update dependencies

Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
2020-12-22 16:48:26 +08:00
parent 4a11a50544
commit fe6c5de00f
2857 changed files with 252134 additions and 115656 deletions


@@ -16,11 +16,14 @@ syntax = "proto3";
import "google/api/field_behavior.proto";
import "networking/v1alpha3/gateway.proto";
import "networking/v1alpha3/virtual_service.proto";
import "networking/v1alpha3/destination_rule.proto";
// $schema: istio.networking.v1alpha3.Sidecar
// $title: Sidecar
// $description: Configuration affecting network reachability of a sidecar.
// $location: https://istio.io/docs/reference/config/networking/sidecar.html
// $aliases: [/docs/reference/config/networking/v1alpha3/sidecar.html]
// $aliases: [/docs/reference/config/networking/v1alpha3/sidecar]
// `Sidecar` describes the configuration of the sidecar proxy that mediates
// inbound and outbound communication to the workload instance it is attached to. By
@@ -43,23 +46,29 @@ import "networking/v1alpha3/gateway.proto";
// `workloadSelector` that selects this workload instance, over a `Sidecar` configuration
// without any `workloadSelector`.
//
// NOTE 1: *_Each namespace can have only one `Sidecar` configuration without any
// `workloadSelector`_*. The behavior of the system is undefined if more
// than one selector-less `Sidecar` configurations exist in a given namespace. The
// behavior of the system is undefined if two or more `Sidecar` configurations
// with a `workloadSelector` select the same workload instance.
// **NOTE 1**: *_Each namespace can have only one `Sidecar`
// configuration without any `workloadSelector`_ that specifies the
// default for all pods in that namespace*. It is recommended to use
// the name `default` for the namespace-wide sidecar. The behavior of
// the system is undefined if more than one selector-less `Sidecar`
// configurations exist in a given namespace. The behavior of the
// system is undefined if two or more `Sidecar` configurations with a
// `workloadSelector` select the same workload instance.
//
// NOTE 2: *_A `Sidecar` configuration in the `MeshConfig`
// **NOTE 2**: *_A `Sidecar` configuration in the `MeshConfig`
// [root namespace](https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig)
// will be applied by default to all namespaces without a `Sidecar`
// configuration_*. This global default `Sidecar` configuration should not have
// any `workloadSelector`.
//
// The example below declares a global default `Sidecar` configuration in the
// root namespace called `istio-config`, that configures sidecars in
// all namespaces to allow egress traffic only to other workloads in
// the same namespace, and to services in the `istio-system` namespace.
// The example below declares a global default `Sidecar` configuration
// in the root namespace called `istio-config`, that configures
// sidecars in all namespaces to allow egress traffic only to other
// workloads in the same namespace as well as to services in the
// `istio-system` namespace.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: Sidecar
@@ -71,14 +80,33 @@ import "networking/v1alpha3/gateway.proto";
// - hosts:
// - "./*"
// - "istio-system/*"
//```
// ```
// {{</tab>}}
//
// The example below declares a `Sidecar` configuration in the `prod-us1`
// namespace that overrides the global default defined above, and
// configures the sidecars in the namespace to allow egress traffic to
// public services in the `prod-us1`, `prod-apis`, and the `istio-system`
// namespaces.
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: Sidecar
// metadata:
// name: default
// namespace: istio-config
// spec:
// egress:
// - hosts:
// - "./*"
// - "istio-system/*"
// ```
// {{</tab>}}
// {{</tabset>}}
//
// The example below declares a `Sidecar` configuration in the
// `prod-us1` namespace that overrides the global default defined
// above, and configures the sidecars in the namespace to allow egress
// traffic to public services in the `prod-us1`, `prod-apis`, and the
// `istio-system` namespaces.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: Sidecar
@@ -92,21 +120,46 @@ import "networking/v1alpha3/gateway.proto";
// - "prod-apis/*"
// - "istio-system/*"
// ```
// {{</tab>}}
//
// The example below declares a `Sidecar` configuration in the `prod-us1` namespace
// that accepts inbound HTTP traffic on port 9080 and forwards
// it to the attached workload instance listening on a Unix domain socket. In the
// egress direction, in addition to the `istio-system` namespace, the sidecar
// proxies only HTTP traffic bound for port 9080 for services in the
// `prod-us1` namespace.
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// apiVersion: networking.istio.io/v1beta1
// kind: Sidecar
// metadata:
// name: default
// namespace: prod-us1
// spec:
// egress:
// - hosts:
// - "prod-us1/*"
// - "prod-apis/*"
// - "istio-system/*"
// ```
// {{</tab>}}
// {{</tabset>}}
//
// The following example declares a `Sidecar` configuration in the
// `prod-us1` namespace for all pods with labels `app: ratings`
// belonging to the `ratings.prod-us1` service. The workload accepts
// inbound HTTP traffic on port 9080. The traffic is then forwarded to
// the attached workload instance listening on a Unix domain
// socket. In the egress direction, in addition to the `istio-system`
// namespace, the sidecar proxies only HTTP traffic bound for port
// 9080 for services in the `prod-us1` namespace.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: Sidecar
// metadata:
// name: ratings
// namespace: prod-us1
// spec:
// workloadSelector:
// labels:
// app: ratings
// ingress:
// - port:
// number: 9080
@@ -123,20 +176,55 @@ import "networking/v1alpha3/gateway.proto";
// - hosts:
// - "istio-system/*"
// ```
// {{</tab>}}
//
// If the workload is deployed without IPTables-based traffic capture, the
// `Sidecar` configuration is the only way to configure the ports on the proxy
// attached to the workload instance. The following example declares a `Sidecar`
// configuration in the `prod-us1` namespace for all pods with labels
// `app: productpage` belonging to the `productpage.prod-us1` service. Assuming
// that these pods are deployed without IPtable rules (i.e. the `istio-init`
// container) and the proxy metadata `ISTIO_META_INTERCEPTION_MODE` is set to
// `NONE`, the specification, below, allows such pods to receive HTTP traffic
// on port 9080 and forward it to the application listening on
// `127.0.0.1:8080`. It also allows the application to communicate with a
// backing MySQL database on `127.0.0.1:3306`, that then gets proxied to the
// externally hosted MySQL service at `mysql.foo.com:3306`.
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: Sidecar
// metadata:
// name: ratings
// namespace: prod-us1
// spec:
// workloadSelector:
// labels:
// app: ratings
// ingress:
// - port:
// number: 9080
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
// protocol: HTTP
// name: egresshttp
// hosts:
// - "prod-us1/*"
// - hosts:
// - "istio-system/*"
// ```
// {{</tab>}}
// {{</tabset>}}
//
// If the workload is deployed without IPTables-based traffic capture,
// the `Sidecar` configuration is the only way to configure the ports
// on the proxy attached to the workload instance. The following
// example declares a `Sidecar` configuration in the `prod-us1`
// namespace for all pods with labels `app: productpage` belonging to
// the `productpage.prod-us1` service. Assuming that these pods are
// deployed without IPtable rules (i.e. the `istio-init` container)
// and the proxy metadata `ISTIO_META_INTERCEPTION_MODE` is set to
// `NONE`, the specification, below, allows such pods to receive HTTP
// traffic on port 9080 (wrapped inside Istio mutual TLS) and forward
// it to the application listening on `127.0.0.1:8080`. It also allows
// the application to communicate with a backing MySQL database on
// `127.0.0.1:3306`, that then gets proxied to the externally hosted
// MySQL service at `mysql.foo.com:3306`.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: Sidecar
@@ -164,9 +252,43 @@ import "networking/v1alpha3/gateway.proto";
// hosts:
// - "*/mysql.foo.com"
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: Sidecar
// metadata:
// name: no-ip-tables
// namespace: prod-us1
// spec:
// workloadSelector:
// labels:
// app: productpage
// ingress:
// - port:
// number: 9080 # binds to proxy_instance_ip:9080 (0.0.0.0:9080, if no unicast IP is available for the instance)
// protocol: HTTP
// name: somename
// defaultEndpoint: 127.0.0.1:8080
// captureMode: NONE # not needed if metadata is set for entire proxy
// egress:
// - port:
// number: 3306
// protocol: MYSQL
// name: egressmysql
// captureMode: NONE # not needed if metadata is set for entire proxy
// bind: 127.0.0.1
// hosts:
// - "*/mysql.foo.com"
// ```
// {{</tab>}}
// {{</tabset>}}
//
// And the associated service entry for routing to `mysql.foo.com:3306`
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
@@ -183,6 +305,27 @@ import "networking/v1alpha3/gateway.proto";
// location: MESH_EXTERNAL
// resolution: DNS
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: ServiceEntry
// metadata:
// name: external-svc-mysql
// namespace: ns1
// spec:
// hosts:
// - mysql.foo.com
// ports:
// - number: 3306
// name: mysql
// protocol: MYSQL
// location: MESH_EXTERNAL
// resolution: DNS
// ```
// {{</tab>}}
// {{</tabset>}}
//
// It is also possible to mix and match traffic capture modes in a single
// proxy. For example, consider a setup where internal services are on the
@@ -191,11 +334,14 @@ import "networking/v1alpha3/gateway.proto";
// additional network interface on `172.16.0.0/16` subnet for inbound
// traffic. The following `Sidecar` configuration allows the VM to expose a
// listener on `172.16.1.32:80` (the VM's IP) for traffic arriving from the
// `172.16.0.0/16` subnet. Note that in this scenario, the
// `ISTIO_META_INTERCEPTION_MODE` metadata on the proxy in the VM should
// contain `REDIRECT` or `TPROXY` as its value, implying that IP tables
// based traffic capture is active.
// `172.16.0.0/16` subnet.
//
// **NOTE**: The `ISTIO_META_INTERCEPTION_MODE` metadata on the
// proxy in the VM should contain `REDIRECT` or `TPROXY` as its value,
// implying that IP tables based traffic capture is active.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: Sidecar
@@ -223,6 +369,38 @@ import "networking/v1alpha3/gateway.proto";
// hosts:
// - "*/*"
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: Sidecar
// metadata:
// name: partial-ip-tables
// namespace: prod-us1
// spec:
// workloadSelector:
// labels:
// app: productpage
// ingress:
// - bind: 172.16.1.32
// port:
// number: 80 # binds to 172.16.1.32:80
// protocol: HTTP
// name: somename
// defaultEndpoint: 127.0.0.1:8080
// captureMode: NONE
// egress:
// # use the system detected defaults
// # sets up configuration to handle outbound traffic to services
// # in 192.168.0.0/16 subnet, based on information provided by the
// # service registry
// - captureMode: IPTABLES
// hosts:
// - "*/*"
// ```
// {{</tab>}}
// {{</tabset>}}
//
package istio.networking.v1alpha3;
@@ -232,6 +410,18 @@ option go_package = "istio.io/api/networking/v1alpha3";
// inbound and outbound communication of the workload instance to which it is
// attached.
//
// <!-- crd generation tags
// +cue-gen:Sidecar:groupName:networking.istio.io
// +cue-gen:Sidecar:version:v1alpha3
// +cue-gen:Sidecar:storageVersion
// +cue-gen:Sidecar:annotations:helm.sh/resource-policy=keep
// +cue-gen:Sidecar:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:Sidecar:subresource:status
// +cue-gen:Sidecar:scope:Namespaced
// +cue-gen:Sidecar:resource:categories=istio-io,networking-istio-io
// +cue-gen:Sidecar:preserveUnknownFields:false
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=networking.istio.io/v1alpha3
@@ -253,16 +443,28 @@ message Sidecar {
repeated IstioIngressListener ingress = 2;
// Egress specifies the configuration of the sidecar for processing
// outbound traffic from the attached workload instance to other services in the
// mesh.
repeated IstioEgressListener egress = 3 [(google.api.field_behavior) = REQUIRED];
// outbound traffic from the attached workload instance to other
// services in the mesh. If not specified, inherits the system
// detected defaults from the namespace-wide or the global default Sidecar.
repeated IstioEgressListener egress = 3;
// This allows to configure the outbound traffic policy.
// If your application uses one or more external
// services that are not known apriori, setting the policy to `ALLOW_ANY`
// will cause the sidecars to route any unknown traffic originating from
// the application to its requested destination.
// Configuration for the outbound traffic policy. If your
// application uses one or more external services that are not known
// apriori, setting the policy to `ALLOW_ANY` will cause the
// sidecars to route any unknown traffic originating from the
// application to its requested destination. If not specified,
// inherits the system detected defaults from the namespace-wide or
// the global default Sidecar.
OutboundTrafficPolicy outbound_traffic_policy = 4;
// $hide_from_docs
// `Localhost` describes the sidecar settings related to the
// communication between the sidecar and the workload it is attached to
// in a Kubernetes Pod or a VM. These settings apply to all ingress
// and egress listeners in a sidecar unless overridden. There are no
// built in defaults for this setting. If not specified, the
// features will be disabled.
Localhost localhost = 6;
}
// `IstioIngressListener` specifies the properties of an inbound
@@ -289,6 +491,14 @@ message IstioIngressListener {
// or Unix domain socket where the application workload instance is listening for
// connections. Format should be `127.0.0.1:PORT` or `unix:///path/to/socket`
string default_endpoint = 4 [(google.api.field_behavior) = REQUIRED];
// $hide_from_docs
// TLS settings to be used by the sidecar (client) when forwarding
// traffic from the sidecar to the workload (server) on the
// localhost. Overrides the `localhost` level `clientTls` settings.
//
// **NOTE**: DISABLE, SIMPLE and MUTUAL are the only valid TLS modes.
ClientTLSSettings localhost_client_tls = 6;
}
// `IstioEgressListener` specifies the properties of an outbound traffic
@@ -356,18 +566,32 @@ message IstioEgressListener {
// `istio-system` namespace. This requirement is temporary and will be removed
// in a future Istio release.
repeated string hosts = 4 [(google.api.field_behavior) = REQUIRED];
// $hide_from_docs
// TLS settings to be used by the sidecar (server) when receiving
// traffic from the workload (client) on the
// localhost. Overrides the `localhost` level `serverTls` settings.
//
// **NOTE**: SIMPLE and MUTUAL are the only valid TLS
// modes. `httpsRedirect` and `credentialName` (for fetching
// certificates from Kubernetes secrets) are not valid. All
// certificates must be mounted as files inside the sidecar
// container.
ServerTLSSettings localhost_server_tls = 5;
}
// `WorkloadSelector` specifies the criteria used to determine if the `Gateway`,
// `Sidecar`, or `EnvoyFilter` configuration can be applied to a proxy. The matching criteria
// includes the metadata associated with a proxy, workload instance info such as
// labels attached to the pod/VM, or any other info that the proxy provides
// to Istio during the initial handshake. If multiple conditions are
// specified, all conditions need to match in order for the workload instance to be
// selected. Currently, only label based selection mechanism is supported.
// `WorkloadSelector` specifies the criteria used to determine if the
// `Gateway`, `Sidecar`, or `EnvoyFilter` or `ServiceEntry`
// configuration can be applied to a proxy. The matching criteria
// includes the metadata associated with a proxy, workload instance
// info such as labels attached to the pod/VM, or any other info that
// the proxy provides to Istio during the initial handshake. If
// multiple conditions are specified, all conditions need to match in
// order for the workload instance to be selected. Currently, only
// label based selection mechanism is supported.
message WorkloadSelector {
// One or more labels that indicate a specific set of pods/VMs
// on which this `Sidecar` configuration should be applied. The scope of
// on which the configuration should be applied. The scope of
// label search is restricted to the configuration namespace in which the
// the resource is present.
map<string, string> labels = 1 [(google.api.field_behavior) = REQUIRED];
@@ -397,6 +621,22 @@ message OutboundTrafficPolicy {
ALLOW_ANY = 1;
}
Mode mode = 1;
// Specifies the details of the egress proxy to which unknown
// traffic should be forwarded to from the sidecar. Valid only if
// the mode is set to ALLOW_ANY. If not specified when the mode is
// ALLOW_ANY, the sidecar will send the unknown traffic directly to
// the IP requested by the application.
//
// ** NOTE 1**: The specified egress host must be imported in the
// egress section for the traffic forwarding to work.
//
// ** NOTE 2**: An Envoy based egress gateway is unlikely to be able
// to handle plain text TCP connections forwarded from the sidecar.
// Envoy's dynamic forward proxy can handle only HTTP and TLS
// connections.
// $hide_from_docs
istio.networking.v1alpha3.Destination egress_proxy = 2;
}
@@ -416,3 +656,85 @@ enum CaptureMode {
// the host.
NONE = 2;
}
// $hide_from_docs
// `Localhost` describes the sidecar settings related to the
// communication between the sidecar and the workload it is attached
// to in a Kubernetes Pod or a VM. These settings apply by default to all
// ingress and egress listeners in a sidecar unless overridden.
//
// The following example configures the sidecars on pods of the
// reviews service to use TLS for traffic to/from the sidecar to the
// workload in the same pod, assuming the appropriate
// certificates are mounted in the sidecar.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: Sidecar
// metadata:
// name: reviews-localhost-tls
// namespace: prod-us1
// spec:
// workloadSelector:
// labels:
// app: reviews
// localhost:
// clientTls:
// mode: SIMPLE
// caCertificates: /etc/legacy/ca.pem
// serverTls:
// mode: SIMPLE
// serverCertificate: /etc/legacy/server.pem
// privateKey: /etc/legacy/private.pem
// egress:
// - hosts:
// - "./"
// ```
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: Sidecar
// metadata:
// name: reviews-localhost-tls
// namespace: prod-us1
// spec:
// workloadSelector:
// labels:
// app: reviews
// localhost:
// clientTls:
// mode: SIMPLE
// caCertificates: /etc/legacy/ca.pem
// serverTls:
// mode: SIMPLE
// serverCertificate: /etc/legacy/server.pem
// privateKey: /etc/legacy/private.pem
// egress:
// - hosts:
// - "./"
// ```
// {{</tab>}}
// {{</tabset>}}
//
message Localhost {
// TLS settings to be used by the sidecar (client) when forwarding
// traffic from the sidecar to the workload it is attached to
// (server) on the localhost.
//
// **NOTE**: DISABLE, SIMPLE and MUTUAL are the only valid TLS modes.
ClientTLSSettings client_tls = 1;
// TLS settings to be used by the sidecar (server) when receiving
// traffic from the workload (client) on the localhost.
//
// **NOTE**: SIMPLE and MUTUAL are the only valid TLS
// modes. `httpsRedirect` and `credentialName` (for fetching
// certificates from Kubernetes secrets) are not valid. All
// certificates must be mounted as files inside the sidecar
// container.
ServerTLSSettings server_tls = 2;
}