ea88c8803d
use istio client-go library instead of knative bump kubernetes dependency version change code coverage to codecov
174 lines
8.5 KiB
JSON
174 lines
8.5 KiB
JSON
{
|
|
"openapi": "3.0.0",
|
|
"info": {
|
|
"title": "Configuration affecting edge load balancer.",
|
|
"version": "v1alpha3"
|
|
},
|
|
"components": {
|
|
"schemas": {
|
|
"istio.networking.v1alpha3.Gateway": {
|
|
"description": "Gateway describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections.",
|
|
"type": "object",
|
|
"properties": {
|
|
"servers": {
|
|
"description": "A list of server specifications.",
|
|
"type": "array",
|
|
"items": {
|
|
"$ref": "#/components/schemas/istio.networking.v1alpha3.Server"
|
|
}
|
|
},
|
|
"selector": {
|
|
"description": "One or more labels that indicate a specific set of pods/VMs on which this gateway configuration should be applied. The scope of label search is restricted to the configuration namespace in which the the resource is present. In other words, the Gateway resource must reside in the same namespace as the gateway workload instance.",
|
|
"type": "object",
|
|
"additionalProperties": {
|
|
"type": "string",
|
|
"format": "string"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"istio.networking.v1alpha3.Server": {
|
|
"description": "`Server` describes the properties of the proxy on a given load balancer port. For example,",
|
|
"type": "object",
|
|
"properties": {
|
|
"tls": {
|
|
"$ref": "#/components/schemas/istio.networking.v1alpha3.Server.TLSOptions"
|
|
},
|
|
"port": {
|
|
"$ref": "#/components/schemas/istio.networking.v1alpha3.Port"
|
|
},
|
|
"bind": {
|
|
"description": "The ip or the Unix domain socket to which the listener should be bound to. Format: `x.x.x.x` or `unix:///path/to/uds` or `unix://@foobar` (Linux abstract namespace). When using Unix domain sockets, the port number should be 0.",
|
|
"type": "string",
|
|
"format": "string"
|
|
},
|
|
"hosts": {
|
|
"description": "One or more hosts exposed by this gateway. While typically applicable to HTTP services, it can also be used for TCP services using TLS with SNI. A host is specified as a `dnsName` with an optional `namespace/` prefix. The `dnsName` should be specified using FQDN format, optionally including a wildcard character in the left-most component (e.g., `prod/*.example.com`). Set the `dnsName` to `*` to select all `VirtualService` hosts from the specified namespace (e.g.,`prod/*`).",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string",
|
|
"format": "string"
|
|
}
|
|
},
|
|
"defaultEndpoint": {
|
|
"description": "The loopback IP endpoint or Unix domain socket to which traffic should be forwarded to by default. Format should be `127.0.0.1:PORT` or `unix:///path/to/socket` or `unix://@foobar` (Linux abstract namespace).",
|
|
"type": "string",
|
|
"format": "string"
|
|
}
|
|
}
|
|
},
|
|
"istio.networking.v1alpha3.Port": {
|
|
"description": "Port describes the properties of a specific port of a service.",
|
|
"type": "object",
|
|
"properties": {
|
|
"name": {
|
|
"description": "Label assigned to the port.",
|
|
"type": "string",
|
|
"format": "string"
|
|
},
|
|
"number": {
|
|
"description": "A valid non-negative integer port number.",
|
|
"type": "integer"
|
|
},
|
|
"protocol": {
|
|
"description": "The protocol exposed on the port. MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. TLS implies the connection will be routed based on the SNI header to the destination without terminating the TLS connection.",
|
|
"type": "string",
|
|
"format": "string"
|
|
}
|
|
}
|
|
},
|
|
"istio.networking.v1alpha3.Server.TLSOptions": {
|
|
"type": "object",
|
|
"properties": {
|
|
"mode": {
|
|
"$ref": "#/components/schemas/istio.networking.v1alpha3.Server.TLSOptions.TLSmode"
|
|
},
|
|
"privateKey": {
|
|
"description": "REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file holding the server's private key.",
|
|
"type": "string",
|
|
"format": "string"
|
|
},
|
|
"caCertificates": {
|
|
"description": "REQUIRED if mode is `MUTUAL`. The path to a file containing certificate authority certificates to use in verifying a presented client side certificate.",
|
|
"type": "string",
|
|
"format": "string"
|
|
},
|
|
"subjectAltNames": {
|
|
"description": "A list of alternate names to verify the subject identity in the certificate presented by the client.",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string",
|
|
"format": "string"
|
|
}
|
|
},
|
|
"httpsRedirect": {
|
|
"description": "If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS.",
|
|
"type": "boolean"
|
|
},
|
|
"serverCertificate": {
|
|
"description": "REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file holding the server-side TLS certificate to use.",
|
|
"type": "string",
|
|
"format": "string"
|
|
},
|
|
"credentialName": {
|
|
"description": "The credentialName stands for a unique identifier that can be used to identify the serverCertificate and the privateKey. The credentialName appended with suffix \"-cacert\" is used to identify the CaCertificates associated with this server. Gateway workloads capable of fetching credentials from a remote credential store such as Kubernetes secrets, will be configured to retrieve the serverCertificate and the privateKey using credentialName, instead of using the file system paths specified above. If using mutual TLS, gateway workload instances will retrieve the CaCertificates using credentialName-cacert. The semantics of the name are platform dependent. In Kubernetes, the default Istio supplied credential server expects the credentialName to match the name of the Kubernetes secret that holds the server certificate, the private key, and the CA certificate (if using mutual TLS). Set the `ISTIO_META_USER_SDS` metadata variable in the gateway's proxy to enable the dynamic credential fetching feature.",
|
|
"type": "string",
|
|
"format": "string"
|
|
},
|
|
"verifyCertificateSpki": {
|
|
"description": "An optional list of base64-encoded SHA-256 hashes of the SKPIs of authorized client certificates. Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string",
|
|
"format": "string"
|
|
}
|
|
},
|
|
"verifyCertificateHash": {
|
|
"description": "An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. Both simple and colon separated formats are acceptable. Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string",
|
|
"format": "string"
|
|
}
|
|
},
|
|
"minProtocolVersion": {
|
|
"$ref": "#/components/schemas/istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol"
|
|
},
|
|
"maxProtocolVersion": {
|
|
"$ref": "#/components/schemas/istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol"
|
|
},
|
|
"cipherSuites": {
|
|
"description": "Optional: If specified, only support the specified cipher list. Otherwise default to the default cipher list supported by Envoy.",
|
|
"type": "array",
|
|
"items": {
|
|
"type": "string",
|
|
"format": "string"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"istio.networking.v1alpha3.Server.TLSOptions.TLSmode": {
|
|
"description": "TLS modes enforced by the proxy",
|
|
"type": "string",
|
|
"enum": [
|
|
"PASSTHROUGH",
|
|
"SIMPLE",
|
|
"MUTUAL",
|
|
"AUTO_PASSTHROUGH",
|
|
"ISTIO_MUTUAL"
|
|
]
|
|
},
|
|
"istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol": {
|
|
"description": "TLS protocol versions.",
|
|
"type": "string",
|
|
"enum": [
|
|
"TLS_AUTO",
|
|
"TLSV1_0",
|
|
"TLSV1_1",
|
|
"TLSV1_2",
|
|
"TLSV1_3"
|
|
]
|
|
}
|
|
}
|
|
}
|
|
} |