823 lines
50 KiB
YAML
823 lines
50 KiB
YAML
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
creationTimestamp: null
|
|
labels:
|
|
controller-tools.k8s.io: "1.0"
|
|
name: servicepolicies.servicemesh.kubesphere.io
|
|
spec:
|
|
group: servicemesh.kubesphere.io
|
|
names:
|
|
kind: ServicePolicy
|
|
plural: servicepolicies
|
|
scope: Namespaced
|
|
validation:
|
|
openAPIV3Schema:
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
properties:
|
|
selector:
|
|
description: Label selector for destination rules.
|
|
type: object
|
|
template:
|
|
description: Template used to create a destination rule
|
|
properties:
|
|
spec:
|
|
description: Spec indicates the behavior of a destination rule.
|
|
properties:
|
|
host:
|
|
description: 'REQUIRED. The name of a service from the service
|
|
registry. Service names are looked up from the platform''s
|
|
service registry (e.g., Kubernetes services, Consul services,
|
|
etc.) and from the hosts declared by [ServiceEntries](#ServiceEntry).
|
|
Rules defined for services that do not exist in the service
|
|
registry will be ignored. *Note for Kubernetes users*: When
|
|
short names are used (e.g. "reviews" instead of "reviews.default.svc.cluster.local"),
|
|
Istio will interpret the short name based on the namespace
|
|
of the rule, not the service. A rule in the "default" namespace
|
|
containing a host "reviews will be interpreted as "reviews.default.svc.cluster.local",
|
|
irrespective of the actual namespace associated with the reviews
|
|
service. _To avoid potential misconfigurations, it is recommended
|
|
to always use fully qualified domain names over short names._ Note
|
|
that the host field applies to both HTTP and TCP services.'
|
|
type: string
|
|
subsets:
|
|
description: One or more named sets that represent individual
|
|
versions of a service. Traffic policies can be overridden
|
|
at subset level.
|
|
items:
|
|
properties:
|
|
labels:
|
|
description: REQUIRED. Labels apply a filter over the
|
|
endpoints of a service in the service registry. See
|
|
route rules for examples of usage.
|
|
type: object
|
|
name:
|
|
description: REQUIRED. Name of the subset. The service
|
|
name and the subset name can be used for traffic splitting
|
|
in a route rule.
|
|
type: string
|
|
trafficPolicy:
|
|
description: Traffic policies that apply to this subset.
|
|
Subsets inherit the traffic policies specified at the
|
|
DestinationRule level. Settings specified at the subset
|
|
level will override the corresponding settings specified
|
|
at the DestinationRule level.
|
|
properties:
|
|
connectionPool:
|
|
description: Settings controlling the volume of connections
|
|
to an upstream service
|
|
properties:
|
|
http:
|
|
description: HTTP connection pool settings.
|
|
properties:
|
|
maxRequestsPerConnection:
|
|
description: Maximum number of requests per
|
|
connection to a backend. Setting this parameter
|
|
to 1 disables keep alive.
|
|
format: int32
|
|
type: integer
|
|
maxRetries:
|
|
description: Maximum number of retries that
|
|
can be outstanding to all hosts in a cluster
|
|
at a given time. Defaults to 3.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
tcp:
|
|
description: Settings common to both HTTP and
|
|
TCP upstream connections.
|
|
properties:
|
|
connectTimeout:
|
|
description: TCP connection timeout.
|
|
type: string
|
|
maxConnections:
|
|
description: Maximum number of HTTP1 /TCP
|
|
connections to a destination host.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
loadBalancer:
|
|
description: Settings controlling the load balancer
|
|
algorithms.
|
|
properties:
|
|
consistentHash:
|
|
properties:
|
|
httpCookie:
|
|
description: Hash based on HTTP cookie.
|
|
properties:
|
|
name:
|
|
description: REQUIRED. Name of the cookie.
|
|
type: string
|
|
path:
|
|
description: Path to set for the cookie.
|
|
type: string
|
|
ttl:
|
|
description: REQUIRED. Lifetime of the
|
|
cookie.
|
|
type: string
|
|
required:
|
|
- name
|
|
- ttl
|
|
type: object
|
|
httpHeaderName:
|
|
description: 'It is required to specify exactly
|
|
one of the fields as hash key: HttpHeaderName,
|
|
HttpCookie, or UseSourceIP. Hash based on
|
|
a specific HTTP header.'
|
|
type: string
|
|
minimumRingSize:
|
|
description: The minimum number of virtual
|
|
nodes to use for the hash ring. Defaults
|
|
to 1024. Larger ring sizes result in more
|
|
granular load distributions. If the number
|
|
of hosts in the load balancing pool is larger
|
|
than the ring size, each host will be assigned
|
|
a single virtual node.
|
|
format: int64
|
|
type: integer
|
|
useSourceIp:
|
|
description: Hash based on the source IP address.
|
|
type: boolean
|
|
type: object
|
|
simple:
|
|
description: 'It is required to specify exactly
|
|
one of the fields: Simple or ConsistentHash'
|
|
type: string
|
|
type: object
|
|
outlierDetection:
|
|
description: Settings controlling eviction of unhealthy
|
|
hosts from the load balancing pool
|
|
properties:
|
|
baseEjectionTime:
|
|
description: 'Minimum ejection duration. A host
|
|
will remain ejected for a period equal to the
|
|
product of minimum ejection duration and the
|
|
number of times the host has been ejected. This
|
|
technique allows the system to automatically
|
|
increase the ejection period for unhealthy upstream
|
|
servers. format: 1h/1m/1s/1ms. MUST BE >=1ms.
|
|
Default is 30s.'
|
|
type: string
|
|
consecutiveErrors:
|
|
description: Number of errors before a host is
|
|
ejected from the connection pool. Defaults to
|
|
5. When the upstream host is accessed over HTTP,
|
|
a 5xx return code qualifies as an error. When
|
|
the upstream host is accessed over an opaque
|
|
TCP connection, connect timeouts and connection
|
|
error/failure events qualify as an error.
|
|
format: int32
|
|
type: integer
|
|
interval:
|
|
description: 'Time interval between ejection sweep
|
|
analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
|
|
Default is 10s.'
|
|
type: string
|
|
maxEjectionPercent:
|
|
description: Maximum % of hosts in the load balancing
|
|
pool for the upstream service that can be ejected.
|
|
Defaults to 10%.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
portLevelSettings:
|
|
description: Traffic policies specific to individual
|
|
ports. Note that port level settings will override
|
|
the destination-level settings. Traffic settings
|
|
specified at the destination-level will not be inherited
|
|
when overridden by port-level settings, i.e. default
|
|
values will be applied to fields omitted in port-level
|
|
traffic policies.
|
|
items:
|
|
properties:
|
|
connectionPool:
|
|
description: Settings controlling the volume
|
|
of connections to an upstream service
|
|
properties:
|
|
http:
|
|
description: HTTP connection pool settings.
|
|
properties:
|
|
maxRequestsPerConnection:
|
|
description: Maximum number of requests
|
|
per connection to a backend. Setting
|
|
this parameter to 1 disables keep
|
|
alive.
|
|
format: int32
|
|
type: integer
|
|
maxRetries:
|
|
description: Maximum number of retries
|
|
that can be outstanding to all hosts
|
|
in a cluster at a given time. Defaults
|
|
to 3.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
tcp:
|
|
description: Settings common to both HTTP
|
|
and TCP upstream connections.
|
|
properties:
|
|
connectTimeout:
|
|
description: TCP connection timeout.
|
|
type: string
|
|
maxConnections:
|
|
description: Maximum number of HTTP1
|
|
/TCP connections to a destination
|
|
host.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
loadBalancer:
|
|
description: Settings controlling the load balancer
|
|
algorithms.
|
|
properties:
|
|
consistentHash:
|
|
properties:
|
|
httpCookie:
|
|
description: Hash based on HTTP cookie.
|
|
properties:
|
|
name:
|
|
description: REQUIRED. Name of the
|
|
cookie.
|
|
type: string
|
|
path:
|
|
description: Path to set for the
|
|
cookie.
|
|
type: string
|
|
ttl:
|
|
description: REQUIRED. Lifetime
|
|
of the cookie.
|
|
type: string
|
|
required:
|
|
- name
|
|
- ttl
|
|
type: object
|
|
httpHeaderName:
|
|
description: 'It is required to specify
|
|
exactly one of the fields as hash
|
|
key: HttpHeaderName, HttpCookie, or
|
|
UseSourceIP. Hash based on a specific
|
|
HTTP header.'
|
|
type: string
|
|
minimumRingSize:
|
|
description: The minimum number of virtual
|
|
nodes to use for the hash ring. Defaults
|
|
to 1024. Larger ring sizes result
|
|
in more granular load distributions.
|
|
If the number of hosts in the load
|
|
balancing pool is larger than the
|
|
ring size, each host will be assigned
|
|
a single virtual node.
|
|
format: int64
|
|
type: integer
|
|
useSourceIp:
|
|
description: Hash based on the source
|
|
IP address.
|
|
type: boolean
|
|
type: object
|
|
simple:
|
|
description: 'It is required to specify
|
|
exactly one of the fields: Simple or ConsistentHash'
|
|
type: string
|
|
type: object
|
|
outlierDetection:
|
|
description: Settings controlling eviction of
|
|
unhealthy hosts from the load balancing pool
|
|
properties:
|
|
baseEjectionTime:
|
|
description: 'Minimum ejection duration.
|
|
A host will remain ejected for a period
|
|
equal to the product of minimum ejection
|
|
duration and the number of times the host
|
|
has been ejected. This technique allows
|
|
the system to automatically increase the
|
|
ejection period for unhealthy upstream
|
|
servers. format: 1h/1m/1s/1ms. MUST BE
|
|
>=1ms. Default is 30s.'
|
|
type: string
|
|
consecutiveErrors:
|
|
description: Number of errors before a host
|
|
is ejected from the connection pool. Defaults
|
|
to 5. When the upstream host is accessed
|
|
over HTTP, a 5xx return code qualifies
|
|
as an error. When the upstream host is
|
|
accessed over an opaque TCP connection,
|
|
connect timeouts and connection error/failure
|
|
events qualify as an error.
|
|
format: int32
|
|
type: integer
|
|
interval:
|
|
description: 'Time interval between ejection
|
|
sweep analysis. format: 1h/1m/1s/1ms.
|
|
MUST BE >=1ms. Default is 10s.'
|
|
type: string
|
|
maxEjectionPercent:
|
|
description: Maximum % of hosts in the load
|
|
balancing pool for the upstream service
|
|
that can be ejected. Defaults to 10%.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
port:
|
|
description: Specifies the port name or number
|
|
of a port on the destination service on which
|
|
this policy is being applied. Names must
|
|
comply with DNS label syntax (rfc1035) and
|
|
therefore cannot collide with numbers. If
|
|
there are multiple ports on a service with
|
|
the same protocol the names should be of the
|
|
form <protocol-name>-<DNS label>.
|
|
properties:
|
|
name:
|
|
description: Valid port name
|
|
type: string
|
|
number:
|
|
description: Valid port number
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
tls:
|
|
description: TLS related settings for connections
|
|
to the upstream service.
|
|
properties:
|
|
caCertificates:
|
|
description: 'OPTIONAL: The path to the
|
|
file containing certificate authority
|
|
certificates to use in verifying a presented
|
|
server certificate. If omitted, the proxy
|
|
will not verify the server''s certificate.
|
|
Should be empty if mode is `ISTIO_MUTUAL`.'
|
|
type: string
|
|
clientCertificate:
|
|
description: REQUIRED if mode is `MUTUAL`.
|
|
The path to the file holding the client-side
|
|
TLS certificate to use. Should be empty
|
|
if mode is `ISTIO_MUTUAL`.
|
|
type: string
|
|
mode:
|
|
description: 'REQUIRED: Indicates whether
|
|
connections to this port should be secured
|
|
using TLS. The value of this field determines
|
|
how TLS is enforced.'
|
|
type: string
|
|
privateKey:
|
|
description: REQUIRED if mode is `MUTUAL`.
|
|
The path to the file holding the client's
|
|
private key. Should be empty if mode is
|
|
`ISTIO_MUTUAL`.
|
|
type: string
|
|
sni:
|
|
description: SNI string to present to the
|
|
server during TLS handshake. Should be
|
|
empty if mode is `ISTIO_MUTUAL`.
|
|
type: string
|
|
subjectAltNames:
|
|
description: A list of alternate names to
|
|
verify the subject identity in the certificate.
|
|
If specified, the proxy will verify that
|
|
the server certificate's subject alt name
|
|
matches one of the specified values. Should
|
|
be empty if mode is `ISTIO_MUTUAL`.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- mode
|
|
type: object
|
|
required:
|
|
- port
|
|
type: object
|
|
type: array
|
|
tls:
|
|
description: TLS related settings for connections
|
|
to the upstream service.
|
|
properties:
|
|
caCertificates:
|
|
description: 'OPTIONAL: The path to the file containing
|
|
certificate authority certificates to use in
|
|
verifying a presented server certificate. If
|
|
omitted, the proxy will not verify the server''s
|
|
certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
|
|
type: string
|
|
clientCertificate:
|
|
description: REQUIRED if mode is `MUTUAL`. The
|
|
path to the file holding the client-side TLS
|
|
certificate to use. Should be empty if mode
|
|
is `ISTIO_MUTUAL`.
|
|
type: string
|
|
mode:
|
|
description: 'REQUIRED: Indicates whether connections
|
|
to this port should be secured using TLS. The
|
|
value of this field determines how TLS is enforced.'
|
|
type: string
|
|
privateKey:
|
|
description: REQUIRED if mode is `MUTUAL`. The
|
|
path to the file holding the client's private
|
|
key. Should be empty if mode is `ISTIO_MUTUAL`.
|
|
type: string
|
|
sni:
|
|
description: SNI string to present to the server
|
|
during TLS handshake. Should be empty if mode
|
|
is `ISTIO_MUTUAL`.
|
|
type: string
|
|
subjectAltNames:
|
|
description: A list of alternate names to verify
|
|
the subject identity in the certificate. If
|
|
specified, the proxy will verify that the server
|
|
certificate's subject alt name matches one of
|
|
the specified values. Should be empty if mode
|
|
is `ISTIO_MUTUAL`.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- mode
|
|
type: object
|
|
type: object
|
|
required:
|
|
- name
|
|
- labels
|
|
type: object
|
|
type: array
|
|
trafficPolicy:
|
|
description: Traffic policies to apply (load balancing policy,
|
|
connection pool sizes, outlier detection).
|
|
properties:
|
|
connectionPool:
|
|
description: Settings controlling the volume of connections
|
|
to an upstream service
|
|
properties:
|
|
http:
|
|
description: HTTP connection pool settings.
|
|
properties:
|
|
maxRequestsPerConnection:
|
|
description: Maximum number of requests per connection
|
|
to a backend. Setting this parameter to 1 disables
|
|
keep alive.
|
|
format: int32
|
|
type: integer
|
|
maxRetries:
|
|
description: Maximum number of retries that can
|
|
be outstanding to all hosts in a cluster at a
|
|
given time. Defaults to 3.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
tcp:
|
|
description: Settings common to both HTTP and TCP upstream
|
|
connections.
|
|
properties:
|
|
connectTimeout:
|
|
description: TCP connection timeout.
|
|
type: string
|
|
maxConnections:
|
|
description: Maximum number of HTTP1 /TCP connections
|
|
to a destination host.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
loadBalancer:
|
|
description: Settings controlling the load balancer algorithms.
|
|
properties:
|
|
consistentHash:
|
|
properties:
|
|
httpCookie:
|
|
description: Hash based on HTTP cookie.
|
|
properties:
|
|
name:
|
|
description: REQUIRED. Name of the cookie.
|
|
type: string
|
|
path:
|
|
description: Path to set for the cookie.
|
|
type: string
|
|
ttl:
|
|
description: REQUIRED. Lifetime of the cookie.
|
|
type: string
|
|
required:
|
|
- name
|
|
- ttl
|
|
type: object
|
|
httpHeaderName:
|
|
description: 'It is required to specify exactly
|
|
one of the fields as hash key: HttpHeaderName,
|
|
HttpCookie, or UseSourceIP. Hash based on a specific
|
|
HTTP header.'
|
|
type: string
|
|
minimumRingSize:
|
|
description: The minimum number of virtual nodes
|
|
to use for the hash ring. Defaults to 1024. Larger
|
|
ring sizes result in more granular load distributions.
|
|
If the number of hosts in the load balancing pool
|
|
is larger than the ring size, each host will be
|
|
assigned a single virtual node.
|
|
format: int64
|
|
type: integer
|
|
useSourceIp:
|
|
description: Hash based on the source IP address.
|
|
type: boolean
|
|
type: object
|
|
simple:
|
|
description: 'It is required to specify exactly one
|
|
of the fields: Simple or ConsistentHash'
|
|
type: string
|
|
type: object
|
|
outlierDetection:
|
|
description: Settings controlling eviction of unhealthy
|
|
hosts from the load balancing pool
|
|
properties:
|
|
baseEjectionTime:
|
|
description: 'Minimum ejection duration. A host will
|
|
remain ejected for a period equal to the product of
|
|
minimum ejection duration and the number of times
|
|
the host has been ejected. This technique allows the
|
|
system to automatically increase the ejection period
|
|
for unhealthy upstream servers. format: 1h/1m/1s/1ms.
|
|
MUST BE >=1ms. Default is 30s.'
|
|
type: string
|
|
consecutiveErrors:
|
|
description: Number of errors before a host is ejected
|
|
from the connection pool. Defaults to 5. When the
|
|
upstream host is accessed over HTTP, a 5xx return
|
|
code qualifies as an error. When the upstream host
|
|
is accessed over an opaque TCP connection, connect
|
|
timeouts and connection error/failure events qualify
|
|
as an error.
|
|
format: int32
|
|
type: integer
|
|
interval:
|
|
description: 'Time interval between ejection sweep analysis.
|
|
format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.'
|
|
type: string
|
|
maxEjectionPercent:
|
|
description: Maximum % of hosts in the load balancing
|
|
pool for the upstream service that can be ejected.
|
|
Defaults to 10%.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
portLevelSettings:
|
|
description: Traffic policies specific to individual ports.
|
|
Note that port level settings will override the destination-level
|
|
settings. Traffic settings specified at the destination-level
|
|
will not be inherited when overridden by port-level settings,
|
|
i.e. default values will be applied to fields omitted
|
|
in port-level traffic policies.
|
|
items:
|
|
properties:
|
|
connectionPool:
|
|
description: Settings controlling the volume of connections
|
|
to an upstream service
|
|
properties:
|
|
http:
|
|
description: HTTP connection pool settings.
|
|
properties:
|
|
maxRequestsPerConnection:
|
|
description: Maximum number of requests per
|
|
connection to a backend. Setting this parameter
|
|
to 1 disables keep alive.
|
|
format: int32
|
|
type: integer
|
|
maxRetries:
|
|
description: Maximum number of retries that
|
|
can be outstanding to all hosts in a cluster
|
|
at a given time. Defaults to 3.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
tcp:
|
|
description: Settings common to both HTTP and
|
|
TCP upstream connections.
|
|
properties:
|
|
connectTimeout:
|
|
description: TCP connection timeout.
|
|
type: string
|
|
maxConnections:
|
|
description: Maximum number of HTTP1 /TCP
|
|
connections to a destination host.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
type: object
|
|
loadBalancer:
|
|
description: Settings controlling the load balancer
|
|
algorithms.
|
|
properties:
|
|
consistentHash:
|
|
properties:
|
|
httpCookie:
|
|
description: Hash based on HTTP cookie.
|
|
properties:
|
|
name:
|
|
description: REQUIRED. Name of the cookie.
|
|
type: string
|
|
path:
|
|
description: Path to set for the cookie.
|
|
type: string
|
|
ttl:
|
|
description: REQUIRED. Lifetime of the
|
|
cookie.
|
|
type: string
|
|
required:
|
|
- name
|
|
- ttl
|
|
type: object
|
|
httpHeaderName:
|
|
description: 'It is required to specify exactly
|
|
one of the fields as hash key: HttpHeaderName,
|
|
HttpCookie, or UseSourceIP. Hash based on
|
|
a specific HTTP header.'
|
|
type: string
|
|
minimumRingSize:
|
|
description: The minimum number of virtual
|
|
nodes to use for the hash ring. Defaults
|
|
to 1024. Larger ring sizes result in more
|
|
granular load distributions. If the number
|
|
of hosts in the load balancing pool is larger
|
|
than the ring size, each host will be assigned
|
|
a single virtual node.
|
|
format: int64
|
|
type: integer
|
|
useSourceIp:
|
|
description: Hash based on the source IP address.
|
|
type: boolean
|
|
type: object
|
|
simple:
|
|
description: 'It is required to specify exactly
|
|
one of the fields: Simple or ConsistentHash'
|
|
type: string
|
|
type: object
|
|
outlierDetection:
|
|
description: Settings controlling eviction of unhealthy
|
|
hosts from the load balancing pool
|
|
properties:
|
|
baseEjectionTime:
|
|
description: 'Minimum ejection duration. A host
|
|
will remain ejected for a period equal to the
|
|
product of minimum ejection duration and the
|
|
number of times the host has been ejected. This
|
|
technique allows the system to automatically
|
|
increase the ejection period for unhealthy upstream
|
|
servers. format: 1h/1m/1s/1ms. MUST BE >=1ms.
|
|
Default is 30s.'
|
|
type: string
|
|
consecutiveErrors:
|
|
description: Number of errors before a host is
|
|
ejected from the connection pool. Defaults to
|
|
5. When the upstream host is accessed over HTTP,
|
|
a 5xx return code qualifies as an error. When
|
|
the upstream host is accessed over an opaque
|
|
TCP connection, connect timeouts and connection
|
|
error/failure events qualify as an error.
|
|
format: int32
|
|
type: integer
|
|
interval:
|
|
description: 'Time interval between ejection sweep
|
|
analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms.
|
|
Default is 10s.'
|
|
type: string
|
|
maxEjectionPercent:
|
|
description: Maximum % of hosts in the load balancing
|
|
pool for the upstream service that can be ejected.
|
|
Defaults to 10%.
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
port:
|
|
description: Specifies the port name or number of
|
|
a port on the destination service on which this
|
|
policy is being applied. Names must comply with
|
|
DNS label syntax (rfc1035) and therefore cannot
|
|
collide with numbers. If there are multiple ports
|
|
on a service with the same protocol the names should
|
|
be of the form <protocol-name>-<DNS label>.
|
|
properties:
|
|
name:
|
|
description: Valid port name
|
|
type: string
|
|
number:
|
|
description: Valid port number
|
|
format: int32
|
|
type: integer
|
|
type: object
|
|
tls:
|
|
description: TLS related settings for connections
|
|
to the upstream service.
|
|
properties:
|
|
caCertificates:
|
|
description: 'OPTIONAL: The path to the file containing
|
|
certificate authority certificates to use in
|
|
verifying a presented server certificate. If
|
|
omitted, the proxy will not verify the server''s
|
|
certificate. Should be empty if mode is `ISTIO_MUTUAL`.'
|
|
type: string
|
|
clientCertificate:
|
|
description: REQUIRED if mode is `MUTUAL`. The
|
|
path to the file holding the client-side TLS
|
|
certificate to use. Should be empty if mode
|
|
is `ISTIO_MUTUAL`.
|
|
type: string
|
|
mode:
|
|
description: 'REQUIRED: Indicates whether connections
|
|
to this port should be secured using TLS. The
|
|
value of this field determines how TLS is enforced.'
|
|
type: string
|
|
privateKey:
|
|
description: REQUIRED if mode is `MUTUAL`. The
|
|
path to the file holding the client's private
|
|
key. Should be empty if mode is `ISTIO_MUTUAL`.
|
|
type: string
|
|
sni:
|
|
description: SNI string to present to the server
|
|
during TLS handshake. Should be empty if mode
|
|
is `ISTIO_MUTUAL`.
|
|
type: string
|
|
subjectAltNames:
|
|
description: A list of alternate names to verify
|
|
the subject identity in the certificate. If
|
|
specified, the proxy will verify that the server
|
|
certificate's subject alt name matches one of
|
|
the specified values. Should be empty if mode
|
|
is `ISTIO_MUTUAL`.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- mode
|
|
type: object
|
|
required:
|
|
- port
|
|
type: object
|
|
type: array
|
|
tls:
|
|
description: TLS related settings for connections to the
|
|
upstream service.
|
|
properties:
|
|
caCertificates:
|
|
description: 'OPTIONAL: The path to the file containing
|
|
certificate authority certificates to use in verifying
|
|
a presented server certificate. If omitted, the proxy
|
|
will not verify the server''s certificate. Should
|
|
be empty if mode is `ISTIO_MUTUAL`.'
|
|
type: string
|
|
clientCertificate:
|
|
description: REQUIRED if mode is `MUTUAL`. The path
|
|
to the file holding the client-side TLS certificate
|
|
to use. Should be empty if mode is `ISTIO_MUTUAL`.
|
|
type: string
|
|
mode:
|
|
description: 'REQUIRED: Indicates whether connections
|
|
to this port should be secured using TLS. The value
|
|
of this field determines how TLS is enforced.'
|
|
type: string
|
|
privateKey:
|
|
description: REQUIRED if mode is `MUTUAL`. The path
|
|
to the file holding the client's private key. Should
|
|
be empty if mode is `ISTIO_MUTUAL`.
|
|
type: string
|
|
sni:
|
|
description: SNI string to present to the server during
|
|
TLS handshake. Should be empty if mode is `ISTIO_MUTUAL`.
|
|
type: string
|
|
subjectAltNames:
|
|
description: A list of alternate names to verify the
|
|
subject identity in the certificate. If specified,
|
|
the proxy will verify that the server certificate's
|
|
subject alt name matches one of the specified values.
|
|
Should be empty if mode is `ISTIO_MUTUAL`.
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- mode
|
|
type: object
|
|
type: object
|
|
required:
|
|
- host
|
|
type: object
|
|
type: object
|
|
type: object
|
|
status:
|
|
type: object
|
|
version: v1alpha2
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|