviewVersions is required in admissionregistration/v1, if this is not set,
// we return an error
if len(objRaw.Webhooks[i].AdmissionReviewVersions) == 0 {
return fmt.Errorf("AdmissionReviewVersions is mandatory for v1 {Mutating,Validating}WebhookConfiguration")
}
}
}
// AdmissionReviewVersions is optional in admissionregistration/v1beta1, so let kubernetes to default it.
if version == "v1beta1" {
for i := range objRaw.Webhooks {
objRaw.Webhooks[i].AdmissionReviewVersions = nil
}
}
if version != defaultWebhookVersion {
versionedWebhooks[version] = append(versionedWebhooks[version], objRaw)
} else {
conv, err := ValidatingWebhookConfigurationAsVersion(objRaw, schema.GroupVersion{Group: admissionregv1.SchemeGroupVersion.Group, Version: version})
versionedWebhooks[version] = append(versionedWebhooks[version], conv)
if err != nil {
return err
}
} else {
versionedWebhooks[version] = append(versionedWebhooks[version], objRaw)
versionedWebhooks[version] = append(versionedWebhooks[version], conv)
}
}
}

4
vendor/sigs.k8s.io/controller-tools/pkg/webhook/zz_generated.markerhelp.go generated vendored
View File

@@ -76,6 +76,10 @@ func (Config) Help() *markers.DefinitionHelp {
Summary: "specifies the target API versions of the {Mutating,Validating}WebhookConfiguration objects itself to generate. Defaults to v1.",
Details: "",
},
"AdmissionReviewVersions": markers.DetailedHelp{
Summary: "is an ordered list of preferred `AdmissionReview` versions the Webhook expects. For generating v1 {Mutating,Validating}WebhookConfiguration, this is mandatory. For generating v1beta1 {Mutating,Validating}WebhookConfiguration, this is optional, and default to v1beta1.",
Details: "",
},
},
}
}