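# Generated by controller-tools (see the controller-tools.k8s.io label below);
# regenerate rather than hand-edit. Layout restored to the generator's
# two-space style so the document parses again.
# NOTE(review): apiextensions.k8s.io/v1beta1 is deprecated and is no longer
# served from Kubernetes 1.22 onwards. Under v1beta1 unknown fields in a
# DestinationRule are stored as-is unless spec.preserveUnknownFields is set
# to false; apiextensions.k8s.io/v1 moves the schema under
# spec.versions[].schema and prunes unknown fields by default.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  labels:
    controller-tools.k8s.io: "1.0"
  name: destinationrules.istio.kubesphere.io
spec:
  group: istio.kubesphere.io
  names:
    kind: DestinationRule
    plural: destinationrules
  scope: Namespaced
  validation:
    openAPIV3Schema:
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          properties:
            host:
              description: 'REQUIRED. The name of a service from the service registry.
                Service names are looked up from the platform''s service registry
                (e.g., Kubernetes services, Consul services, etc.) and from the hosts
                declared by [ServiceEntries](#ServiceEntry). Rules defined for services
                that do not exist in the service registry will be ignored. *Note
                for Kubernetes users*: When short names are used (e.g. "reviews" instead
                of "reviews.default.svc.cluster.local"), Istio will interpret the
                short name based on the namespace of the rule, not the service. A
                rule in the "default" namespace containing a host "reviews will be
                interpreted as "reviews.default.svc.cluster.local", irrespective of
                the actual namespace associated with the reviews service. _To avoid
                potential misconfigurations, it is recommended to always use fully
                qualified domain names over short names._ Note that the host field
                applies to both HTTP and TCP services.'
              type: string
            subsets:
              description: One or more named sets that represent individual versions
                of a service. Traffic policies can be overridden at subset level.
              items:
                properties:
                  labels:
                    description: REQUIRED. Labels apply a filter over the endpoints
                      of a service in the service registry. See route rules for examples
                      of usage.
                    type: object
                  name:
                    description: REQUIRED. Name of the subset. The service name and
                      the subset name can be used for traffic splitting in a route
                      rule.
                    type: string
                  trafficPolicy:
                    description: Traffic policies that apply to this subset. Subsets
                      inherit the traffic policies specified at the DestinationRule
                      level. Settings specified at the subset level will override
                      the corresponding settings specified at the DestinationRule
                      level.
                    properties:
                      connectionPool:
                        description: Settings controlling the volume of connections
                          to an upstream service
                        properties:
                          http:
                            description: HTTP connection pool settings.
                            properties:
                              maxRequestsPerConnection:
                                description: Maximum number of requests per connection
                                  to a backend. Setting this parameter to 1 disables
                                  keep alive.
                                format: int32
                                type: integer
                              maxRetries:
                                description: Maximum number of retries that can be
                                  outstanding to all hosts in a cluster at a given
                                  time. Defaults to 3.
                                format: int32
                                type: integer
                            type: object
                          tcp:
                            description: Settings common to both HTTP and TCP upstream
                              connections.
                            properties:
                              connectTimeout:
                                description: TCP connection timeout.
                                type: string
                              maxConnections:
                                description: Maximum number of HTTP1 /TCP connections
                                  to a destination host.
                                format: int32
                                type: integer
                            type: object
                        type: object
                      loadBalancer:
                        description: Settings controlling the load balancer algorithms.
                        properties:
                          consistentHash:
                            properties:
                              httpCookie:
                                description: Hash based on HTTP cookie.
                                properties:
                                  name:
                                    description: REQUIRED. Name of the cookie.
                                    type: string
                                  path:
                                    description: Path to set for the cookie.
                                    type: string
                                  ttl:
                                    description: REQUIRED. Lifetime of the cookie.
                                    type: string
                                required:
                                - name
                                - ttl
                                type: object
                              httpHeaderName:
                                description: 'It is required to specify exactly one
                                  of the fields as hash key: HttpHeaderName, HttpCookie,
                                  or UseSourceIP. Hash based on a specific HTTP header.'
                                type: string
                              minimumRingSize:
                                description: The minimum number of virtual nodes to
                                  use for the hash ring. Defaults to 1024. Larger
                                  ring sizes result in more granular load distributions.
                                  If the number of hosts in the load balancing pool
                                  is larger than the ring size, each host will be
                                  assigned a single virtual node.
                                format: int64
                                type: integer
                              useSourceIp:
                                description: Hash based on the source IP address.
                                type: boolean
                            type: object
                          simple:
                            description: 'It is required to specify exactly one of
                              the fields: Simple or ConsistentHash'
                            type: string
                        type: object
                      outlierDetection:
                        description: Settings controlling eviction of unhealthy hosts
                          from the load balancing pool
                        properties:
                          baseEjectionTime:
                            description: 'Minimum ejection duration. A host will remain
                              ejected for a period equal to the product of minimum
                              ejection duration and the number of times the host has
                              been ejected. This technique allows the system to automatically
                              increase the ejection period for unhealthy upstream
                              servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default
                              is 30s.'
                            type: string
                          consecutiveErrors:
                            description: Number of errors before a host is ejected
                              from the connection pool. Defaults to 5. When the upstream
                              host is accessed over HTTP, a 5xx return code qualifies
                              as an error. When the upstream host is accessed over
                              an opaque TCP connection, connect timeouts and connection
                              error/failure events qualify as an error.
                            format: int32
                            type: integer
                          interval:
                            description: 'Time interval between ejection sweep analysis.
                              format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
                            type: string
                          maxEjectionPercent:
                            description: Maximum % of hosts in the load balancing
                              pool for the upstream service that can be ejected. Defaults
                              to 10%.
                            format: int32
                            type: integer
                        type: object
                      portLevelSettings:
                        description: Traffic policies specific to individual ports.
                          Note that port level settings will override the destination-level
                          settings. Traffic settings specified at the destination-level
                          will not be inherited when overridden by port-level settings,
                          i.e. default values will be applied to fields omitted in
                          port-level traffic policies.
                        items:
                          properties:
                            connectionPool:
                              description: Settings controlling the volume of connections
                                to an upstream service
                              properties:
                                http:
                                  description: HTTP connection pool settings.
                                  properties:
                                    maxRequestsPerConnection:
                                      description: Maximum number of requests per
                                        connection to a backend. Setting this parameter
                                        to 1 disables keep alive.
                                      format: int32
                                      type: integer
                                    maxRetries:
                                      description: Maximum number of retries that
                                        can be outstanding to all hosts in a cluster
                                        at a given time. Defaults to 3.
                                      format: int32
                                      type: integer
                                  type: object
                                tcp:
                                  description: Settings common to both HTTP and TCP
                                    upstream connections.
                                  properties:
                                    connectTimeout:
                                      description: TCP connection timeout.
                                      type: string
                                    maxConnections:
                                      description: Maximum number of HTTP1 /TCP connections
                                        to a destination host.
                                      format: int32
                                      type: integer
                                  type: object
                              type: object
                            loadBalancer:
                              description: Settings controlling the load balancer
                                algorithms.
                              properties:
                                consistentHash:
                                  properties:
                                    httpCookie:
                                      description: Hash based on HTTP cookie.
                                      properties:
                                        name:
                                          description: REQUIRED. Name of the cookie.
                                          type: string
                                        path:
                                          description: Path to set for the cookie.
                                          type: string
                                        ttl:
                                          description: REQUIRED. Lifetime of the cookie.
                                          type: string
                                      required:
                                      - name
                                      - ttl
                                      type: object
                                    httpHeaderName:
                                      description: 'It is required to specify exactly
                                        one of the fields as hash key: HttpHeaderName,
                                        HttpCookie, or UseSourceIP. Hash based on
                                        a specific HTTP header.'
                                      type: string
                                    minimumRingSize:
                                      description: The minimum number of virtual nodes
                                        to use for the hash ring. Defaults to 1024.
                                        Larger ring sizes result in more granular
                                        load distributions. If the number of hosts
                                        in the load balancing pool is larger than
                                        the ring size, each host will be assigned
                                        a single virtual node.
                                      format: int64
                                      type: integer
                                    useSourceIp:
                                      description: Hash based on the source IP address.
                                      type: boolean
                                  type: object
                                simple:
                                  description: 'It is required to specify exactly
                                    one of the fields: Simple or ConsistentHash'
                                  type: string
                              type: object
                            outlierDetection:
                              description: Settings controlling eviction of unhealthy
                                hosts from the load balancing pool
                              properties:
                                baseEjectionTime:
                                  description: 'Minimum ejection duration. A host
                                    will remain ejected for a period equal to the
                                    product of minimum ejection duration and the number
                                    of times the host has been ejected. This technique
                                    allows the system to automatically increase the
                                    ejection period for unhealthy upstream servers.
                                    format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is
                                    30s.'
                                  type: string
                                consecutiveErrors:
                                  description: Number of errors before a host is ejected
                                    from the connection pool. Defaults to 5. When
                                    the upstream host is accessed over HTTP, a 5xx
                                    return code qualifies as an error. When the upstream
                                    host is accessed over an opaque TCP connection,
                                    connect timeouts and connection error/failure
                                    events qualify as an error.
                                  format: int32
                                  type: integer
                                interval:
                                  description: 'Time interval between ejection sweep
                                    analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
                                    Default is 10s.'
                                  type: string
                                maxEjectionPercent:
                                  description: Maximum % of hosts in the load balancing
                                    pool for the upstream service that can be ejected.
                                    Defaults to 10%.
                                  format: int32
                                  type: integer
                              type: object
                            port:
                              description: Specifies the port name or number of a
                                port on the destination service on which this policy
                                is being applied. Names must comply with DNS label
                                syntax (rfc1035) and therefore cannot collide with
                                numbers. If there are multiple ports on a service
                                with the same protocol the names should be of the
                                form <protocol-name>-<DNS label>.
                              properties:
                                name:
                                  description: Valid port name
                                  type: string
                                number:
                                  description: Valid port number
                                  format: int32
                                  type: integer
                              type: object
                            tls:
                              description: TLS related settings for connections to
                                the upstream service.
                              properties:
                                caCertificates:
                                  description: 'OPTIONAL: The path to the file containing
                                    certificate authority certificates to use in verifying
                                    a presented server certificate. If omitted, the
                                    proxy will not verify the server''s certificate.
                                    Should be empty if mode is `ISTIO_MUTUAL`.'
                                  type: string
                                clientCertificate:
                                  description: REQUIRED if mode is `MUTUAL`. The path
                                    to the file holding the client-side TLS certificate
                                    to use. Should be empty if mode is `ISTIO_MUTUAL`.
                                  type: string
                                mode:
                                  description: 'REQUIRED: Indicates whether connections
                                    to this port should be secured using TLS. The
                                    value of this field determines how TLS is enforced.'
                                  type: string
                                privateKey:
                                  description: REQUIRED if mode is `MUTUAL`. The path
                                    to the file holding the client's private key.
                                    Should be empty if mode is `ISTIO_MUTUAL`.
                                  type: string
                                sni:
                                  description: SNI string to present to the server
                                    during TLS handshake. Should be empty if mode
                                    is `ISTIO_MUTUAL`.
                                  type: string
                                subjectAltNames:
                                  description: A list of alternate names to verify
                                    the subject identity in the certificate. If specified,
                                    the proxy will verify that the server certificate's
                                    subject alt name matches one of the specified
                                    values. Should be empty if mode is `ISTIO_MUTUAL`.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - mode
                              type: object
                          required:
                          - port
                          type: object
                        type: array
                      tls:
                        description: TLS related settings for connections to the upstream
                          service.
                        properties:
                          caCertificates:
                            description: 'OPTIONAL: The path to the file containing
                              certificate authority certificates to use in verifying
                              a presented server certificate. If omitted, the proxy
                              will not verify the server''s certificate. Should be
                              empty if mode is `ISTIO_MUTUAL`.'
                            type: string
                          clientCertificate:
                            description: REQUIRED if mode is `MUTUAL`. The path to
                              the file holding the client-side TLS certificate to
                              use. Should be empty if mode is `ISTIO_MUTUAL`.
                            type: string
                          mode:
                            description: 'REQUIRED: Indicates whether connections
                              to this port should be secured using TLS. The value
                              of this field determines how TLS is enforced.'
                            type: string
                          privateKey:
                            description: REQUIRED if mode is `MUTUAL`. The path to
                              the file holding the client's private key. Should be
                              empty if mode is `ISTIO_MUTUAL`.
                            type: string
                          sni:
                            description: SNI string to present to the server during
                              TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
                            type: string
                          subjectAltNames:
                            description: A list of alternate names to verify the subject
                              identity in the certificate. If specified, the proxy
                              will verify that the server certificate's subject alt
                              name matches one of the specified values. Should be
                              empty if mode is `ISTIO_MUTUAL`.
                            items:
                              type: string
                            type: array
                        required:
                        - mode
                        type: object
                    type: object
                required:
                - name
                - labels
                type: object
              type: array
            trafficPolicy:
              description: Traffic policies to apply (load balancing policy, connection
                pool sizes, outlier detection).
              properties:
                connectionPool:
                  description: Settings controlling the volume of connections to an
                    upstream service
                  properties:
                    http:
                      description: HTTP connection pool settings.
                      properties:
                        maxRequestsPerConnection:
                          description: Maximum number of requests per connection to
                            a backend. Setting this parameter to 1 disables keep alive.
                          format: int32
                          type: integer
                        maxRetries:
                          description: Maximum number of retries that can be outstanding
                            to all hosts in a cluster at a given time. Defaults to
                            3.
                          format: int32
                          type: integer
                      type: object
                    tcp:
                      description: Settings common to both HTTP and TCP upstream connections.
                      properties:
                        connectTimeout:
                          description: TCP connection timeout.
                          type: string
                        maxConnections:
                          description: Maximum number of HTTP1 /TCP connections to
                            a destination host.
                          format: int32
                          type: integer
                      type: object
                  type: object
                loadBalancer:
                  description: Settings controlling the load balancer algorithms.
                  properties:
                    consistentHash:
                      properties:
                        httpCookie:
                          description: Hash based on HTTP cookie.
                          properties:
                            name:
                              description: REQUIRED. Name of the cookie.
                              type: string
                            path:
                              description: Path to set for the cookie.
                              type: string
                            ttl:
                              description: REQUIRED. Lifetime of the cookie.
                              type: string
                          required:
                          - name
                          - ttl
                          type: object
                        httpHeaderName:
                          description: 'It is required to specify exactly one of the
                            fields as hash key: HttpHeaderName, HttpCookie, or UseSourceIP.
                            Hash based on a specific HTTP header.'
                          type: string
                        minimumRingSize:
                          description: The minimum number of virtual nodes to use
                            for the hash ring. Defaults to 1024. Larger ring sizes
                            result in more granular load distributions. If the number
                            of hosts in the load balancing pool is larger than the
                            ring size, each host will be assigned a single virtual
                            node.
                          format: int64
                          type: integer
                        useSourceIp:
                          description: Hash based on the source IP address.
                          type: boolean
                      type: object
                    simple:
                      description: 'It is required to specify exactly one of the fields:
                        Simple or ConsistentHash'
                      type: string
                  type: object
                outlierDetection:
                  description: Settings controlling eviction of unhealthy hosts from
                    the load balancing pool
                  properties:
                    baseEjectionTime:
                      description: 'Minimum ejection duration. A host will remain
                        ejected for a period equal to the product of minimum ejection
                        duration and the number of times the host has been ejected.
                        This technique allows the system to automatically increase
                        the ejection period for unhealthy upstream servers. format:
                        1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.'
                      type: string
                    consecutiveErrors:
                      description: Number of errors before a host is ejected from
                        the connection pool. Defaults to 5. When the upstream host
                        is accessed over HTTP, a 5xx return code qualifies as an error.
                        When the upstream host is accessed over an opaque TCP connection,
                        connect timeouts and connection error/failure events qualify
                        as an error.
                      format: int32
                      type: integer
                    interval:
                      description: 'Time interval between ejection sweep analysis.
                        format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
                      type: string
                    maxEjectionPercent:
                      description: Maximum % of hosts in the load balancing pool for
                        the upstream service that can be ejected. Defaults to 10%.
                      format: int32
                      type: integer
                  type: object
                portLevelSettings:
                  description: Traffic policies specific to individual ports. Note
                    that port level settings will override the destination-level settings.
                    Traffic settings specified at the destination-level will not be
                    inherited when overridden by port-level settings, i.e. default
                    values will be applied to fields omitted in port-level traffic
                    policies.
                  items:
                    properties:
                      connectionPool:
                        description: Settings controlling the volume of connections
                          to an upstream service
                        properties:
                          http:
                            description: HTTP connection pool settings.
                            properties:
                              maxRequestsPerConnection:
                                description: Maximum number of requests per connection
                                  to a backend. Setting this parameter to 1 disables
                                  keep alive.
                                format: int32
                                type: integer
                              maxRetries:
                                description: Maximum number of retries that can be
                                  outstanding to all hosts in a cluster at a given
                                  time. Defaults to 3.
                                format: int32
                                type: integer
                            type: object
                          tcp:
                            description: Settings common to both HTTP and TCP upstream
                              connections.
                            properties:
                              connectTimeout:
                                description: TCP connection timeout.
                                type: string
                              maxConnections:
                                description: Maximum number of HTTP1 /TCP connections
                                  to a destination host.
                                format: int32
                                type: integer
                            type: object
                        type: object
                      loadBalancer:
                        description: Settings controlling the load balancer algorithms.
                        properties:
                          consistentHash:
                            properties:
                              httpCookie:
                                description: Hash based on HTTP cookie.
                                properties:
                                  name:
                                    description: REQUIRED. Name of the cookie.
                                    type: string
                                  path:
                                    description: Path to set for the cookie.
                                    type: string
                                  ttl:
                                    description: REQUIRED. Lifetime of the cookie.
                                    type: string
                                required:
                                - name
                                - ttl
                                type: object
                              httpHeaderName:
                                description: 'It is required to specify exactly one
                                  of the fields as hash key: HttpHeaderName, HttpCookie,
                                  or UseSourceIP. Hash based on a specific HTTP header.'
                                type: string
                              minimumRingSize:
                                description: The minimum number of virtual nodes to
                                  use for the hash ring. Defaults to 1024. Larger
                                  ring sizes result in more granular load distributions.
                                  If the number of hosts in the load balancing pool
                                  is larger than the ring size, each host will be
                                  assigned a single virtual node.
                                format: int64
                                type: integer
                              useSourceIp:
                                description: Hash based on the source IP address.
                                type: boolean
                            type: object
                          simple:
                            description: 'It is required to specify exactly one of
                              the fields: Simple or ConsistentHash'
                            type: string
                        type: object
                      outlierDetection:
                        description: Settings controlling eviction of unhealthy hosts
                          from the load balancing pool
                        properties:
                          baseEjectionTime:
                            description: 'Minimum ejection duration. A host will remain
                              ejected for a period equal to the product of minimum
                              ejection duration and the number of times the host has
                              been ejected. This technique allows the system to automatically
                              increase the ejection period for unhealthy upstream
                              servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default
                              is 30s.'
                            type: string
                          consecutiveErrors:
                            description: Number of errors before a host is ejected
                              from the connection pool. Defaults to 5. When the upstream
                              host is accessed over HTTP, a 5xx return code qualifies
                              as an error. When the upstream host is accessed over
                              an opaque TCP connection, connect timeouts and connection
                              error/failure events qualify as an error.
                            format: int32
                            type: integer
                          interval:
                            description: 'Time interval between ejection sweep analysis.
                              format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
                            type: string
                          maxEjectionPercent:
                            description: Maximum % of hosts in the load balancing
                              pool for the upstream service that can be ejected. Defaults
                              to 10%.
                            format: int32
                            type: integer
                        type: object
                      port:
                        description: Specifies the port name or number of a port on
                          the destination service on which this policy is being applied. Names
                          must comply with DNS label syntax (rfc1035) and therefore
                          cannot collide with numbers. If there are multiple ports
                          on a service with the same protocol the names should be
                          of the form <protocol-name>-<DNS label>.
                        properties:
                          name:
                            description: Valid port name
                            type: string
                          number:
                            description: Valid port number
                            format: int32
                            type: integer
                        type: object
                      tls:
                        description: TLS related settings for connections to the upstream
                          service.
                        properties:
                          caCertificates:
                            description: 'OPTIONAL: The path to the file containing
                              certificate authority certificates to use in verifying
                              a presented server certificate. If omitted, the proxy
                              will not verify the server''s certificate. Should be
                              empty if mode is `ISTIO_MUTUAL`.'
                            type: string
                          clientCertificate:
                            description: REQUIRED if mode is `MUTUAL`. The path to
                              the file holding the client-side TLS certificate to
                              use. Should be empty if mode is `ISTIO_MUTUAL`.
                            type: string
                          mode:
                            description: 'REQUIRED: Indicates whether connections
                              to this port should be secured using TLS. The value
                              of this field determines how TLS is enforced.'
                            type: string
                          privateKey:
                            description: REQUIRED if mode is `MUTUAL`. The path to
                              the file holding the client's private key. Should be
                              empty if mode is `ISTIO_MUTUAL`.
                            type: string
                          sni:
                            description: SNI string to present to the server during
                              TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
                            type: string
                          subjectAltNames:
                            description: A list of alternate names to verify the subject
                              identity in the certificate. If specified, the proxy
                              will verify that the server certificate's subject alt
                              name matches one of the specified values. Should be
                              empty if mode is `ISTIO_MUTUAL`.
                            items:
                              type: string
                            type: array
                        required:
                        - mode
                        type: object
                    required:
                    - port
                    type: object
                  type: array
                tls:
                  description: TLS related settings for connections to the upstream
                    service.
                  properties:
                    caCertificates:
                      description: 'OPTIONAL: The path to the file containing certificate
                        authority certificates to use in verifying a presented server
                        certificate. If omitted, the proxy will not verify the server''s
                        certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
                      type: string
                    clientCertificate:
                      description: REQUIRED if mode is `MUTUAL`. The path to the file
                        holding the client-side TLS certificate to use. Should be
                        empty if mode is `ISTIO_MUTUAL`.
                      type: string
                    mode:
                      description: 'REQUIRED: Indicates whether connections to this
                        port should be secured using TLS. The value of this field
                        determines how TLS is enforced.'
                      type: string
                    privateKey:
                      description: REQUIRED if mode is `MUTUAL`. The path to the file
                        holding the client's private key. Should be empty if mode
                        is `ISTIO_MUTUAL`.
                      type: string
                    sni:
                      description: SNI string to present to the server during TLS
                        handshake. Should be empty if mode is `ISTIO_MUTUAL`.
                      type: string
                    subjectAltNames:
                      description: A list of alternate names to verify the subject
                        identity in the certificate. If specified, the proxy will
                        verify that the server certificate's subject alt name matches
                        one of the specified values. Should be empty if mode is `ISTIO_MUTUAL`.
                      items:
                        type: string
                      type: array
                  required:
                  - mode
                  type: object
              type: object
          required:
          - host
          type: object
      required:
      - spec
  version: v1alpha3
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []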