admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update dependencies

Browse Source 
Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
2020-12-22 16:48:26 +08:00
parent 4a11a50544
commit fe6c5de00f
2857 changed files with 252134 additions and 115656 deletions
Download Patch File Download Diff File Expand all files Collapse all files

491
vendor/istio.io/api/networking/v1alpha3/gateway.proto generated vendored
View File

@@ -16,10 +16,11 @@ syntax = "proto3";
import "google/api/field_behavior.proto";
// $schema: istio.networking.v1alpha3.Gateway
// $title: Gateway
// $description: Configuration affecting edge load balancer.
// $location: https://istio.io/docs/reference/config/networking/gateway.html
// $aliases: [/docs/reference/config/networking/v1alpha3/gateway.html]
// $aliases: [/docs/reference/config/networking/v1alpha3/gateway]
// `Gateway` describes a load balancer operating at the edge of the mesh
// receiving incoming or outgoing HTTP/TCP connections. The specification
@@ -34,6 +35,8 @@ import "google/api/field_behavior.proto";
// on these ports, it is the responsibility of the user to ensure that
// external traffic to these ports are allowed into the mesh.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: Gateway
@@ -86,6 +89,63 @@ import "google/api/field_behavior.proto";
// hosts:
// - "*"
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: Gateway
// metadata:
// name: my-gateway
// namespace: some-config-namespace
// spec:
// selector:
// app: my-gateway-controller
// servers:
// - port:
// number: 80
// name: http
// protocol: HTTP
// hosts:
// - uk.bookinfo.com
// - eu.bookinfo.com
// tls:
// httpsRedirect: true # sends 301 redirect for http requests
// - port:
// number: 443
// name: https-443
// protocol: HTTPS
// hosts:
// - uk.bookinfo.com
// - eu.bookinfo.com
// tls:
// mode: SIMPLE # enables HTTPS on this port
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// - port:
// number: 9443
// name: https-9443
// protocol: HTTPS
// hosts:
// - "bookinfo-namespace/*.bookinfo.com"
// tls:
// mode: SIMPLE # enables HTTPS on this port
// credentialName: bookinfo-secret # fetches certs from Kubernetes secret
// - port:
// number: 9080
// name: http-wildcard
// protocol: HTTP
// hosts:
// - "*"
// - port:
// number: 2379 # to expose internal service via external port 2379
// name: mongo
// protocol: MONGO
// hosts:
// - "*"
// ```
// {{</tab>}}
// {{</tabset>}}
//
// The Gateway specification above describes the L4-L6 properties of a load
// balancer. A `VirtualService` can then be bound to a gateway to control
@@ -102,6 +162,8 @@ import "google/api/field_behavior.proto";
// applicable across ports 443, 9080. Note that `http://uk.bookinfo.com`
// gets redirected to `https://uk.bookinfo.com` (i.e. 80 redirects to 443).
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: VirtualService
@@ -139,12 +201,56 @@ import "google/api/field_behavior.proto";
// host: reviews.qa.svc.cluster.local
// weight: 20
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: VirtualService
// metadata:
// name: bookinfo-rule
// namespace: bookinfo-namespace
// spec:
// hosts:
// - reviews.prod.svc.cluster.local
// - uk.bookinfo.com
// - eu.bookinfo.com
// gateways:
// - some-config-namespace/my-gateway
// - mesh # applies to all the sidecars in the mesh
// http:
// - match:
// - headers:
// cookie:
// exact: "user=dev-123"
// route:
// - destination:
// port:
// number: 7777
// host: reviews.qa.svc.cluster.local
// - match:
// - uri:
// prefix: /reviews/
// route:
// - destination:
// port:
// number: 9080 # can be omitted if it's the only port for reviews
// host: reviews.prod.svc.cluster.local
// weight: 80
// - destination:
// host: reviews.qa.svc.cluster.local
// weight: 20
// ```
// {{</tab>}}
// {{</tabset>}}
//
// The following VirtualService forwards traffic arriving at (external)
// port 27017 to internal Mongo server on port 5555. This rule is not
// applicable internally in the mesh as the gateway list omits the
// reserved name `mesh`.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: VirtualService
@@ -166,6 +272,32 @@ import "google/api/field_behavior.proto";
// port:
// number: 5555
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: VirtualService
// metadata:
// name: bookinfo-Mongo
// namespace: bookinfo-namespace
// spec:
// hosts:
// - mongosvr.prod.svc.cluster.local # name of internal Mongo service
// gateways:
// - some-config-namespace/my-gateway # can omit the namespace if gateway is in same
// namespace as virtual service.
// tcp:
// - match:
// - port: 27017
// route:
// - destination:
// host: mongo.prod.svc.cluster.local
// port:
// number: 5555
// ```
// {{</tab>}}
// {{</tabset>}}
//
// It is possible to restrict the set of virtual services that can bind to
// a gateway server using the namespace/hostname syntax in the hosts field.
@@ -173,6 +305,8 @@ import "google/api/field_behavior.proto";
// namespace to bind to it, while restricting only the virtual service with
// foo.bar.com host in the ns2 namespace to bind to it.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: Gateway
@@ -191,6 +325,29 @@ import "google/api/field_behavior.proto";
// - "ns1/*"
// - "ns2/foo.bar.com"
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: Gateway
// metadata:
// name: my-gateway
// namespace: some-config-namespace
// spec:
// selector:
// app: my-gateway-controller
// servers:
// - port:
// number: 80
// name: http
// protocol: HTTP
// hosts:
// - "ns1/*"
// - "ns2/foo.bar.com"
// ```
// {{</tab>}}
// {{</tabset>}}
//
package istio.networking.v1alpha3;
@@ -199,6 +356,18 @@ option go_package = "istio.io/api/networking/v1alpha3";
// Gateway describes a load balancer operating at the edge of the mesh
// receiving incoming or outgoing HTTP/TCP connections.
//
// <!-- crd generation tags
// +cue-gen:Gateway:groupName:networking.istio.io
// +cue-gen:Gateway:version:v1alpha3
// +cue-gen:Gateway:storageVersion
// +cue-gen:Gateway:annotations:helm.sh/resource-policy=keep
// +cue-gen:Gateway:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:Gateway:subresource:status
// +cue-gen:Gateway:scope:Namespaced
// +cue-gen:Gateway:resource:categories=istio-io,networking-istio-io,shortNames=gw
// +cue-gen:Gateway:preserveUnknownFields:false
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=networking.istio.io/v1alpha3
@@ -220,6 +389,8 @@ message Gateway {
// `Server` describes the properties of the proxy on a given load balancer
// port. For example,
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: Gateway
@@ -236,9 +407,32 @@ message Gateway {
// hosts:
// - "*"
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: Gateway
// metadata:
// name: my-ingress
// spec:
// selector:
// app: my-ingress-gateway
// servers:
// - port:
// number: 80
// name: http2
// protocol: HTTP2
// hosts:
// - "*"
// ```
// {{</tab>}}
// {{</tabset>}}
//
// Another example
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: Gateway
@@ -255,9 +449,32 @@ message Gateway {
// hosts:
// - "*"
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: Gateway
// metadata:
// name: my-tcp-ingress
// spec:
// selector:
// app: my-tcp-ingress-gateway
// servers:
// - port:
// number: 27018
// name: mongo
// protocol: MONGO
// hosts:
// - "*"
// ```
// {{</tab>}}
// {{</tabset>}}
//
// The following is an example of TLS configuration for port 443
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: Gateway
@@ -278,6 +495,32 @@ message Gateway {
// serverCertificate: /etc/certs/server.pem
// privateKey: /etc/certs/privatekey.pem
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: Gateway
// metadata:
// name: my-tls-ingress
// spec:
// selector:
// app: my-tls-ingress-gateway
// servers:
// - port:
// number: 443
// name: https
// protocol: HTTPS
// hosts:
// - "*"
// tls:
// mode: SIMPLE
// serverCertificate: /etc/certs/server.pem
// privateKey: /etc/certs/privatekey.pem
// ```
// {{</tab>}}
// {{</tabset>}}
//
message Server {
// The Port on which the proxy should listen for incoming
// connections.
@@ -321,138 +564,16 @@ message Server {
// `DestinationRule`, and `ServiceEntry` configurations for details.
repeated string hosts = 2 [(google.api.field_behavior) = REQUIRED];
message TLSOptions {
// If set to true, the load balancer will send a 301 redirect for all
// http connections, asking the clients to use HTTPS.
bool https_redirect = 1;
// TLS modes enforced by the proxy
enum TLSmode {
// The SNI string presented by the client will be used as the match
// criterion in a VirtualService TLS route to determine the
// destination service from the service registry.
PASSTHROUGH = 0;
// Secure connections with standard TLS semantics.
SIMPLE = 1;
// Secure connections to the downstream using mutual TLS by presenting
// server certificates for authentication.
MUTUAL = 2;
// Similar to the passthrough mode, except servers with this TLS mode
// do not require an associated VirtualService to map from the SNI
// value to service in the registry. The destination details such as
// the service/subset/port are encoded in the SNI value. The proxy
// will forward to the upstream (Envoy) cluster (a group of
// endpoints) specified by the SNI value. This server is typically
// used to provide connectivity between services in disparate L3
// networks that otherwise do not have direct connectivity between
// their respective endpoints. Use of this mode assumes that both the
// source and the destination are using Istio mTLS to secure traffic.
AUTO_PASSTHROUGH = 3;
// Secure connections from the downstream using mutual TLS by presenting
// server certificates for authentication.
// Compared to Mutual mode, this mode uses certificates, representing
// gateway workload identity, generated automatically by Istio for
// mTLS authentication. When this mode is used, all other fields in
// `TLSOptions` should be empty.
ISTIO_MUTUAL = 4;
};
// Optional: Indicates whether connections to this port should be
// secured using TLS. The value of this field determines how TLS is
// enforced.
TLSmode mode = 2;
// REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
// holding the server-side TLS certificate to use.
string server_certificate = 3;
// REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
// holding the server's private key.
string private_key = 4;
// REQUIRED if mode is `MUTUAL`. The path to a file containing
// certificate authority certificates to use in verifying a presented
// client side certificate.
string ca_certificates = 5;
// The credentialName stands for a unique identifier that can be used
// to identify the serverCertificate and the privateKey. The
// credentialName appended with suffix "-cacert" is used to identify
// the CaCertificates associated with this server. Gateway workloads
// capable of fetching credentials from a remote credential store such
// as Kubernetes secrets, will be configured to retrieve the
// serverCertificate and the privateKey using credentialName, instead
// of using the file system paths specified above. If using mutual TLS,
// gateway workload instances will retrieve the CaCertificates using
// credentialName-cacert. The semantics of the name are platform
// dependent. In Kubernetes, the default Istio supplied credential
// server expects the credentialName to match the name of the
// Kubernetes secret that holds the server certificate, the private
// key, and the CA certificate (if using mutual TLS). Set the
// `ISTIO_META_USER_SDS` metadata variable in the gateway's proxy to
// enable the dynamic credential fetching feature.
string credential_name = 10;
// A list of alternate names to verify the subject identity in the
// certificate presented by the client.
repeated string subject_alt_names = 6;
// An optional list of base64-encoded SHA-256 hashes of the SKPIs of
// authorized client certificates.
// Note: When both verify_certificate_hash and verify_certificate_spki
// are specified, a hash matching either value will result in the
// certificate being accepted.
repeated string verify_certificate_spki = 11;
// An optional list of hex-encoded SHA-256 hashes of the
// authorized client certificates. Both simple and colon separated
// formats are acceptable.
// Note: When both verify_certificate_hash and verify_certificate_spki
// are specified, a hash matching either value will result in the
// certificate being accepted.
repeated string verify_certificate_hash = 12;
// TLS protocol versions.
enum TLSProtocol {
// Automatically choose the optimal TLS version.
TLS_AUTO = 0;
// TLS version 1.0
TLSV1_0 = 1;
// TLS version 1.1
TLSV1_1 = 2;
// TLS version 1.2
TLSV1_2 = 3;
// TLS version 1.3
TLSV1_3 = 4;
}
// Optional: Minimum TLS protocol version.
TLSProtocol min_protocol_version = 7;
// Optional: Maximum TLS protocol version.
TLSProtocol max_protocol_version = 8;
// Optional: If specified, only support the specified cipher list.
// Otherwise default to the default cipher list supported by Envoy.
repeated string cipher_suites = 9;
}
// Set of TLS related options that govern the server's behavior. Use
// these options to control if all http requests should be redirected to
// https, and the TLS modes to use.
TLSOptions tls = 3;
ServerTLSSettings tls = 3;
// The loopback IP endpoint or Unix domain socket to which traffic should
// be forwarded to by default. Format should be `127.0.0.1:PORT` or
// `unix:///path/to/socket` or `unix://@foobar` (Linux abstract namespace).
// NOT IMPLEMENTED.
// $hide_from_docs
string default_endpoint = 5;
}
@@ -468,5 +589,121 @@ message Port {
string protocol = 2 [(google.api.field_behavior) = REQUIRED];
// Label assigned to the port.
string name = 3;
string name = 3 [(google.api.field_behavior) = REQUIRED];
}
message ServerTLSSettings {
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS.
bool https_redirect = 1;
// TLS modes enforced by the proxy
enum TLSmode {
// The SNI string presented by the client will be used as the
// match criterion in a VirtualService TLS route to determine
// the destination service from the service registry.
PASSTHROUGH = 0;
// Secure connections with standard TLS semantics.
SIMPLE = 1;
// Secure connections to the downstream using mutual TLS by
// presenting server certificates for authentication.
MUTUAL = 2;
// Similar to the passthrough mode, except servers with this TLS
// mode do not require an associated VirtualService to map from
// the SNI value to service in the registry. The destination
// details such as the service/subset/port are encoded in the
// SNI value. The proxy will forward to the upstream (Envoy)
// cluster (a group of endpoints) specified by the SNI
// value. This server is typically used to provide connectivity
// between services in disparate L3 networks that otherwise do
// not have direct connectivity between their respective
// endpoints. Use of this mode assumes that both the source and
// the destination are using Istio mTLS to secure traffic.
AUTO_PASSTHROUGH = 3;
// Secure connections from the downstream using mutual TLS by
// presenting server certificates for authentication. Compared
// to Mutual mode, this mode uses certificates, representing
// gateway workload identity, generated automatically by Istio
// for mTLS authentication. When this mode is used, all other
// fields in `TLSOptions` should be empty.
ISTIO_MUTUAL = 4;
};
// Optional: Indicates whether connections to this port should be
// secured using TLS. The value of this field determines how TLS is
// enforced.
TLSmode mode = 2;
// REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
// holding the server-side TLS certificate to use.
string server_certificate = 3;
// REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
// holding the server's private key.
string private_key = 4;
// REQUIRED if mode is `MUTUAL`. The path to a file containing
// certificate authority certificates to use in verifying a presented
// client side certificate.
string ca_certificates = 5;
// For gateways running on Kubernetes, the name of the secret that
// holds the TLS certs including the CA certificates. Applicable
// only on Kubernetes, and only if the dynamic credential fetching
// feature is enabled in the proxy by setting
// `ISTIO_META_USER_SDS` metadata variable. The secret (of type
// `generic`) should contain the following keys and values: `key:
// <privateKey>`, `cert: <serverCert>`, `cacert: <CACertificate>`.
string credential_name = 10;
// A list of alternate names to verify the subject identity in the
// certificate presented by the client.
repeated string subject_alt_names = 6;
// An optional list of base64-encoded SHA-256 hashes of the SKPIs of
// authorized client certificates.
// Note: When both verify_certificate_hash and verify_certificate_spki
// are specified, a hash matching either value will result in the
// certificate being accepted.
repeated string verify_certificate_spki = 11;
// An optional list of hex-encoded SHA-256 hashes of the
// authorized client certificates. Both simple and colon separated
// formats are acceptable.
// Note: When both verify_certificate_hash and verify_certificate_spki
// are specified, a hash matching either value will result in the
// certificate being accepted.
repeated string verify_certificate_hash = 12;
// TLS protocol versions.
enum TLSProtocol {
// Automatically choose the optimal TLS version.
TLS_AUTO = 0;
// TLS version 1.0
TLSV1_0 = 1;
// TLS version 1.1
TLSV1_1 = 2;
// TLS version 1.2
TLSV1_2 = 3;
// TLS version 1.3
TLSV1_3 = 4;
}
// Optional: Minimum TLS protocol version.
TLSProtocol min_protocol_version = 7;
// Optional: Maximum TLS protocol version.
TLSProtocol max_protocol_version = 8;
// Optional: If specified, only support the specified cipher list.
// Otherwise default to the default cipher list supported by Envoy.
repeated string cipher_suites = 9;
}