From 44f748face1e402b6d83f0510db45a394e89603f Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Sun, 12 Jan 2025 02:04:33 +0530
Subject: [PATCH 1/9] Upgrade Istio to v1.24.2
Signed-off-by: biswajit-9776
---
.github/workflows/kserve_cni_test.yaml | 2 +-
.../notebook_controller_m2m_test.yaml | 2 +-
.../workflows/pipeline_run_from_notebook.yaml | 2 +-
.github/workflows/pipeline_swfs_test.yaml | 2 +-
.github/workflows/pipeline_test.yaml | 2 +-
.github/workflows/pss_test.yaml | 2 +-
.github/workflows/training_operator_test.yaml | 2 +-
README.md | 12 +-
common/{istio-1-23 => istio-1-24}/README.md | 0
.../base/cluster-local-gateway.yaml | 55 +-
.../base/gateway-authorizationpolicy.yaml | 0
.../cluster-local-gateway/base/gateway.yaml | 0
.../base/kustomization.yaml | 0
.../base/patches/remove-pdb.yaml | 0
.../istio-crds/base/crd.yaml | 3184 +++++++++++++++--
.../istio-crds/base/kustomization.yaml | 0
.../base/deny_all_authorizationpolicy.yaml | 0
.../istio-install/base/gateway.yaml | 0
.../base/gateway_authorizationpolicy.yaml | 0
.../istio-install/base/install.yaml | 649 ++--
.../istio-install/base/kustomization.yaml | 0
.../base/patches/disable-debugging.yaml | 0
.../istio-configmap-disable-tracing.yaml | 0
.../istio-ingressgateway-remove-pdb.yaml | 0
.../base/patches/istiod-remove-pdb.yaml | 0
.../patches/seccomp-istio-ingressgateway.yaml | 0
.../base/patches/seccomp-istiod.yaml | 0
.../istio-install/base/patches/service.yaml | 0
.../overlays/oauth2-proxy/kustomization.yaml | 0
.../istio-namespace/base/kustomization.yaml | 0
.../istio-namespace/base/namespace.yaml | 0
.../base/cluster-roles.yaml | 0
.../base/kf-istio-resources.yaml | 0
.../base/kustomization.yaml | 0
.../profile-overlay.yaml | 0
.../profile.yaml | 2 +-
.../split-istio-packages | 0
.../README.md | 0
.../base/cluster-local-gateway.yaml | 55 +-
.../base/gateway-authorizationpolicy.yaml | 0
.../cluster-local-gateway/base/gateway.yaml | 0
.../base/kustomization.yaml | 0
.../base/patches/remove-pdb.yaml | 0
.../istio-crds/base/crd.yaml | 3184 +++++++++++++++--
.../istio-crds/base/kustomization.yaml | 0
.../base/deny_all_authorizationpolicy.yaml | 0
.../istio-install/base/gateway.yaml | 0
.../base/gateway_authorizationpolicy.yaml | 0
.../istio-install/base/install.yaml | 713 ++--
.../istio-install/base/kustomization.yaml | 0
.../base/patches/disable-debugging.yaml | 0
.../istio-configmap-disable-tracing.yaml | 0
.../istio-ingressgateway-remove-pdb.yaml | 0
.../base/patches/istiod-remove-pdb.yaml | 0
.../patches/seccomp-istio-ingressgateway.yaml | 0
.../base/patches/seccomp-istiod.yaml | 0
.../istio-install/base/patches/service.yaml | 0
.../overlays/oauth2-proxy/kustomization.yaml | 0
.../istio-namespace/base/kustomization.yaml | 0
.../istio-namespace/base/namespace.yaml | 0
.../base/cluster-roles.yaml | 0
.../base/kf-istio-resources.yaml | 0
.../base/kustomization.yaml | 0
.../profile-overlay.yaml | 0
.../profile.yaml | 2 +-
.../split-istio-packages | 0
common/oauth2-proxy/components/README.md | 12 +-
contrib/kserve/README.md | 10 +-
example/kustomization.yaml | 10 +-
hack/trivy_scan.py | 2 +-
.../kustomization.yaml | 10 +-
tests/gh-actions/install_istio-cni.sh | 2 +-
tests/gh-actions/install_istio.sh | 2 +-
tests/gh-actions/install_knative-cni.sh | 4 +-
tests/gh-actions/install_knative.sh | 4 +-
75 files changed, 6572 insertions(+), 1354 deletions(-)
rename common/{istio-1-23 => istio-1-24}/README.md (100%)
rename common/{istio-1-23 => istio-1-24}/cluster-local-gateway/base/cluster-local-gateway.yaml (81%)
rename common/{istio-1-23 => istio-1-24}/cluster-local-gateway/base/gateway-authorizationpolicy.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/cluster-local-gateway/base/gateway.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/cluster-local-gateway/base/kustomization.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/cluster-local-gateway/base/patches/remove-pdb.yaml (100%)
rename common/{istio-cni-1-23 => istio-1-24}/istio-crds/base/crd.yaml (84%)
rename common/{istio-1-23 => istio-1-24}/istio-crds/base/kustomization.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-install/base/deny_all_authorizationpolicy.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-install/base/gateway.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-install/base/gateway_authorizationpolicy.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-install/base/install.yaml (88%)
rename common/{istio-1-23 => istio-1-24}/istio-install/base/kustomization.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-install/base/patches/disable-debugging.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-install/base/patches/istio-configmap-disable-tracing.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-install/base/patches/istiod-remove-pdb.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-install/base/patches/seccomp-istio-ingressgateway.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-install/base/patches/seccomp-istiod.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-install/base/patches/service.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-install/overlays/oauth2-proxy/kustomization.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-namespace/base/kustomization.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/istio-namespace/base/namespace.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/kubeflow-istio-resources/base/cluster-roles.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/kubeflow-istio-resources/base/kf-istio-resources.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/kubeflow-istio-resources/base/kustomization.yaml (100%)
rename common/{istio-1-23 => istio-1-24}/profile-overlay.yaml (100%)
rename common/{istio-cni-1-23 => istio-1-24}/profile.yaml (97%)
rename common/{istio-1-23 => istio-1-24}/split-istio-packages (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/README.md (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/cluster-local-gateway/base/cluster-local-gateway.yaml (81%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/cluster-local-gateway/base/gateway-authorizationpolicy.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/cluster-local-gateway/base/gateway.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/cluster-local-gateway/base/kustomization.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/cluster-local-gateway/base/patches/remove-pdb.yaml (100%)
rename common/{istio-1-23 => istio-cni-1-24}/istio-crds/base/crd.yaml (84%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-crds/base/kustomization.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/base/deny_all_authorizationpolicy.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/base/gateway.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/base/gateway_authorizationpolicy.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/base/install.yaml (89%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/base/kustomization.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/base/patches/disable-debugging.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/base/patches/istio-configmap-disable-tracing.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/base/patches/istiod-remove-pdb.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/base/patches/seccomp-istio-ingressgateway.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/base/patches/seccomp-istiod.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/base/patches/service.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-install/overlays/oauth2-proxy/kustomization.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-namespace/base/kustomization.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/istio-namespace/base/namespace.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/kubeflow-istio-resources/base/cluster-roles.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/kubeflow-istio-resources/base/kf-istio-resources.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/kubeflow-istio-resources/base/kustomization.yaml (100%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/profile-overlay.yaml (100%)
rename common/{istio-1-23 => istio-cni-1-24}/profile.yaml (97%)
rename common/{istio-cni-1-23 => istio-cni-1-24}/split-istio-packages (100%)
diff --git a/.github/workflows/kserve_cni_test.yaml b/.github/workflows/kserve_cni_test.yaml
index fb12597932..b717dbde0a 100644
--- a/.github/workflows/kserve_cni_test.yaml
+++ b/.github/workflows/kserve_cni_test.yaml
@@ -4,7 +4,7 @@ on:
 paths:
 - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
 - .github/workflows/kserve_cni_test.yaml
- - common/istio-cni-1-23/**
+ - common/istio-cni-1-24/**
 - tests/gh-actions/install_cert_manager.sh
 - common/cert-manager/**
 - tests/gh-actions/install_knative-cni.sh
diff --git a/.github/workflows/notebook_controller_m2m_test.yaml b/.github/workflows/notebook_controller_m2m_test.yaml
index cb70027de1..5bc0616c97 100644
--- a/.github/workflows/notebook_controller_m2m_test.yaml
+++ b/.github/workflows/notebook_controller_m2m_test.yaml
@@ -34,7 +34,7 @@ jobs:
 run: ./tests/gh-actions/install_oauth2-proxy.sh
 - name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 - name: Install KF Multi Tenancy
 run: ./tests/gh-actions/install_multi_tenancy.sh
diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml
index 3f1aee3914..5971fd3acf 100644
--- a/.github/workflows/pipeline_run_from_notebook.yaml
+++ b/.github/workflows/pipeline_run_from_notebook.yaml
@@ -37,7 +37,7 @@ jobs:
 run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
 - name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 - name: Install KF Pipelines
 run: ./tests/gh-actions/install_pipelines.sh
diff --git a/.github/workflows/pipeline_swfs_test.yaml b/.github/workflows/pipeline_swfs_test.yaml
index 27b9b4e6e1..0c9a07c20d 100644
--- a/.github/workflows/pipeline_swfs_test.yaml
+++ b/.github/workflows/pipeline_swfs_test.yaml
@@ -45,7 +45,7 @@ jobs:
 run: ./tests/gh-actions/install_multi_tenancy.sh
 - name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 - name: Create KF Profile
 run: kustomize build common/user-namespace/base | kubectl apply -f -
diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml
index 792d5937e9..c446410f80 100644
--- a/.github/workflows/pipeline_test.yaml
+++ b/.github/workflows/pipeline_test.yaml
@@ -44,7 +44,7 @@ jobs:
 run: ./tests/gh-actions/install_multi_tenancy.sh
 - name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 - name: Create KF Profile
 run: kustomize build common/user-namespace/base | kubectl apply -f -
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml index 48998f2412..54771c1067 100644 --- a/.github/workflows/pss_test.yaml +++ b/.github/workflows/pss_test.yaml @@ -51,7 +51,7 @@ jobs: run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - name: Install kubeflow-istio-resources - run: kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f - + run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f - - name: Install KF Multi Tenancy run: ./tests/gh-actions/install_multi_tenancy.sh diff --git a/.github/workflows/training_operator_test.yaml b/.github/workflows/training_operator_test.yaml index d90957c2bc..14d75a68a9 100644 --- a/.github/workflows/training_operator_test.yaml +++ b/.github/workflows/training_operator_test.yaml @@ -38,7 +38,7 @@ jobs: run: ./tests/gh-actions/install_multi_tenancy.sh - name: Install kubeflow-istio-resources - run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f - + run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f - - name: Create KF Profile run: kustomize build common/user-namespace/base | kubectl apply -f - diff --git a/README.md b/README.md index 0942dd7939..079624cee7 100644 --- a/README.md +++ b/README.md @@ -64,7 +64,7 @@ used from the different projects of Kubeflow: | Component | Local Manifests Path | Upstream Revision | | - | - | - | -| Istio | common/istio-1-23 | [1.23.2](https://github.com/istio/istio/releases/tag/1.23.2) | +| Istio | common/istio-1-24 | [1.24.2](https://github.com/istio/istio/releases/tag/1.24.2) | | Knative | common/knative/knative-serving
common/knative/knative-eventing | [v1.16.0](https://github.com/knative/serving/releases/tag/knative-v1.16.0)
[v1.16.1](https://github.com/knative/eventing/releases/tag/knative-v1.16.1) | | Cert Manager | common/cert-manager | [1.16.1](https://github.com/cert-manager/cert-manager/releases/tag/v1.16.1) | @@ -211,9 +211,9 @@ Install Istio: ```sh echo "Installing Istio configured with external authorization..." -kustomize build common/istio-1-23/istio-crds/base | kubectl apply -f - -kustomize build common/istio-1-23/istio-namespace/base | kubectl apply -f - -kustomize build common/istio-1-23/istio-install/overlays/oauth2-proxy | kubectl apply -f - +kustomize build common/istio-1-24/istio-crds/base | kubectl apply -f - +kustomize build common/istio-1-24/istio-namespace/base | kubectl apply -f - +kustomize build common/istio-1-24/istio-install/overlays/oauth2-proxy | kubectl apply -f - echo "Waiting for all Istio Pods to become ready..." kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s @@ -343,7 +343,7 @@ Install Knative Serving: ```sh kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply -f - -kustomize build common/istio-1-23/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-1-24/cluster-local-gateway/base | kubectl apply -f - ``` Optionally, you can install Knative Eventing which can be used for inference request logging: @@ -390,7 +390,7 @@ Create the Kubeflow Gateway, `kubeflow-gateway` and ClusterRole, Install kubeflow istio resources: ```sh -kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f - +kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f - ``` #### Kubeflow Pipelines diff --git a/common/istio-1-23/README.md b/common/istio-1-24/README.md similarity index 100% rename from common/istio-1-23/README.md rename to common/istio-1-24/README.md 
diff --git a/common/istio-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml similarity index 81% rename from common/istio-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml rename to common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml index 45441c6a4f..149e7623c2 100644 --- a/common/istio-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml +++ b/common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml @@ -3,6 +3,12 @@ kind: ServiceAccount metadata: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -16,6 +22,12 @@ kind: Deployment metadata: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -42,7 +54,13 @@ spec: sidecar.istio.io/inject: 'false' labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 chart: gateways + helm.sh/chart: istio-ingress-1.24.2 heritage: Tiller install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway 
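Review bot: The pod-template labels added in the `@@ -42,7 +54,13 @@` hunk put `app.kubernetes.io/name: istio-ingressgateway` on the cluster-local-gateway pods, which is the same name label the external ingress gateway carries, so the two gateways are no longer distinguishable by that label. Any AuthorizationPolicy, PeerAuthentication or NetworkPolicy that selects workloads on `app.kubernetes.io/name` would now also match the cluster-local gateway and change what is allowed or denied on the internal path; the gateway policy files are renamed unchanged in this commit, so their selectors are not visible here and this should be confirmed by grepping the repo. Selectors should stay keyed on the labels that remain distinct, `istio: cluster-local-gateway` and `istio: ingressgateway`; where a policy must select on the shared label, I would add `# NOTE: app.kubernetes.io/name is shared with the external istio-ingressgateway; select on istio: cluster-local-gateway` above the selector. The Deployment's template continues outside the hunk.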
@@ -109,7 +127,8 @@ spec: - name: ISTIO_META_WORKLOAD_NAME value: cluster-local-gateway - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway + value: + kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway - name: ISTIO_META_MESH_ID value: cluster.local - name: TRUST_DOMAIN @@ -122,7 +141,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.23.2 + image: docker.io/istio/proxyv2:1.24.2 name: istio-proxy ports: - containerPort: 15020 @@ -235,6 +254,12 @@ kind: PodDisruptionBudget metadata: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -253,6 +278,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: IngressGateways @@ -273,6 +304,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: IngressGateways 
@@ -292,6 +329,12 @@ kind: HorizontalPodAutoscaler metadata: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -320,6 +363,12 @@ metadata: annotations: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -331,11 +380,9 @@ spec: ports: - name: status-port port: 15020 - protocol: TCP targetPort: 15020 - name: http2 port: 80 - protocol: TCP targetPort: 8080 selector: app: cluster-local-gateway diff --git a/common/istio-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml similarity index 100% rename from common/istio-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml rename to common/istio-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml diff --git a/common/istio-1-23/cluster-local-gateway/base/gateway.yaml b/common/istio-1-24/cluster-local-gateway/base/gateway.yaml similarity index 100% rename from common/istio-1-23/cluster-local-gateway/base/gateway.yaml rename to common/istio-1-24/cluster-local-gateway/base/gateway.yaml 
diff --git a/common/istio-1-23/cluster-local-gateway/base/kustomization.yaml b/common/istio-1-24/cluster-local-gateway/base/kustomization.yaml similarity index 100% rename from common/istio-1-23/cluster-local-gateway/base/kustomization.yaml rename to common/istio-1-24/cluster-local-gateway/base/kustomization.yaml diff --git a/common/istio-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml similarity index 100% rename from common/istio-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml rename to common/istio-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml diff --git a/common/istio-cni-1-23/istio-crds/base/crd.yaml b/common/istio-1-24/istio-crds/base/crd.yaml similarity index 84% rename from common/istio-cni-1-23/istio-crds/base/crd.yaml rename to common/istio-1-24/istio-crds/base/crd.yaml index 33de713fcc..f194ef7520 100644 --- a/common/istio-cni-1-23/istio-crds/base/crd.yaml +++ b/common/istio-1-24/istio-crds/base/crd.yaml @@ -4,11 +4,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: authorizationpolicies.security.istio.io spec: group: security.istio.io 
@@ -256,9 +256,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: 
@@ -290,12 +291,85 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. 
+ type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -535,9 +609,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: 
@@ -569,12 +644,85 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. 
+ type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -590,10 +738,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: destinationrules.networking.istio.io spec: group: networking.istio.io @@ -931,8 +1080,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms 
@@ -1277,9 +1452,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of - Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than @@ -1771,8 +1971,32 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms 
@@ -2111,8 +2335,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms 
@@ -2350,6 +2600,74 @@ spec: - host type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -2679,8 +2997,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -3025,9 +3369,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of - Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 
@@ -3519,8 +3888,32 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -3859,8 +4252,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms 
@@ -4098,6 +4517,74 @@ spec: - host type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -4427,8 +4914,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -4773,9 +5286,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of - Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 
@@ -5267,8 +5805,32 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -5607,8 +6169,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms 
@@ -5846,7 +6434,75 @@ spec: - host type: object status: - type: object + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object x-kubernetes-preserve-unknown-fields: true type: object served: true 
@@ -5861,10 +6517,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: envoyfilters.networking.istio.io spec: group: networking.istio.io @@ -6156,9 +6813,11 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs 
@@ -6166,13 +6825,89 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. 
+ + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -6188,10 +6923,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: gateways.networking.istio.io spec: group: networking.istio.io 
@@ -6361,6 +7097,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -6522,6 +7326,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -6683,6 +7555,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -6698,11 +7638,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: peerauthentications.security.istio.io spec: group: security.istio.io 
@@ -6802,6 +7742,74 @@ spec: rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() > 0) || !has(self.portLevelMtls) status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -6893,6 +7901,74 @@ spec: rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() > 0) || !has(self.portLevelMtls) status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -6908,10 +7984,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: proxyconfigs.networking.istio.io spec: group: networking.istio.io 
@@ -6974,6 +8051,74 @@ spec: type: object type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -6989,11 +8134,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: requestauthentications.security.istio.io spec: group: security.istio.io @@ -7175,9 +8320,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: 
@@ -7209,15 +8355,85 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. 
+ type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -7391,9 +8607,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: 
@@ -7425,34 +8642,105 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. 
+ x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: serviceentries.networking.istio.io spec: group: networking.istio.io @@ -7501,7 +8789,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. 
@@ -7514,11 +8804,11 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir - rule: "self.startsWith('unix://') ? !self.endsWith('/') :\ - \ true" + rule: "self.startsWith('unix://') ? !self.endsWith('/') : + true" labels: additionalProperties: type: string @@ -7563,8 +8853,8 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" maxItems: 4096 type: array exportTo: @@ -7576,6 +8866,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7592,14 +8887,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic 
@@ -7607,11 +8907,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -7634,17 +8944,106 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) + && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution + != 'NONE'))" + - message: NONE mode cannot set endpoints + rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) + : true" + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -7683,7 +9082,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7696,11 +9097,11 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir - rule: "self.startsWith('unix://') ? !self.endsWith('/') :\ - \ true" + rule: "self.startsWith('unix://') ? !self.endsWith('/') : + true" labels: additionalProperties: type: string 
@@ -7745,8 +9146,8 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" maxItems: 4096 type: array exportTo: @@ -7758,6 +9159,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7774,14 +9180,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -7789,11 +9200,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -7816,17 +9237,106 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) + && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution + != 'NONE'))" + - message: NONE mode cannot set endpoints + rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) + : true" + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -7865,7 +9375,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7878,11 +9390,11 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir - rule: "self.startsWith('unix://') ? !self.endsWith('/') :\ - \ true" + rule: "self.startsWith('unix://') ? !self.endsWith('/') : + true" labels: additionalProperties: type: string 
@@ -7927,8 +9439,8 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" maxItems: 4096 type: array exportTo: @@ -7940,6 +9452,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7956,14 +9473,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -7971,11 +9493,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -7998,17 +9530,106 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) + && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution + != 'NONE'))" + - message: NONE mode cannot set endpoints + rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) + : true" + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true @@ -8022,10 +9643,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: sidecars.networking.istio.io spec: group: networking.istio.io @@ -8451,7 +10073,8 @@ spec: type: object type: array outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. properties: egressProxy: properties: 
@@ -8489,13 +10112,86 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -8915,7 +10611,8 @@ spec: type: object type: array outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. properties: egressProxy: properties: 
@@ -8953,13 +10650,86 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -9379,7 +11149,8 @@ spec: type: object type: array outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. properties: egressProxy: properties: 
@@ -9417,39 +11188,112 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. 
+ items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io - telemetry-istio-io kind: Telemetry listKind: TelemetryList @@ -9599,11 +11443,11 @@ spec: type: object x-kubernetes-validations: - message: value must be set when operation is UPSERT - rule: "((has(self.operation) ? self.operation : '')\ - \ == 'UPSERT') ? self.value != '' : true" + rule: "((has(self.operation) ? self.operation : '') + == 'UPSERT') ? self.value != '' : true" - message: value must not be set when operation is REMOVE - rule: "((has(self.operation) ? self.operation : '')\ - \ == 'REMOVE') ? !has(self.value) : true" + rule: "((has(self.operation) ? self.operation : '') + == 'REMOVE') ? !has(self.value) : true" description: Optional. type: object type: object 
@@ -9677,9 +11521,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -9711,9 +11556,11 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array tracing: description: Optional. 
@@ -9825,7 +11672,78 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -9973,11 +11891,11 @@ spec: type: object x-kubernetes-validations: - message: value must be set when operation is UPSERT - rule: "((has(self.operation) ? self.operation : '')\ - \ == 'UPSERT') ? self.value != '' : true" + rule: "((has(self.operation) ? self.operation : '') + == 'UPSERT') ? self.value != '' : true" - message: value must not be set when operation is REMOVE - rule: "((has(self.operation) ? self.operation : '')\ - \ == 'REMOVE') ? !has(self.value) : true" + rule: "((has(self.operation) ? self.operation : '') + == 'REMOVE') ? !has(self.value) : true" description: Optional. type: object type: object @@ -10051,9 +11969,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -10085,9 +12004,11 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array tracing: description: Optional. 
@@ -10199,7 +12120,78 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -10215,10 +12207,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: virtualservices.networking.istio.io spec: group: networking.istio.io 
@@ -11195,6 +13188,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -12163,6 +14224,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -13131,6 +15260,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -13146,10 +15343,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: wasmplugins.extensions.istio.io spec: group: extensions.istio.io @@ -13319,9 +15517,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -13353,9 +15552,11 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: description: |- 
@@ -13373,9 +15574,9 @@ spec: type: string x-kubernetes-validations: - message: url must have schema one of [http, https, file, oci] - rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',\ - \ 'oci', 'file']) : (isURL('http://' + self) && url('http://'\ - \ +self).getScheme() in ['', 'http', 'https', 'oci', 'file'])" + rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https', + 'oci', 'file']) : (isURL('http://' + self) && url('http://' +self).getScheme() + in ['', 'http', 'https', 'oci', 'file'])" verificationKey: type: string vmConfig: @@ -13409,8 +15610,8 @@ spec: type: object x-kubernetes-validations: - message: value may only be set when valueFrom is INLINE - rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'\ - \ || !has(self.value)" + rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST' + || !has(self.value)" maxItems: 256 type: array x-kubernetes-list-map-keys: 
@@ -13420,7 +15621,78 @@ spec: required: - url type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true required: 
@@ -13438,10 +15710,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: workloadentries.networking.istio.io spec: group: networking.istio.io @@ -13485,8 +15758,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\ - \ || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/' + || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: 
@@ -13533,15 +15806,81 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\ - \ : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) + : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -13575,8 +15914,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\ - \ || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/' + || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: 
@@ -13623,15 +15962,81 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\ - \ : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) + : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -13665,8 +16070,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\ - \ || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/' + || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: 
@@ -13713,15 +16118,81 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\ - \ : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) + : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: true @@ -13733,10 +16204,11 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: workloadgroups.networking.istio.io spec: group: networking.istio.io @@ -13775,10 +16247,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -13807,13 +16281,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -13828,6 +16306,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -13841,8 +16320,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object 
@@ -13850,15 +16335,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -13869,12 +16357,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -13888,8 +16380,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: 
@@ -13934,14 +16426,84 @@ spec: type: object x-kubernetes-validations: - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" required: - template type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -13970,10 +16532,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -14002,13 +16566,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -14023,6 +16591,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -14036,8 +16605,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -14045,15 +16620,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. 
@@ -14064,12 +16642,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -14083,8 +16665,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: 
@@ -14129,14 +16711,84 @@ spec: type: object x-kubernetes-validations: - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" required: - template type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -14165,10 +16817,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -14197,13 +16851,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -14218,6 +16876,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -14231,8 +16890,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -14240,15 +16905,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. 
@@ -14259,12 +16927,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -14278,8 +16950,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: 
@@ -14324,14 +16996,84 @@ spec: type: object x-kubernetes-validations: - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" required: - template type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/common/istio-1-23/istio-crds/base/kustomization.yaml b/common/istio-1-24/istio-crds/base/kustomization.yaml similarity index 100% rename from common/istio-1-23/istio-crds/base/kustomization.yaml rename to common/istio-1-24/istio-crds/base/kustomization.yaml diff --git a/common/istio-1-23/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-1-24/istio-install/base/deny_all_authorizationpolicy.yaml similarity index 100% rename from common/istio-1-23/istio-install/base/deny_all_authorizationpolicy.yaml rename to common/istio-1-24/istio-install/base/deny_all_authorizationpolicy.yaml diff --git a/common/istio-1-23/istio-install/base/gateway.yaml b/common/istio-1-24/istio-install/base/gateway.yaml similarity index 100% rename from common/istio-1-23/istio-install/base/gateway.yaml rename to common/istio-1-24/istio-install/base/gateway.yaml diff --git a/common/istio-1-23/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-1-24/istio-install/base/gateway_authorizationpolicy.yaml similarity index 100% rename from common/istio-1-23/istio-install/base/gateway_authorizationpolicy.yaml rename to common/istio-1-24/istio-install/base/gateway_authorizationpolicy.yaml diff --git a/common/istio-1-23/istio-install/base/install.yaml b/common/istio-1-24/istio-install/base/install.yaml similarity index 88% rename from common/istio-1-23/istio-install/base/install.yaml rename to common/istio-1-24/istio-install/base/install.yaml index 59d77f1575..414a98dc4c 100644 --- a/common/istio-1-23/istio-install/base/install.yaml +++ b/common/istio-1-24/istio-install/base/install.yaml 
@@ -1,21 +1,14 @@ apiVersion: v1 kind: ServiceAccount -metadata: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway-service-account - namespace: istio-system ---- -apiVersion: v1 -kind: ServiceAccount metadata: labels: app: istio-reader + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-reader + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 release: istio name: istio-reader-service-account namespace: istio-system @@ -25,6 +18,12 @@ kind: ServiceAccount metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod namespace: istio-system @@ -34,6 +33,12 @@ kind: ClusterRole metadata: labels: app: istio-reader + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-reader + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istio-reader-clusterrole-istio-system rules: @@ -142,6 +147,12 @@ kind: ClusterRole metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod-clusterrole-istio-system rules: @@ -194,6 +205,7 @@ rules: - networking.istio.io resources: - workloadentries/status + - serviceentries/status verbs: - get - watch 
@@ -203,15 +215,29 @@ rules: - create - delete - apiGroups: - - networking.istio.io + - security.istio.io resources: - - serviceentries/status + - authorizationpolicies/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete +- apiGroups: + - '' + resources: + - services/status verbs: - get - watch - list - update - patch + - create + - delete - apiGroups: - apiextensions.k8s.io resources: @@ -278,7 +304,6 @@ rules: verbs: - create - apiGroups: - - networking.x-k8s.io - gateway.networking.k8s.io resources: - '*' @@ -287,10 +312,17 @@ rules: - watch - list - apiGroups: - - networking.x-k8s.io - gateway.networking.k8s.io resources: - - '*' + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status verbs: - update - patch @@ -335,6 +367,12 @@ kind: ClusterRole metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod-gateway-controller-istio-system rules: @@ -380,6 +418,12 @@ kind: ClusterRoleBinding metadata: labels: app: istio-reader + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-reader + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istio-reader-clusterrole-istio-system roleRef: @@ -396,6 +440,12 @@ kind: ClusterRoleBinding metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod-clusterrole-istio-system roleRef: 
@@ -412,6 +462,12 @@ kind: ClusterRoleBinding metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod-gateway-controller-istio-system roleRef: @@ -428,6 +484,12 @@ kind: ValidatingWebhookConfiguration metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 istio: istiod istio.io/rev: default release: istio @@ -482,6 +544,12 @@ data: kind: ConfigMap metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot @@ -529,7 +597,7 @@ data: {{- end }} {{- end }} {{- end }} - {{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} + {{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: 
@@ -550,8 +618,8 @@ data: kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} - {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} - {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} + {{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", @@ -575,7 +643,7 @@ data: (not $nativeSidecar) }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} + {{ if .Values.pilot.cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init @@ -627,9 +695,11 @@ data: {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} - {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} + {{ if .Values.pilot.cni.enabled -}} - "--run-validation" - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" {{ end -}} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} @@ -645,14 +715,14 @@ data: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: - {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} + {{- if not .Values.pilot.cni.enabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL - {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} + {{- if not .Values.pilot.cni.enabled }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false 
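Review bot: In the `@@ -645` hunk the init-container choice now depends only on `.Values.pilot.cni.enabled`; the former `.Values.istio_cni.enabled` alternative is gone from every branch, and the `istio_cni` block is also deleted from the rendered values further down this file. Any overlay in this repo that still turns CNI on with `istio_cni.enabled: true` would therefore render `istio-init` instead of `istio-validation`, with `NET_ADMIN`/`NET_RAW` added and `runAsUser: 0`, and nothing would fail loudly. Suggest grepping the CNI overlays for `istio_cni` and switching them to `pilot.cni.enabled: true` in this same commit. The new `--force-apply` argument keyed on `.Values.global.proxy_init.forceApplyIptables` only applies on the non-CNI path. The injection template continues beyond the hunk on both sides.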
@@ -664,34 +734,6 @@ data: runAsNonRoot: true {{- end }} {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} {{ if not $nativeSidecar }} containers: {{ end }} @@ -887,7 +929,7 @@ data: drop: - ALL privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: false runAsUser: 0 @@ -906,7 +948,7 @@ data: drop: - ALL privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} runAsNonRoot: false 
@@ -935,10 +977,6 @@ data: - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - mountPath: /var/run/secrets/istio/kubernetes - name: kube-ca-cert - {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} @@ -1014,11 +1052,6 @@ data: configMap: name: istio-ca-root-cert {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - name: kube-ca-cert - configMap: - name: kube-root-ca.crt - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs @@ -1689,7 +1722,6 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 @@ -1712,7 +1744,6 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-mesh-controller" ) | nindent 4 }} ownerReferences: 
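Review bot: Two removals here degrade silently rather than fail: the `kube-ca-cert` volume and its `/var/run/secrets/istio/kubernetes` mount are dropped (`@@ -935`/`@@ -1014`), so a deployment that sets `global.pilotCertProvider: kubernetes` renders a proxy without the CA bundle it used to validate istiod; and the `istio.io/gateway-name` label is removed from the generated gateway objects (`@@ -1689`/`@@ -1712`). If any AuthorizationPolicy, PeerAuthentication or NetworkPolicy in this repo selects gateway pods by `istio.io/gateway-name`, its selector stops matching and the policy quietly applies to nothing. Suggest grepping the overlays for both keys and moving selectors to `gateway.networking.k8s.io/gateway-name`, which is the label the template still sets. Whether anything here relies on them is inferred, not visible in the hunk; both templates continue outside it.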
@@ -1746,15 +1777,33 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-mesh-controller" ) | nindent 8}} spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} terminationGracePeriodSeconds: 2 serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP @@ -1861,13 +1910,10 @@ data: - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} + {{- if .Values.global.waypoint.resources }} resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} startupProbe: failureThreshold: 30 httpGet: @@ -1890,8 +1936,10 @@ data: timeoutSeconds: 1 securityContext: privileged: false + {{- if not (eq .Values.global.platform "openshift") }} runAsGroup: 1337 runAsUser: 1337 + {{- end }} allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true 
@@ -1903,8 +1951,8 @@ data: {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} {{- end }} volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data @@ -1958,13 +2006,19 @@ data: kind: Service metadata: annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} @@ -2002,7 +2056,6 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 @@ -2025,7 +2078,7 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 @@ -2057,7 +2110,7 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 8 }} spec: securityContext: 
@@ -2096,6 +2149,9 @@ data: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP @@ -2309,7 +2365,6 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} @@ -2319,6 +2374,7 @@ data: name: {{.Name}} uid: {{.UID}} spec: + ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} @@ -2340,7 +2396,6 @@ data: "securityContext": {} }, "global": { - "autoscalingv2API": true, "caAddress": "", "caName": "", "certSigners": [], @@ -2354,7 +2409,6 @@ data: "cpu": "10m" } }, - "enabled": true, "externalIstiod": false, "hub": "docker.io/istio", "imagePullPolicy": "", @@ -2374,7 +2428,6 @@ data: "clusterName": "", "enabled": false }, - "namespace": "istio-system", "network": "", "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, @@ -2384,7 +2437,6 @@ data: "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", - "enableCoreDump": false, "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", @@ -2416,6 +2468,7 @@ data: "tracer": "none" }, "proxy_init": { + "forceApplyIptables": false, "image": "proxyv2" }, "remotePilotAddress": "", @@ -2427,13 +2480,24 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.23.2", - "variant": "" - }, - "istio_cni": { - "chained": true, - "enabled": false, - "provider": "default" + "tag": "1.24.2", + "variant": "", + "waypoint": { + "affinity": {}, + "nodeSelector": {}, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "topologySpreadConstraints": [] + } }, "pilot": { "cni": { 
@@ -2456,6 +2520,12 @@ data: kind: ConfigMap metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot @@ -2468,6 +2538,12 @@ kind: MutatingWebhookConfiguration metadata: labels: app: sidecar-injector + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot 
@@ -2617,228 +2693,15 @@ webhooks: --- apiVersion: apps/v1 kind: Deployment -metadata: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - istio.io/rev: default - prometheus.io/path: /stats/prometheus - prometheus.io/port: '15020' - prometheus.io/scrape: 'true' - sidecar.istio.io/inject: 'false' - labels: - app: istio-ingressgateway - chart: gateways - heritage: Tiller - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - service.istio.io/canonical-name: istio-ingressgateway - service.istio.io/canonical-revision: latest - sidecar.istio.io/inject: 'false' - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - requiredDuringSchedulingIgnoredDuringExecution: - containers: - - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - env: - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: 
ISTIO_CPU_LIMIT - valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: istio-ingressgateway - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - - name: ISTIO_META_UNPRIVILEGED_POD - value: 'true' - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.23.2 - name: istio-proxy - ports: - - containerPort: 15021 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8443 - protocol: TCP - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/credential-uds - name: credential-socket - - mountPath: /var/run/secrets/workload-spiffe-credentials - name: workload-certs - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/istio/config - name: config-volume - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/pod - name: podinfo - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - readOnly: true - - 
mountPath: /etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - readOnly: true - securityContext: - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - serviceAccountName: istio-ingressgateway-service-account - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - - emptyDir: {} - name: workload-certs - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: podinfo - - emptyDir: {} - name: istio-envoy - - emptyDir: {} - name: istio-data - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio - optional: true - name: config-volume - - name: ingressgateway-certs - secret: - optional: true - secretName: istio-ingressgateway-certs - - name: ingressgateway-ca-certs - secret: - optional: true - secretName: istio-ingressgateway-ca-certs ---- -apiVersion: apps/v1 -kind: Deployment metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/rev: default @@ -2862,6 +2725,12 @@ spec: sidecar.istio.io/inject: 'false' labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/dataplane-mode: none 
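Review bot: The `@@ -2617` hunk deletes the entire `istio-ingressgateway` Deployment and its ServiceAccount from install.yaml, while the kustomization and the `istio-ingressgateway-remove-pdb.yaml` and `seccomp-istio-ingressgateway.yaml` patches are renamed unchanged in this same commit. If the gateway is not introduced elsewhere in this series, `kustomize build` fails on patches with no target; if it is introduced under different names or labels, the seccomp profile that was pinned on the gateway pod is silently no longer applied, which is the worse outcome. Any AuthorizationPolicy principal of the form `cluster.local/ns/istio-system/sa/istio-ingressgateway-service-account` in the gateway policies would likewise stop matching a live identity. Suggest either keeping the Deployment in this file or removing those two patches in the same commit, so the hardening cannot drift apart from the resource it targets.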
@@ -2915,17 +2784,27 @@ spec: - name: GOMAXPROCS valueFrom: resourceFieldRef: + divisor: '1' resource: limits.cpu - name: PLATFORM value: '' - image: docker.io/istio/pilot:1.23.2 + image: docker.io/istio/pilot:1.24.2 name: discovery ports: - containerPort: 8080 + name: http-debug protocol: TCP - containerPort: 15010 + name: grpc-xds + protocol: TCP + - containerPort: 15012 + name: tls-xds protocol: TCP - containerPort: 15017 + name: https-webhooks + protocol: TCP + - containerPort: 15014 + name: http-monitoring protocol: TCP readinessProbe: httpGet: @@ -2998,28 +2877,15 @@ spec: --- apiVersion: policy/v1 kind: PodDisruptionBudget -metadata: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - minAvailable: 1 - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/rev: default 
@@ -3036,29 +2902,15 @@ spec: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role -metadata: - labels: - install.operator.istio.io/owning-resource: unknown - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway-sds - namespace: istio-system -rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - get - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod namespace: istio-system @@ -3098,27 +2950,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding -metadata: - labels: - install.operator.istio.io/owning-resource: unknown - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway-sds - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istio-ingressgateway-sds -subjects: -- kind: ServiceAccount - name: istio-ingressgateway-service-account ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod namespace: istio-system 
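Review bot: The deleted `istio-ingressgateway-sds` Role and RoleBinding granted the gateway ServiceAccount `get`/`watch`/`list` on every Secret in istio-system, the broadest grant this file gave to a data-plane component, so dropping it is a least-privilege win only as long as the replacement gateway does not reinstate it. If the gateway is re-added via the istio `gateway` chart later in this series, verify its ServiceAccount receives no secret-reading Role and that TLS credentials reach it through istiod's SDS, as the removed `PILOT_CERT_PROVIDER`/`CA_ADDR` wiring in the deleted Deployment already did. The remaining `istiod` Role starts in this hunk but its rules continue outside it.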
@@ -3133,36 +2973,15 @@ subjects: --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler -metadata: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - target: - averageUtilization: 80 - type: Utilization - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot 
@@ -3186,41 +3005,15 @@ spec: --- apiVersion: v1 kind: Service -metadata: - annotations: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 8080 - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - selector: - app: istio-ingressgateway - istio: ingressgateway - type: LoadBalancer ---- -apiVersion: v1 -kind: Service metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/rev: default diff --git a/common/istio-1-23/istio-install/base/kustomization.yaml b/common/istio-1-24/istio-install/base/kustomization.yaml similarity index 100% rename from common/istio-1-23/istio-install/base/kustomization.yaml rename to common/istio-1-24/istio-install/base/kustomization.yaml diff --git a/common/istio-1-23/istio-install/base/patches/disable-debugging.yaml b/common/istio-1-24/istio-install/base/patches/disable-debugging.yaml similarity index 100% rename from common/istio-1-23/istio-install/base/patches/disable-debugging.yaml rename to common/istio-1-24/istio-install/base/patches/disable-debugging.yaml 
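Review bot: The `istio-ingressgateway` Service (`type: LoadBalancer`, ports 15021/80/443 → 15021/8080/8443) is deleted here, yet `patches/service.yaml` is carried over unchanged in the rename immediately below; if that patch targets this Service and the Service is not re-emitted elsewhere in the new install.yaml, `kustomize build` fails on an unmatched patch target, and if it is re-emitted with different port or selector fields the patch may no longer override what it used to. Please verify the rendered base contains exactly one `istio-ingressgateway` Service and that the patched result (type, ports) matches the 1.23 output before this PR. The patch body is not visible here, so this is inferred from the rename.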
diff --git a/common/istio-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml similarity index 100% rename from common/istio-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml rename to common/istio-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml diff --git a/common/istio-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml similarity index 100% rename from common/istio-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml rename to common/istio-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml diff --git a/common/istio-1-23/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-1-24/istio-install/base/patches/istiod-remove-pdb.yaml similarity index 100% rename from common/istio-1-23/istio-install/base/patches/istiod-remove-pdb.yaml rename to common/istio-1-24/istio-install/base/patches/istiod-remove-pdb.yaml diff --git a/common/istio-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml similarity index 100% rename from common/istio-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml rename to common/istio-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml diff --git a/common/istio-1-23/istio-install/base/patches/seccomp-istiod.yaml b/common/istio-1-24/istio-install/base/patches/seccomp-istiod.yaml similarity index 100% rename from common/istio-1-23/istio-install/base/patches/seccomp-istiod.yaml rename to common/istio-1-24/istio-install/base/patches/seccomp-istiod.yaml 
diff --git a/common/istio-1-23/istio-install/base/patches/service.yaml b/common/istio-1-24/istio-install/base/patches/service.yaml similarity index 100% rename from common/istio-1-23/istio-install/base/patches/service.yaml rename to common/istio-1-24/istio-install/base/patches/service.yaml diff --git a/common/istio-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml similarity index 100% rename from common/istio-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml rename to common/istio-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml diff --git a/common/istio-1-23/istio-namespace/base/kustomization.yaml b/common/istio-1-24/istio-namespace/base/kustomization.yaml similarity index 100% rename from common/istio-1-23/istio-namespace/base/kustomization.yaml rename to common/istio-1-24/istio-namespace/base/kustomization.yaml diff --git a/common/istio-1-23/istio-namespace/base/namespace.yaml b/common/istio-1-24/istio-namespace/base/namespace.yaml similarity index 100% rename from common/istio-1-23/istio-namespace/base/namespace.yaml rename to common/istio-1-24/istio-namespace/base/namespace.yaml diff --git a/common/istio-1-23/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-1-24/kubeflow-istio-resources/base/cluster-roles.yaml similarity index 100% rename from common/istio-1-23/kubeflow-istio-resources/base/cluster-roles.yaml rename to common/istio-1-24/kubeflow-istio-resources/base/cluster-roles.yaml diff --git a/common/istio-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml similarity index 100% rename from common/istio-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml rename to common/istio-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml 
diff --git a/common/istio-1-23/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-1-24/kubeflow-istio-resources/base/kustomization.yaml similarity index 100% rename from common/istio-1-23/kubeflow-istio-resources/base/kustomization.yaml rename to common/istio-1-24/kubeflow-istio-resources/base/kustomization.yaml diff --git a/common/istio-1-23/profile-overlay.yaml b/common/istio-1-24/profile-overlay.yaml similarity index 100% rename from common/istio-1-23/profile-overlay.yaml rename to common/istio-1-24/profile-overlay.yaml diff --git a/common/istio-cni-1-23/profile.yaml b/common/istio-1-24/profile.yaml similarity index 97% rename from common/istio-cni-1-23/profile.yaml rename to common/istio-1-24/profile.yaml index 077b0c86d2..838edaf5fb 100644 --- a/common/istio-cni-1-23/profile.yaml +++ b/common/istio-1-24/profile.yaml @@ -14,7 +14,7 @@ spec: enabled: true hub: docker.io/istio profile: default - tag: 1.23.2 + tag: 1.24.2 values: defaultRevision: "" gateways: diff --git a/common/istio-1-23/split-istio-packages b/common/istio-1-24/split-istio-packages similarity index 100% rename from common/istio-1-23/split-istio-packages rename to common/istio-1-24/split-istio-packages diff --git a/common/istio-cni-1-23/README.md b/common/istio-cni-1-24/README.md similarity index 100% rename from common/istio-cni-1-23/README.md rename to common/istio-cni-1-24/README.md diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml similarity index 81% rename from common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml rename to common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml index 45441c6a4f..149e7623c2 100644 --- a/common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml +++ b/common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml 
@@ -3,6 +3,12 @@ kind: ServiceAccount metadata: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -16,6 +22,12 @@ kind: Deployment metadata: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -42,7 +54,13 @@ spec: sidecar.istio.io/inject: 'false' labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 chart: gateways + helm.sh/chart: istio-ingress-1.24.2 heritage: Tiller install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway @@ -109,7 +127,8 @@ spec: - name: ISTIO_META_WORKLOAD_NAME value: cluster-local-gateway - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway + value: + kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway - name: ISTIO_META_MESH_ID value: cluster.local - name: TRUST_DOMAIN @@ -122,7 +141,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.23.2 + image: docker.io/istio/proxyv2:1.24.2 name: istio-proxy ports: - containerPort: 15020 
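Review bot: `image: docker.io/istio/proxyv2:1.24.2` pins the gateway proxy by a mutable tag only; for a component that runs with its own ServiceAccount in `istio-system`, pinning by digest as well (`image: docker.io/istio/proxyv2:1.24.2@sha256:<digest from the release>`) makes the manifest reproducible and immune to a re-pushed tag. Separately, the pod template keeps the legacy `chart: gateways` and `heritage: Tiller` labels next to the new `helm.sh/chart: istio-ingress-1.24.2` / `app.kubernetes.io/managed-by: Helm` set — harmless for selectors, but stale, and dropping them would leave one consistent label set. The Deployment spec starts and ends outside these hunks.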
@@ -235,6 +254,12 @@ kind: PodDisruptionBudget metadata: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -253,6 +278,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: IngressGateways @@ -273,6 +304,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: IngressGateways @@ -292,6 +329,12 @@ kind: HorizontalPodAutoscaler metadata: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default 
@@ -320,6 +363,12 @@ metadata: annotations: labels: app: cluster-local-gateway + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-ingressgateway + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istio-ingress-1.24.2 install.operator.istio.io/owning-resource: unknown istio: cluster-local-gateway istio.io/rev: default @@ -331,11 +380,9 @@ spec: ports: - name: status-port port: 15020 - protocol: TCP targetPort: 15020 - name: http2 port: 80 - protocol: TCP targetPort: 8080 selector: app: cluster-local-gateway diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml rename to common/istio-cni-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/gateway.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/gateway.yaml similarity index 100% rename from common/istio-cni-1-23/cluster-local-gateway/base/gateway.yaml rename to common/istio-cni-1-24/cluster-local-gateway/base/gateway.yaml diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/kustomization.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-23/cluster-local-gateway/base/kustomization.yaml rename to common/istio-cni-1-24/cluster-local-gateway/base/kustomization.yaml diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml similarity index 100% rename from common/istio-cni-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml rename to common/istio-cni-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml 
diff --git a/common/istio-1-23/istio-crds/base/crd.yaml b/common/istio-cni-1-24/istio-crds/base/crd.yaml similarity index 84% rename from common/istio-1-23/istio-crds/base/crd.yaml rename to common/istio-cni-1-24/istio-crds/base/crd.yaml index 33de713fcc..f194ef7520 100644 --- a/common/istio-1-23/istio-crds/base/crd.yaml +++ b/common/istio-cni-1-24/istio-crds/base/crd.yaml @@ -4,11 +4,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: authorizationpolicies.security.istio.io spec: group: security.istio.io @@ -256,9 +256,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: 
@@ -290,12 +291,85 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. 
+ type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -535,9 +609,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: 
@@ -569,12 +644,85 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. 
+ type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -590,10 +738,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: destinationrules.networking.istio.io spec: group: networking.istio.io @@ -931,8 +1080,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms 
@@ -1277,9 +1452,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of - Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than @@ -1771,8 +1971,32 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms 
@@ -2111,8 +2335,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms 
@@ -2350,6 +2600,74 @@ spec: - host type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -2679,8 +2997,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -3025,9 +3369,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of - Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 
@@ -3519,8 +3888,32 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -3859,8 +4252,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms 
@@ -4098,6 +4517,74 @@ spec: - host type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -4427,8 +4914,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -4773,9 +5286,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration + of Service. + properties: + aggression: + description: This parameter controls the speed + of traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of - Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 
@@ -5267,8 +5805,32 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of Service. + properties: + aggression: + description: This parameter controls the speed of traffic + increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms @@ -5607,8 +6169,34 @@ spec: - ROUND_ROBIN - LEAST_REQUEST type: string + warmup: + description: Represents the warmup configuration of + Service. + properties: + aggression: + description: This parameter controls the speed of + traffic increase over the warmup duration. + format: double + minimum: 1 + nullable: true + type: number + duration: + type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') + minimumPercent: + format: double + maximum: 100 + minimum: 0 + nullable: true + type: number + required: + - duration + type: object warmupDurationSecs: - description: Represents the warmup duration of Service. + description: 'Deprecated: use `warmup` instead.' type: string x-kubernetes-validations: - message: must be a valid duration greater than 1ms 
@@ -5846,7 +6434,75 @@ spec: - host type: object status: - type: object + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object x-kubernetes-preserve-unknown-fields: true type: object served: true 
@@ -5861,10 +6517,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: envoyfilters.networking.istio.io spec: group: networking.istio.io @@ -6156,9 +6813,11 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs 
@@ -6166,13 +6825,89 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. 
+ + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -6188,10 +6923,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: gateways.networking.istio.io spec: group: networking.istio.io 
@@ -6361,6 +7097,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -6522,6 +7326,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -6683,6 +7555,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -6698,11 +7638,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: peerauthentications.security.istio.io spec: group: security.istio.io 
@@ -6802,6 +7742,74 @@ spec: rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() > 0) || !has(self.portLevelMtls) status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -6893,6 +7901,74 @@ spec: rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() > 0) || !has(self.portLevelMtls) status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -6908,10 +7984,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: proxyconfigs.networking.istio.io spec: group: networking.istio.io 
@@ -6974,6 +8051,74 @@ spec: type: object type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -6989,11 +8134,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: security - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: requestauthentications.security.istio.io spec: group: security.istio.io @@ -7175,9 +8320,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: 
@@ -7209,15 +8355,85 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. 
+ type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -7391,9 +8607,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: 
@@ -7425,34 +8642,105 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: object x-kubernetes-validations: - - message: only one of targetRefs or workloadSelector can be set + - message: only one of targetRefs or selector can be set rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. 
+ x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: serviceentries.networking.istio.io spec: group: networking.istio.io @@ -7501,7 +8789,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. 
@@ -7514,11 +8804,11 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir - rule: "self.startsWith('unix://') ? !self.endsWith('/') :\ - \ true" + rule: "self.startsWith('unix://') ? !self.endsWith('/') : + true" labels: additionalProperties: type: string @@ -7563,8 +8853,8 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" maxItems: 4096 type: array exportTo: @@ -7576,6 +8866,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7592,14 +8887,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic 
@@ -7607,11 +8907,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -7634,17 +8944,106 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) + && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution + != 'NONE'))" + - message: NONE mode cannot set endpoints + rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) + : true" + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -7683,7 +9082,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7696,11 +9097,11 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir - rule: "self.startsWith('unix://') ? !self.endsWith('/') :\ - \ true" + rule: "self.startsWith('unix://') ? !self.endsWith('/') : + true" labels: additionalProperties: type: string 
@@ -7745,8 +9146,8 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" maxItems: 4096 type: array exportTo: @@ -7758,6 +9159,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7774,14 +9180,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -7789,11 +9200,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -7816,17 +9237,106 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) + && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution + != 'NONE'))" + - message: NONE mode cannot set endpoints + rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) + : true" + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -7865,7 +9375,9 @@ spec: addresses: description: The virtual IP addresses associated with the service. items: + maxLength: 64 type: string + maxItems: 256 type: array endpoints: description: One or more endpoints associated with the service. @@ -7878,11 +9390,11 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir - rule: "self.startsWith('unix://') ? !self.endsWith('/') :\ - \ true" + rule: "self.startsWith('unix://') ? !self.endsWith('/') : + true" labels: additionalProperties: type: string 
@@ -7927,8 +9439,8 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" maxItems: 4096 type: array exportTo: @@ -7940,6 +9452,11 @@ spec: description: The hosts associated with the ServiceEntry. items: type: string + x-kubernetes-validations: + - message: hostname cannot be wildcard + rule: self != '*' + maxItems: 256 + minItems: 1 type: array location: description: |- @@ -7956,14 +9473,19 @@ spec: properties: name: description: Label assigned to the port. + maxLength: 256 type: string number: description: A valid non-negative integer port number. maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 protocol: description: The protocol exposed on the port. + maxLength: 256 type: string targetPort: description: The port number on the endpoint where the traffic @@ -7971,11 +9493,21 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - number - name type: object + maxItems: 256 type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + x-kubernetes-validations: + - message: port number cannot be duplicated + rule: self.all(l1, self.exists_one(l2, l1.number == l2.number)) resolution: description: |- Service resolution mode for the hosts. 
@@ -7998,17 +9530,106 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object required: - hosts type: object + x-kubernetes-validations: + - message: only one of WorkloadSelector or Endpoints can be set + rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1 + - message: CIDR addresses are allowed only for NONE/STATIC resolution + types + rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/')) + && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution + != 'NONE'))" + - message: NONE mode cannot set endpoints + rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints) + : true" + - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints + rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN') + ? (!has(self.endpoints) || size(self.endpoints) == 1) : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. 
+ type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true @@ -8022,10 +9643,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: sidecars.networking.istio.io spec: group: networking.istio.io @@ -8451,7 +10073,8 @@ spec: type: object type: array outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. properties: egressProxy: properties: 
@@ -8489,13 +10112,86 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -8915,7 +10611,8 @@ spec: type: object type: array outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. properties: egressProxy: properties: 
@@ -8953,13 +10650,86 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object @@ -9379,7 +11149,8 @@ spec: type: object type: array outboundTrafficPolicy: - description: Configuration for the outbound traffic policy. + description: Set the default behavior of the sidecar for handling + outbound traffic from the application. properties: egressProxy: properties: 
@@ -9417,39 +11188,112 @@ spec: properties: labels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard is not supported in selector + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which the configuration should be applied. + maxProperties: 256 type: object type: object type: object status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - served: true - storage: true - subresources: - status: {} - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - helm.sh/resource-policy: keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: telemetry - release: istio - name: telemetries.telemetry.istio.io -spec: - group: telemetry.istio.io - names: - categories: - - istio-io + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. 
+ items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: + status: {} + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + helm.sh/resource-policy: keep + labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 + name: telemetries.telemetry.istio.io +spec: + group: telemetry.istio.io + names: + categories: + - istio-io - telemetry-istio-io kind: Telemetry listKind: TelemetryList @@ -9599,11 +11443,11 @@ spec: type: object x-kubernetes-validations: - message: value must be set when operation is UPSERT - rule: "((has(self.operation) ? self.operation : '')\ - \ == 'UPSERT') ? self.value != '' : true" + rule: "((has(self.operation) ? self.operation : '') + == 'UPSERT') ? self.value != '' : true" - message: value must not be set when operation is REMOVE - rule: "((has(self.operation) ? self.operation : '')\ - \ == 'REMOVE') ? !has(self.value) : true" + rule: "((has(self.operation) ? self.operation : '') + == 'REMOVE') ? !has(self.value) : true" description: Optional. type: object type: object 
@@ -9677,9 +11521,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -9711,9 +11556,11 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array tracing: description: Optional. 
@@ -9825,7 +11672,78 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -9973,11 +11891,11 @@ spec: type: object x-kubernetes-validations: - message: value must be set when operation is UPSERT - rule: "((has(self.operation) ? self.operation : '')\ - \ == 'UPSERT') ? self.value != '' : true" + rule: "((has(self.operation) ? self.operation : '') + == 'UPSERT') ? self.value != '' : true" - message: value must not be set when operation is REMOVE - rule: "((has(self.operation) ? self.operation : '')\ - \ == 'REMOVE') ? !has(self.value) : true" + rule: "((has(self.operation) ? self.operation : '') + == 'REMOVE') ? !has(self.value) : true" description: Optional. type: object type: object @@ -10051,9 +11969,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -10085,9 +12004,11 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array tracing: description: Optional. 
@@ -10199,7 +12120,78 @@ spec: type: object type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -10215,10 +12207,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: virtualservices.networking.istio.io spec: group: networking.istio.io 
@@ -11195,6 +13188,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -12163,6 +14224,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -13131,6 +15260,74 @@ spec: type: array type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true type: object 
@@ -13146,10 +15343,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: wasmplugins.extensions.istio.io spec: group: extensions.istio.io @@ -13319,9 +15517,10 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" targetRefs: description: Optional. items: @@ -13353,9 +15552,11 @@ spec: - name type: object x-kubernetes-validations: - - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway - rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ - \ ['gateway.networking.k8s.io','Gateway']]" + - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, + gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'], + ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" + maxItems: 16 type: array type: description: |- 
@@ -13373,9 +15574,9 @@ spec: type: string x-kubernetes-validations: - message: url must have schema one of [http, https, file, oci] - rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',\ - \ 'oci', 'file']) : (isURL('http://' + self) && url('http://'\ - \ +self).getScheme() in ['', 'http', 'https', 'oci', 'file'])" + rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https', + 'oci', 'file']) : (isURL('http://' + self) && url('http://' +self).getScheme() + in ['', 'http', 'https', 'oci', 'file'])" verificationKey: type: string vmConfig: @@ -13409,8 +15610,8 @@ spec: type: object x-kubernetes-validations: - message: value may only be set when valueFrom is INLINE - rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'\ - \ || !has(self.value)" + rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST' + || !has(self.value)" maxItems: 256 type: array x-kubernetes-list-map-keys: 
@@ -13420,7 +15621,78 @@ spec: required: - url type: object + x-kubernetes-validations: + - message: only one of targetRefs or selector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. + type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true required: 
@@ -13438,10 +15710,11 @@ metadata: annotations: helm.sh/resource-policy: keep labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: workloadentries.networking.istio.io spec: group: networking.istio.io @@ -13485,8 +15758,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\ - \ || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/' + || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: 
@@ -13533,15 +15806,81 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\ - \ : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) + : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -13575,8 +15914,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\ - \ || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/' + || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: 
@@ -13623,15 +15962,81 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\ - \ : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) + : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: false @@ -13665,8 +16070,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\ - \ || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/' + || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: 
@@ -13713,15 +16118,81 @@ spec: - message: Address is required rule: has(self.address) || has(self.network) - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\ - \ : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports) + : true" status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true required: - spec - - spec - - spec type: object served: true storage: true @@ -13733,10 +16204,11 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: labels: - app: istio-pilot - chart: istio - heritage: Tiller - release: istio + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 name: workloadgroups.networking.istio.io spec: group: networking.istio.io @@ -13775,10 +16247,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -13807,13 +16281,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -13828,6 +16306,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -13841,8 +16320,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object 
@@ -13850,15 +16335,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. @@ -13869,12 +16357,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -13888,8 +16380,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: 
@@ -13934,14 +16426,84 @@ spec: type: object x-kubernetes-validations: - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" required: - template type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -13970,10 +16532,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -14002,13 +16566,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -14023,6 +16591,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -14036,8 +16605,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -14045,15 +16620,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. 
@@ -14064,12 +16642,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -14083,8 +16665,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: 
@@ -14129,14 +16711,84 @@ spec: type: object x-kubernetes-validations: - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" required: - template type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: false @@ -14165,10 +16817,12 @@ spec: annotations: additionalProperties: type: string + maxProperties: 256 type: object labels: additionalProperties: type: string + maxProperties: 256 type: object type: object probe: @@ -14197,13 +16851,17 @@ spec: command: description: Command to run. items: + minLength: 1 type: string type: array + required: + - command type: object failureThreshold: description: Minimum consecutive failures for the probe to be considered failed after having succeeded. format: int32 + minimum: 0 type: integer httpGet: description: '`httpGet` is performed to a given endpoint and the @@ -14218,6 +16876,7 @@ spec: items: properties: name: + pattern: ^[-_A-Za-z0-9]+$ type: string value: type: string @@ -14231,8 +16890,14 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 scheme: type: string + x-kubernetes-validations: + - message: scheme must be one of [HTTP, HTTPS] + rule: self in ['', 'HTTP', 'HTTPS'] required: - port type: object @@ -14240,15 +16905,18 @@ spec: description: Number of seconds after the container has started before readiness probes are initiated. format: int32 + minimum: 0 type: integer periodSeconds: description: How often (in seconds) to perform the probe. format: int32 + minimum: 0 type: integer successThreshold: description: Minimum consecutive successes for the probe to be considered successful after having failed. format: int32 + minimum: 0 type: integer tcpSocket: description: Health is determined by if the proxy is able to connect. 
@@ -14259,12 +16927,16 @@ spec: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 required: - port type: object timeoutSeconds: description: Number of seconds after which the probe times out. format: int32 + minimum: 0 type: integer type: object template: @@ -14278,8 +16950,8 @@ spec: type: string x-kubernetes-validations: - message: UDS must be an absolute path or abstract socket - rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ - \ '/' || self.substring(7,8) == '@') : true" + rule: "self.startsWith('unix://') ? (self.substring(7,8) == + '/' || self.substring(7,8) == '@') : true" - message: UDS may not be a dir rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: 
@@ -14324,14 +16996,84 @@ spec: type: object x-kubernetes-validations: - message: UDS may not include ports - rule: "(has(self.address) && self.address.startsWith('unix://'))\ - \ ? !has(self.ports) : true" + rule: "(has(self.address) && self.address.startsWith('unix://')) + ? !has(self.ports) : true" required: - template type: object status: + properties: + conditions: + description: Current service state of the resource. + items: + properties: + lastProbeTime: + description: Last time we probed the condition. + format: date-time + type: string + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: Human-readable message indicating details about + last transition. + type: string + reason: + description: Unique, one-word, CamelCase reason for the condition's + last transition. + type: string + status: + description: Status is the status of the condition. + type: string + type: + description: Type is the type of the condition. + type: string + type: object + type: array + observedGeneration: + anyOf: + - type: integer + - type: string + description: Resource Generation to which the Reconciled Condition + refers. + x-kubernetes-int-or-string: true + validationMessages: + description: Includes any errors or warnings detected by Istio's analyzers. + items: + properties: + documentationUrl: + description: A url pointing to the Istio documentation for this + specific error type. + type: string + level: + description: |- + Represents how severe a message is. + + Valid Options: UNKNOWN, ERROR, WARNING, INFO + enum: + - UNKNOWN + - ERROR + - WARNING + - INFO + type: string + type: + properties: + code: + description: A 7 character code matching `^IST[0-9]{4}$` + intended to uniquely identify the message type. + type: string + name: + description: A human-readable name for the message type. 
+ type: string + type: object + type: object + type: array type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec type: object served: true storage: true diff --git a/common/istio-cni-1-23/istio-crds/base/kustomization.yaml b/common/istio-cni-1-24/istio-crds/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-23/istio-crds/base/kustomization.yaml rename to common/istio-cni-1-24/istio-crds/base/kustomization.yaml diff --git a/common/istio-cni-1-23/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-cni-1-24/istio-install/base/deny_all_authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/deny_all_authorizationpolicy.yaml rename to common/istio-cni-1-24/istio-install/base/deny_all_authorizationpolicy.yaml diff --git a/common/istio-cni-1-23/istio-install/base/gateway.yaml b/common/istio-cni-1-24/istio-install/base/gateway.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/gateway.yaml rename to common/istio-cni-1-24/istio-install/base/gateway.yaml diff --git a/common/istio-cni-1-23/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-cni-1-24/istio-install/base/gateway_authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/gateway_authorizationpolicy.yaml rename to common/istio-cni-1-24/istio-install/base/gateway_authorizationpolicy.yaml diff --git a/common/istio-cni-1-23/istio-install/base/install.yaml b/common/istio-cni-1-24/istio-install/base/install.yaml similarity index 89% rename from common/istio-cni-1-23/istio-install/base/install.yaml rename to common/istio-cni-1-24/istio-install/base/install.yaml index 7d8c7688c3..e9db53193d 100644 --- a/common/istio-cni-1-23/istio-install/base/install.yaml +++ b/common/istio-cni-1-24/istio-install/base/install.yaml 
@@ -3,6 +3,12 @@ kind: ServiceAccount metadata: labels: app: istio-cni + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Cni @@ -12,22 +18,15 @@ metadata: --- apiVersion: v1 kind: ServiceAccount -metadata: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway-service-account - namespace: istio-system ---- -apiVersion: v1 -kind: ServiceAccount metadata: labels: app: istio-reader + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-reader + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: base-1.24.2 release: istio name: istio-reader-service-account namespace: istio-system @@ -37,6 +36,12 @@ kind: ServiceAccount metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod namespace: istio-system @@ -46,6 +51,12 @@ kind: ClusterRole metadata: labels: app: istio-cni + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Cni 
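Review bot: The second hunk deletes the `istio-ingressgateway-service-account` ServiceAccount from install.yaml, and nothing else in this file section re-creates it; any Deployment that still sets `serviceAccountName: istio-ingressgateway-service-account` (the gateway manifests are outside this diff) will have its pods rejected by the API server until the account exists again. If the 1.24 gateway manifests create their own ServiceAccount, the commit description should say so; otherwise the account should stay. Since a ServiceAccount is also an RBAC subject, any ClusterRoleBinding that still names it is worth checking in the same pass.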
@@ -68,6 +79,12 @@ kind: ClusterRole metadata: labels: app: istio-cni + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Cni @@ -95,6 +112,12 @@ kind: ClusterRole metadata: labels: app: istio-reader + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-reader + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istio-reader-clusterrole-istio-system rules: @@ -203,6 +226,12 @@ kind: ClusterRole metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod-clusterrole-istio-system rules: @@ -255,6 +284,7 @@ rules: - networking.istio.io resources: - workloadentries/status + - serviceentries/status verbs: - get - watch @@ -264,15 +294,29 @@ rules: - create - delete - apiGroups: - - networking.istio.io + - security.istio.io resources: - - serviceentries/status + - authorizationpolicies/status verbs: - get - watch - list - update - patch + - create + - delete +- apiGroups: + - '' + resources: + - services/status + verbs: + - get + - watch + - list + - update + - patch + - create + - delete - apiGroups: - apiextensions.k8s.io resources: @@ -339,7 +383,6 @@ rules: verbs: - create - apiGroups: - - networking.x-k8s.io - gateway.networking.k8s.io resources: - '*' 
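Review bot: The `istiod-clusterrole-istio-system` ClusterRole in the `-264,15` hunk gains `update`, `patch`, `create` and `delete` on `services/status` in the core API group and on `authorizationpolicies/status`, which widens what a compromised istiod could alter cluster-wide, and the commit subject only mentions the version bump. Because this file is the RBAC actually installed, the widening deserves a sentence in the commit description and a comment beside the new rule, e.g. `# widened in the 1.24.2 upgrade: status write access on core Services and AuthorizationPolicies`. Dropping `networking.x-k8s.io` from the gateway rules in the last hunk is a narrowing and needs no change.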
@@ -348,10 +391,17 @@ rules: - watch - list - apiGroups: - - networking.x-k8s.io - gateway.networking.k8s.io resources: - - '*' + - backendtlspolicies/status + - gatewayclasses/status + - gateways/status + - grpcroutes/status + - httproutes/status + - referencegrants/status + - tcproutes/status + - tlsroutes/status + - udproutes/status verbs: - update - patch @@ -396,6 +446,12 @@ kind: ClusterRole metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod-gateway-controller-istio-system rules: @@ -441,6 +497,12 @@ kind: ClusterRoleBinding metadata: labels: app: istio-cni + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Cni @@ -459,6 +521,12 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default k8s-app: istio-cni-repair @@ -479,6 +547,12 @@ kind: ClusterRoleBinding metadata: labels: app: istio-reader + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-reader + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istio-reader-clusterrole-istio-system roleRef: 
@@ -495,6 +569,12 @@ kind: ClusterRoleBinding metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod-clusterrole-istio-system roleRef: @@ -511,6 +591,12 @@ kind: ClusterRoleBinding metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod-gateway-controller-istio-system roleRef: @@ -527,6 +613,12 @@ kind: ValidatingWebhookConfiguration metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 istio: istiod istio.io/rev: default release: istio @@ -581,6 +673,12 @@ data: kind: ConfigMap metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot @@ -594,8 +692,7 @@ data: AMBIENT_ENABLED: 'false' AMBIENT_IPV6: 'true' CHAINED_CNI_PLUGIN: 'true' - CNI_NET_DIR: /etc/cni/net.d - CURRENT_AGENT_VERSION: 1.23.2 + CURRENT_AGENT_VERSION: 1.24.2 EXCLUDED_NAMESPACES: kube-system REPAIR_BROKEN_POD_LABEL_KEY: cni.istio.io/uninitialized REPAIR_BROKEN_POD_LABEL_VALUE: 'true' 
@@ -608,6 +705,12 @@ kind: ConfigMap metadata: labels: app: istio-cni + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Cni @@ -655,7 +758,7 @@ data: {{- end }} {{- end }} {{- end }} - {{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }} + {{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }} {{- $containers := list }} {{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}} metadata: @@ -676,8 +779,8 @@ data: kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}", {{- end }} {{- end }} - {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }} - {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}} + {{- if .Values.pilot.cni.enabled }} + {{- if eq .Values.pilot.cni.provider "multus" }} k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}', {{- end }} sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}", @@ -701,7 +804,7 @@ data: (not $nativeSidecar) }} initContainers: {{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }} - {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} + {{ if .Values.pilot.cni.enabled -}} - name: istio-validation {{ else -}} - name: istio-init 
@@ -753,9 +856,11 @@ data: {{ if .Values.global.logAsJson -}} - "--log_as_json" {{ end -}} - {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}} + {{ if .Values.pilot.cni.enabled -}} - "--run-validation" - "--skip-rule-apply" + {{ else if .Values.global.proxy_init.forceApplyIptables -}} + - "--force-apply" {{ end -}} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} {{- if .ProxyConfig.ProxyMetadata }} @@ -771,14 +876,14 @@ data: allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }} privileged: {{ .Values.global.proxy.privileged }} capabilities: - {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} + {{- if not .Values.pilot.cni.enabled }} add: - NET_ADMIN - NET_RAW {{- end }} drop: - ALL - {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }} + {{- if not .Values.pilot.cni.enabled }} readOnlyRootFilesystem: false runAsGroup: 0 runAsNonRoot: false @@ -790,34 +895,6 @@ data: runAsNonRoot: true {{- end }} {{ end -}} - {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} - - name: enable-core-dump - args: - - -c - - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited - command: - - /bin/sh - {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }} - image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}" - {{- else }} - image: "{{ .ProxyImage }}" - {{- end }} - {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} - resources: - {{ template "resources" . }} - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - SYS_ADMIN - drop: - - ALL - privileged: true - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - {{ end }} {{ if not $nativeSidecar }} containers: {{ end }} 
@@ -1013,7 +1090,7 @@ data: drop: - ALL privileged: true - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: false runAsUser: 0 @@ -1032,7 +1109,7 @@ data: drop: - ALL privileged: {{ .Values.global.proxy.privileged }} - readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }} + readOnlyRootFilesystem: true runAsGroup: {{ .ProxyGID | default "1337" }} {{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}} runAsNonRoot: false @@ -1061,10 +1138,6 @@ data: - mountPath: /var/run/secrets/istio name: istiod-ca-cert {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - mountPath: /var/run/secrets/istio/kubernetes - name: kube-ca-cert - {{- end }} - mountPath: /var/lib/istio/data name: istio-data {{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }} @@ -1140,11 +1213,6 @@ data: configMap: name: istio-ca-root-cert {{- end }} - {{- if eq .Values.global.pilotCertProvider "kubernetes" }} - - name: kube-ca-cert - configMap: - name: kube-root-ca.crt - {{- end }} {{- if .Values.global.mountMtlsCerts }} # Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications. - name: istio-certs @@ -1815,7 +1883,6 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 
@@ -1838,7 +1905,6 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-mesh-controller" ) | nindent 4 }} ownerReferences: @@ -1872,15 +1938,33 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name "gateway.istio.io/managed" "istio.io-mesh-controller" ) | nindent 8}} spec: + {{- if .Values.global.waypoint.affinity }} + affinity: + {{- toYaml .Values.global.waypoint.affinity | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.nodeSelector }} + nodeSelector: + {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.global.waypoint.tolerations }} + tolerations: + {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }} + {{- end }} terminationGracePeriodSeconds: 2 serviceAccountName: {{.ServiceAccount | quote}} containers: - name: istio-proxy ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP @@ -1987,13 +2071,10 @@ data: - name: ISTIO_META_MESH_ID value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}" {{- end }} + {{- if .Values.global.waypoint.resources }} resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 100m - memory: 128Mi + {{- toYaml .Values.global.waypoint.resources | nindent 10 }} + {{- end }} startupProbe: failureThreshold: 30 httpGet: @@ -2016,8 +2097,10 @@ data: timeoutSeconds: 1 securityContext: privileged: false + {{- if not (eq .Values.global.platform "openshift") }} runAsGroup: 1337 runAsUser: 1337 + {{- end }} allowPrivilegeEscalation: false readOnlyRootFilesystem: true runAsNonRoot: true 
@@ -2029,8 +2112,8 @@ data: {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} {{- end }} volumeMounts: - - name: workload-socket - mountPath: /var/run/secrets/workload-spiffe-uds + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket - mountPath: /var/run/secrets/istio name: istiod-ca-cert - mountPath: /var/lib/istio/data @@ -2084,13 +2167,19 @@ data: kind: Service metadata: annotations: - {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }} + {{ toJsonMap + (strdict "networking.istio.io/traffic-distribution" "PreferClose") + (omit .InfrastructureAnnotations + "kubectl.kubernetes.io/last-applied-configuration" + "gateway.istio.io/name-override" + "gateway.istio.io/service-account" + "gateway.istio.io/controller-version" + ) | nindent 4 }} labels: {{- toJsonMap .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} @@ -2128,7 +2217,6 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name ) | nindent 4 }} {{- if ge .KubeVersion 128 }} # Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412 @@ -2151,7 +2239,7 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 4 }} ownerReferences: - apiVersion: gateway.networking.k8s.io/v1beta1 @@ -2183,7 +2271,7 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name + "gateway.istio.io/managed" "istio.io-gateway-controller" ) | nindent 8 }} spec: securityContext: 
@@ -2222,6 +2310,9 @@ data: runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true ports: + - containerPort: 15020 + name: metrics + protocol: TCP - containerPort: 15021 name: status-port protocol: TCP @@ -2435,7 +2526,6 @@ data: .InfrastructureLabels (strdict "gateway.networking.k8s.io/gateway-name" .Name - "istio.io/gateway-name" .Name ) | nindent 4 }} name: {{.DeploymentName | quote}} namespace: {{.Namespace | quote}} @@ -2445,6 +2535,7 @@ data: name: {{.Name}} uid: {{.UID}} spec: + ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} @@ -2466,7 +2557,6 @@ data: "securityContext": {} }, "global": { - "autoscalingv2API": true, "caAddress": "", "caName": "", "certSigners": [], @@ -2480,7 +2570,6 @@ data: "cpu": "10m" } }, - "enabled": true, "externalIstiod": false, "hub": "docker.io/istio", "imagePullPolicy": "", @@ -2500,7 +2589,6 @@ data: "clusterName": "", "enabled": false }, - "namespace": "istio-system", "network": "", "omitSidecarInjectorConfigMap": false, "operatorManageWebhooks": false, @@ -2510,7 +2598,6 @@ data: "autoInject": "enabled", "clusterDomain": "cluster.local", "componentLogLevel": "misc:error", - "enableCoreDump": false, "excludeIPRanges": "", "excludeInboundPorts": "", "excludeOutboundPorts": "", @@ -2542,6 +2629,7 @@ data: "tracer": "none" }, "proxy_init": { + "forceApplyIptables": false, "image": "proxyv2" }, "remotePilotAddress": "", @@ -2553,17 +2641,28 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.23.2", - "variant": "" - }, - "istio_cni": { - "chained": true, - "enabled": true, - "provider": "default" + "tag": "1.24.2", + "variant": "", + "waypoint": { + "affinity": {}, + "nodeSelector": {}, + "resources": { + "limits": { + "cpu": "2", + "memory": "1Gi" + }, + "requests": { + "cpu": "100m", + "memory": "128Mi" + } + }, + "tolerations": [], + "topologySpreadConstraints": [] + } }, "pilot": { "cni": { - "enabled": false, + "enabled": true, "provider": "default" } }, 
@@ -2582,6 +2681,12 @@ data: kind: ConfigMap metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot @@ -2594,6 +2699,12 @@ kind: MutatingWebhookConfiguration metadata: labels: app: sidecar-injector + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot @@ -2745,6 +2856,12 @@ apiVersion: apps/v1 kind: DaemonSet metadata: labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default k8s-app: istio-cni-node @@ -2759,11 +2876,18 @@ spec: template: metadata: annotations: + container.apparmor.security.beta.kubernetes.io/install-cni: unconfined prometheus.io/path: /metrics prometheus.io/port: '15014' prometheus.io/scrape: 'true' sidecar.istio.io/inject: 'false' labels: + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istio-cni + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: cni-1.24.2 istio.io/dataplane-mode: none k8s-app: istio-cni-node sidecar.istio.io/inject: 'false' 
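Review bot: The `container.apparmor.security.beta.kubernetes.io/install-cni: unconfined` annotation added to the istio-cni DaemonSet pod template is the deprecated beta-annotation form (Kubernetes 1.30+ prefers the `securityContext.appArmorProfile` field), and `unconfined` removes the node's default AppArmor confinement from a container that, in the `@@ -2821,10 +2949,12 @@` hunk below, keeps `runAsUser: 0` with `NET_ADMIN`, `NET_RAW`, `SYS_PTRACE`, `SYS_ADMIN` and `DAC_OVERRIDE` even though `privileged` drops to `false`. That is still a net reduction versus the previous `privileged: true`, but the repo's seccomp patches renamed in this PR cover only istiod and istio-ingressgateway, so unless a profile is set outside these hunks the CNI container appears to run with neither seccomp nor AppArmor confinement. Since `pss_test.yaml` is among the workflows touched here, the PR description should state whether the namespace hosting this DaemonSet is exempt from the Pod Security Standards that test enforces, and the drop from `privileged: true` to an explicit capability set deserves a sentence of its own as it is the main security-relevant change in this upgrade.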
@@ -2806,8 +2930,12 @@ spec: envFrom: - configMapRef: name: istio-cni-config - image: docker.io/istio/install-cni:1.23.2 + image: docker.io/istio/install-cni:1.24.2 name: install-cni + ports: + - containerPort: 15014 + name: metrics + protocol: TCP readinessProbe: httpGet: path: /readyz @@ -2821,10 +2949,12 @@ spec: add: - NET_ADMIN - NET_RAW + - SYS_PTRACE - SYS_ADMIN + - DAC_OVERRIDE drop: - ALL - privileged: true + privileged: false runAsGroup: 0 runAsNonRoot: false runAsUser: 0 
@@ -2875,228 +3005,15 @@ spec: --- apiVersion: apps/v1 kind: Deployment -metadata: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway - strategy: - rollingUpdate: - maxSurge: 100% - maxUnavailable: 25% - template: - metadata: - annotations: - istio.io/rev: default - prometheus.io/path: /stats/prometheus - prometheus.io/port: '15020' - prometheus.io/scrape: 'true' - sidecar.istio.io/inject: 'false' - labels: - app: istio-ingressgateway - chart: gateways - heritage: Tiller - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - service.istio.io/canonical-name: istio-ingressgateway - service.istio.io/canonical-revision: latest - sidecar.istio.io/inject: 'false' - spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - requiredDuringSchedulingIgnoredDuringExecution: - containers: - - args: - - proxy - - router - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - env: - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: NODE_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.nodeName - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: ISTIO_CPU_LIMIT - 
valueFrom: - resourceFieldRef: - resource: limits.cpu - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - fieldPath: spec.serviceAccountName - - name: ISTIO_META_WORKLOAD_NAME - value: istio-ingressgateway - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - - name: ISTIO_META_UNPRIVILEGED_POD - value: 'true' - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_NODE_NAME - valueFrom: - fieldRef: - fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.23.2 - name: istio-proxy - ports: - - containerPort: 15021 - protocol: TCP - - containerPort: 8080 - protocol: TCP - - containerPort: 8443 - protocol: TCP - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 1 - resources: - limits: - cpu: 2000m - memory: 1024Mi - requests: - cpu: 100m - memory: 128Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - volumeMounts: - - mountPath: /var/run/secrets/workload-spiffe-uds - name: workload-socket - - mountPath: /var/run/secrets/credential-uds - name: credential-socket - - mountPath: /var/run/secrets/workload-spiffe-credentials - name: workload-certs - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /etc/istio/config - name: config-volume - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/run/secrets/tokens - name: istio-token - readOnly: true - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/pod - name: podinfo - - mountPath: /etc/istio/ingressgateway-certs - name: ingressgateway-certs - readOnly: true - - mountPath: 
/etc/istio/ingressgateway-ca-certs - name: ingressgateway-ca-certs - readOnly: true - securityContext: - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - serviceAccountName: istio-ingressgateway-service-account - volumes: - - emptyDir: {} - name: workload-socket - - emptyDir: {} - name: credential-socket - - emptyDir: {} - name: workload-certs - - configMap: - name: istio-ca-root-cert - name: istiod-ca-cert - - downwardAPI: - items: - - fieldRef: - fieldPath: metadata.labels - path: labels - - fieldRef: - fieldPath: metadata.annotations - path: annotations - name: podinfo - - emptyDir: {} - name: istio-envoy - - emptyDir: {} - name: istio-data - - name: istio-token - projected: - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - name: istio - optional: true - name: config-volume - - name: ingressgateway-certs - secret: - optional: true - secretName: istio-ingressgateway-certs - - name: ingressgateway-ca-certs - secret: - optional: true - secretName: istio-ingressgateway-ca-certs ---- -apiVersion: apps/v1 -kind: Deployment metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/rev: default @@ -3120,6 +3037,12 @@ spec: sidecar.istio.io/inject: 'false' labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/dataplane-mode: none 
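Review bot: The istio-ingressgateway Deployment removed in this hunk no longer exists in install.yaml, yet `patches/istio-ingressgateway-remove-pdb.yaml`, `patches/seccomp-istio-ingressgateway.yaml`, `patches/service.yaml` and the base `kustomization.yaml` are renamed unchanged later in this diff and appear to target that gateway, its PodDisruptionBudget and its Service; a kustomize patch whose target resource is absent fails the build, so either the gateway is now generated elsewhere in this PR or those patches need updating. The same removal continues in the PodDisruptionBudget, Role, RoleBinding, HorizontalPodAutoscaler and Service hunks that follow, including the `istio-ingressgateway-sds` Role that granted the gateway `get`/`watch`/`list` on Secrets, which is a privilege reduction worth calling out explicitly. If dropping the gateway from the base is intentional, the PR description should say where cluster ingress now comes from, since the Kubeflow Gateway resources presumably still select `istio: ingressgateway`.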
@@ -3173,17 +3096,27 @@ spec: - name: GOMAXPROCS valueFrom: resourceFieldRef: + divisor: '1' resource: limits.cpu - name: PLATFORM value: '' - image: docker.io/istio/pilot:1.23.2 + image: docker.io/istio/pilot:1.24.2 name: discovery ports: - containerPort: 8080 + name: http-debug protocol: TCP - containerPort: 15010 + name: grpc-xds + protocol: TCP + - containerPort: 15012 + name: tls-xds protocol: TCP - containerPort: 15017 + name: https-webhooks + protocol: TCP + - containerPort: 15014 + name: http-monitoring protocol: TCP readinessProbe: httpGet: @@ -3256,28 +3189,15 @@ spec: --- apiVersion: policy/v1 kind: PodDisruptionBudget -metadata: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - minAvailable: 1 - selector: - matchLabels: - app: istio-ingressgateway - istio: ingressgateway ---- -apiVersion: policy/v1 -kind: PodDisruptionBudget metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/rev: default 
@@ -3294,29 +3214,15 @@ spec: --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role -metadata: - labels: - install.operator.istio.io/owning-resource: unknown - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway-sds - namespace: istio-system -rules: -- apiGroups: - - '' - resources: - - secrets - verbs: - - get - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod namespace: istio-system @@ -3356,27 +3262,15 @@ rules: --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding -metadata: - labels: - install.operator.istio.io/owning-resource: unknown - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway-sds - namespace: istio-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: istio-ingressgateway-sds -subjects: -- kind: ServiceAccount - name: istio-ingressgateway-service-account ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 release: istio name: istiod namespace: istio-system 
@@ -3391,36 +3285,15 @@ subjects: --- apiVersion: autoscaling/v2 kind: HorizontalPodAutoscaler -metadata: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - maxReplicas: 5 - metrics: - - resource: - name: cpu - target: - averageUtilization: 80 - type: Utilization - type: Resource - minReplicas: 1 - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: istio-ingressgateway ---- -apiVersion: autoscaling/v2 -kind: HorizontalPodAutoscaler metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio.io/rev: default operator.istio.io/component: Pilot 
@@ -3444,41 +3317,15 @@ spec: --- apiVersion: v1 kind: Service -metadata: - annotations: - labels: - app: istio-ingressgateway - install.operator.istio.io/owning-resource: unknown - istio: ingressgateway - istio.io/rev: default - operator.istio.io/component: IngressGateways - release: istio - name: istio-ingressgateway - namespace: istio-system -spec: - ports: - - name: status-port - port: 15021 - protocol: TCP - targetPort: 15021 - - name: http2 - port: 80 - protocol: TCP - targetPort: 8080 - - name: https - port: 443 - protocol: TCP - targetPort: 8443 - selector: - app: istio-ingressgateway - istio: ingressgateway - type: LoadBalancer ---- -apiVersion: v1 -kind: Service metadata: labels: app: istiod + app.kubernetes.io/instance: istio + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: istiod + app.kubernetes.io/part-of: istio + app.kubernetes.io/version: 1.24.2 + helm.sh/chart: istiod-1.24.2 install.operator.istio.io/owning-resource: unknown istio: pilot istio.io/rev: default diff --git a/common/istio-cni-1-23/istio-install/base/kustomization.yaml b/common/istio-cni-1-24/istio-install/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/kustomization.yaml rename to common/istio-cni-1-24/istio-install/base/kustomization.yaml diff --git a/common/istio-cni-1-23/istio-install/base/patches/disable-debugging.yaml b/common/istio-cni-1-24/istio-install/base/patches/disable-debugging.yaml similarity index 100% rename from common/istio-cni-1-23/istio-install/base/patches/disable-debugging.yaml rename to common/istio-cni-1-24/istio-install/base/patches/disable-debugging.yaml 
diff --git a/common/istio-cni-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-cni-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-cni-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-cni-1-24/istio-install/base/patches/istiod-remove-pdb.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/istiod-remove-pdb.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/istiod-remove-pdb.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-cni-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/patches/seccomp-istiod.yaml b/common/istio-cni-1-24/istio-install/base/patches/seccomp-istiod.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/seccomp-istiod.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/seccomp-istiod.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/patches/service.yaml b/common/istio-cni-1-24/istio-install/base/patches/service.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/service.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/service.yaml
diff --git a/common/istio-cni-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-cni-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml
rename to common/istio-cni-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml
diff --git a/common/istio-cni-1-23/istio-namespace/base/kustomization.yaml b/common/istio-cni-1-24/istio-namespace/base/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-namespace/base/kustomization.yaml
rename to common/istio-cni-1-24/istio-namespace/base/kustomization.yaml
diff --git a/common/istio-cni-1-23/istio-namespace/base/namespace.yaml b/common/istio-cni-1-24/istio-namespace/base/namespace.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-namespace/base/namespace.yaml
rename to common/istio-cni-1-24/istio-namespace/base/namespace.yaml
diff --git a/common/istio-cni-1-23/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-cni-1-24/kubeflow-istio-resources/base/cluster-roles.yaml
similarity index 100%
rename from common/istio-cni-1-23/kubeflow-istio-resources/base/cluster-roles.yaml
rename to common/istio-cni-1-24/kubeflow-istio-resources/base/cluster-roles.yaml
diff --git a/common/istio-cni-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-cni-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml
similarity index 100%
rename from common/istio-cni-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml
rename to common/istio-cni-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml
diff --git a/common/istio-cni-1-23/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-cni-1-24/kubeflow-istio-resources/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-23/kubeflow-istio-resources/base/kustomization.yaml rename to common/istio-cni-1-24/kubeflow-istio-resources/base/kustomization.yaml diff --git a/common/istio-cni-1-23/profile-overlay.yaml b/common/istio-cni-1-24/profile-overlay.yaml similarity index 100% rename from common/istio-cni-1-23/profile-overlay.yaml rename to common/istio-cni-1-24/profile-overlay.yaml diff --git a/common/istio-1-23/profile.yaml b/common/istio-cni-1-24/profile.yaml similarity index 97% rename from common/istio-1-23/profile.yaml rename to common/istio-cni-1-24/profile.yaml index 077b0c86d2..838edaf5fb 100644 --- a/common/istio-1-23/profile.yaml +++ b/common/istio-cni-1-24/profile.yaml @@ -14,7 +14,7 @@ spec: enabled: true hub: docker.io/istio profile: default - tag: 1.23.2 + tag: 1.24.2 values: defaultRevision: "" gateways: diff --git a/common/istio-cni-1-23/split-istio-packages b/common/istio-cni-1-24/split-istio-packages similarity index 100% rename from common/istio-cni-1-23/split-istio-packages rename to common/istio-cni-1-24/split-istio-packages diff --git a/common/oauth2-proxy/components/README.md b/common/oauth2-proxy/components/README.md index 8332d6d5ec..841aa5beba 100644 --- a/common/oauth2-proxy/components/README.md +++ b/common/oauth2-proxy/components/README.md @@ -154,9 +154,9 @@ make the following changes to the `example/kustomization.yaml` file: * use `oauth2-proxy` overlay for istio-install ``` # from - - ../common/istio-1-23/istio-install/base + - ../common/istio-1-24/istio-install/base # to - - ../common/istio-1-23/istio-install/overlays/oauth2-proxy + - ../common/istio-1-24/istio-install/overlays/oauth2-proxy ``` * change `OIDC Authservice` to `oauth2-proxy for OIDC` and use overlay for m2m bearer tokens with self-signed in-cluster issuer 
@@ -189,12 +189,12 @@ index c1a85789..4a50440c 100644 +++ b/example/kustomization.yaml @@ -38,11 +38,11 @@ resources: # Istio - - ../common/istio-1-23/istio-crds/base - - ../common/istio-1-23/istio-namespace/base --- ../common/istio-1-23/istio-install/base + - ../common/istio-1-24/istio-crds/base + - ../common/istio-1-24/istio-namespace/base +-- ../common/istio-1-24/istio-install/base -# OIDC Authservice -- ../common//oidc-authservice/base -+- ../common/istio-1-23/istio-install/overlays/oauth2-proxy ++- ../common/istio-1-24/istio-install/overlays/oauth2-proxy +# oauth2-proxy for OIDC +- ../common/oauth2-proxy/overlays/m2m-dex-and-kind # Dex diff --git a/contrib/kserve/README.md b/contrib/kserve/README.md index d0ae01118b..3afe5f6841 100644 --- a/contrib/kserve/README.md +++ b/contrib/kserve/README.md @@ -61,15 +61,15 @@ For upgrading see [UPGRADE.md](UPGRADE.md) ``` 5. Install Istio ```sh - kubectl apply -k ../../common/istio-1-23/istio-crds/base - kubectl apply -k ../../common/istio-1-23/istio-namespace/base - kubectl apply -k ../../common/istio-1-23/istio-install/base + kubectl apply -k ../../common/istio-1-24/istio-crds/base + kubectl apply -k ../../common/istio-1-24/istio-namespace/base + kubectl apply -k ../../common/istio-1-24/istio-install/base ``` 6. Install knative ```sh kubectl apply -k ../../common/knative/knative-serving/overlays/gateways - kubectl apply -k ../../common/istio-1-23/cluster-local-gateway/base - kubectl apply -k ../../common/istio-1-23/kubeflow-istio-resources/base + kubectl apply -k ../../common/istio-1-24/cluster-local-gateway/base + kubectl apply -k ../../common/istio-1-24/kubeflow-istio-resources/base ``` 7. Install kserve ```sh diff --git a/example/kustomization.yaml b/example/kustomization.yaml index f2bd43d920..a2d369fd80 100644 --- a/example/kustomization.yaml +++ b/example/kustomization.yaml 
@@ -37,9 +37,9 @@ resources:
 - ../common/cert-manager/base
 - ../common/cert-manager/kubeflow-issuer/base
 # Istio
-- ../common/istio-1-23/istio-crds/base
-- ../common/istio-1-23/istio-namespace/base
-- ../common/istio-1-23/istio-install/overlays/oauth2-proxy
+- ../common/istio-1-24/istio-crds/base
+- ../common/istio-1-24/istio-namespace/base
+- ../common/istio-1-24/istio-install/overlays/oauth2-proxy
 # oauth2-proxy
 # NOTE: only uncomment ONE of the following overlays, depending on your cluster type
 - ../common/oauth2-proxy/overlays/m2m-dex-only # for all clusters
@@ -52,7 +52,7 @@ resources:
 - ../common/knative/knative-serving/overlays/gateways
 # Uncomment the following line if `knative-eventing` is required
 # - ../common/knative/knative-eventing/base
-- ../common/istio-1-23/cluster-local-gateway/base
+- ../common/istio-1-24/cluster-local-gateway/base
 # Kubeflow namespace
 - ../common/kubeflow-namespace/base
 # NetworkPolicies
@@ -60,7 +60,7 @@ resources:
 # Kubeflow Roles
 - ../common/kubeflow-roles/base
 # Kubeflow Istio Resources
-- ../common/istio-1-23/kubeflow-istio-resources/base
+- ../common/istio-1-24/kubeflow-istio-resources/base
 # Kubeflow Pipelines
diff --git a/hack/trivy_scan.py b/hack/trivy_scan.py
index b93334156e..eaf4bcfaf4 100755
--- a/hack/trivy_scan.py
+++ b/hack/trivy_scan.py
@@ -34,7 +34,7 @@
 "automl": "../apps/katib/upstream/installs",
 "pipelines": "../apps/pipeline/upstream/env ../apps/kfp-tekton/upstream/env",
 "training": "../apps/training-operator/upstream/overlays",
- "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-23/istio-crds/base ../common/istio-1-23/istio-namespace/base ../common/istio-1-23/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-23/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-23/kubeflow-istio-resources/base",
+ "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-24/istio-crds/base ../common/istio-1-24/istio-namespace/base ../common/istio-1-24/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-24/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-24/kubeflow-istio-resources/base",
 "workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/overlays ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays",
 "serving": "../contrib/kserve - ../contrib/kserve/models-web-app/overlays/kubeflow",
 "model-registry": "../apps/model-registry/upstream",
diff --git a/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml b/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml
index 3d34b0f0ab..c4c59cf063 100644
--- a/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml
+++ b/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml
@@ -34,14 +34,14 @@ sortOptions:
 resources:
 # Istio
-- ../../../common/istio-1-23/istio-crds/base
-- ../../../common/istio-1-23/istio-namespace/base
-- ../../../common/istio-1-23/istio-install/overlays/oauth2-proxy
+- ../../../common/istio-1-24/istio-crds/base
+- ../../../common/istio-1-24/istio-namespace/base
+- ../../../common/istio-1-24/istio-install/overlays/oauth2-proxy
 # oauth2-proxy
 - ../../../common/oauth2-proxy/overlays/m2m-dex-and-kind
 # Dex
 - ../../../common/dex/overlays/oauth2-proxy
-- ../../../common/istio-1-23/cluster-local-gateway/base
+- ../../../common/istio-1-24/cluster-local-gateway/base
 # Kubeflow namespace
 - ../../../common/kubeflow-namespace/base
 # NetworkPolicies
@@ -49,7 +49,7 @@ resources:
 # Kubeflow Roles
 - ../../../common/kubeflow-roles/base
 # Kubeflow Istio Resources
-- ../../../common/istio-1-23/kubeflow-istio-resources/base
+- ../../../common/istio-1-24/kubeflow-istio-resources/base
 # Central Dashboard
 - ../../../apps/centraldashboard/overlays/oauth2-proxy
 # Profiles + KFAM
diff --git a/tests/gh-actions/install_istio-cni.sh b/tests/gh-actions/install_istio-cni.sh
index 8077247168..2b34d2b07d 100755
--- a/tests/gh-actions/install_istio-cni.sh
+++ b/tests/gh-actions/install_istio-cni.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
 echo "Installing Istio-cni (with ExtAuthZ from oauth2-proxy) ..."
-cd common/istio-cni-1-23
+cd common/istio-cni-1-24
 kustomize build istio-crds/base | kubectl apply -f -
 kustomize build istio-namespace/base | kubectl apply -f -
 kustomize build istio-install/overlays/oauth2-proxy | kubectl apply -f -
diff --git a/tests/gh-actions/install_istio.sh b/tests/gh-actions/install_istio.sh
index 5d8e66d427..89e3de6b4c 100755
--- a/tests/gh-actions/install_istio.sh
+++ b/tests/gh-actions/install_istio.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -e
 echo "Installing Istio (with ExtAuthZ from oauth2-proxy) ..."
-cd common/istio-1-23
+cd common/istio-1-24
 kustomize build istio-crds/base | kubectl apply -f -
 kustomize build istio-namespace/base | kubectl apply -f -
 kustomize build istio-install/overlays/oauth2-proxy | kubectl apply -f -
diff --git a/tests/gh-actions/install_knative-cni.sh b/tests/gh-actions/install_knative-cni.sh
index c3d6a71324..b1ff428994 100755
--- a/tests/gh-actions/install_knative-cni.sh
+++ b/tests/gh-actions/install_knative-cni.sh
@@ -15,8 +15,8 @@ for i in {1..5}; do
 done
 set -e
-kustomize build common/istio-cni-1-23/cluster-local-gateway/base | kubectl apply -f -
-kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+kustomize build common/istio-cni-1-24/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s \
 --field-selector=status.phase!=Succeeded
diff --git a/tests/gh-actions/install_knative.sh b/tests/gh-actions/install_knative.sh
index 1d84031d5e..8bbed320ff 100755
--- a/tests/gh-actions/install_knative.sh
+++ b/tests/gh-actions/install_knative.sh
@@ -15,8 +15,8 @@ for i in {1..5}; do
 done
 set -e
-kustomize build common/istio-1-23/cluster-local-gateway/base | kubectl apply -f -
-kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+kustomize build common/istio-1-24/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
 kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s \
 --field-selector=status.phase!=Succeeded
From 2c57595ed065758cfbd2d59b4abf1d0d0b653d0e Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Sun, 12 Jan 2025 02:20:37 +0530
Subject: [PATCH 2/9] Removed service patch in istio
Signed-off-by: biswajit-9776
---
common/istio-1-24/istio-install/base/kustomization.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/istio-1-24/istio-install/base/kustomization.yaml b/common/istio-1-24/istio-install/base/kustomization.yaml
index 37d6f0b36e..82d3855d0f 100644
--- a/common/istio-1-24/istio-install/base/kustomization.yaml
+++ b/common/istio-1-24/istio-install/base/kustomization.yaml
@@ -10,7 +10,7 @@ resources:
 - gateway.yaml
 patches:
-- path: patches/service.yaml
+# - path: patches/service.yaml
 - path: patches/istio-configmap-disable-tracing.yaml
 - path: patches/disable-debugging.yaml
 - path: patches/istio-ingressgateway-remove-pdb.yaml
From 09ebe3f2d1def14aa90143c9c652cd39b5500981 Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Sun, 12 Jan 2025 02:26:03 +0530
Subject: [PATCH 3/9] Removed ingressgateway-remove-pdb patch
Signed-off-by: biswajit-9776
---
common/istio-1-24/istio-install/base/kustomization.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/istio-1-24/istio-install/base/kustomization.yaml b/common/istio-1-24/istio-install/base/kustomization.yaml
index 82d3855d0f..b9802cdfac 100644
--- a/common/istio-1-24/istio-install/base/kustomization.yaml
+++ b/common/istio-1-24/istio-install/base/kustomization.yaml
@@ -13,7 +13,7 @@ patches:
 # - path: patches/service.yaml
 - path: patches/istio-configmap-disable-tracing.yaml
 - path: patches/disable-debugging.yaml
-- path: patches/istio-ingressgateway-remove-pdb.yaml
+# - path: patches/istio-ingressgateway-remove-pdb.yaml
 - path: patches/istiod-remove-pdb.yaml
 - path: patches/seccomp-istio-ingressgateway.yaml
 - path: patches/seccomp-istiod.yaml
From c67b0824b302469b9336af8966caf5023f613b5a Mon Sep 17 00:00:00 2001
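Review bot: `+# - path: patches/service.yaml` disables the patch by commenting the entry out instead of deleting it, and the next hunk does the same with `istio-ingressgateway-remove-pdb.yaml`; the seccomp entry in the following commit and the istio-cni kustomization later in the series repeat the pattern. A commented-out kustomize patch records nothing about why it stopped applying, and the patch files whose entries are disabled appear to stay in the tree as orphans. Delete the entry together with the unused patch file, or if the line must stay as a breadcrumb, give it a reason in the comment, e.g. `# not applied: <reason the patch has no target in 1.24>`.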
From: biswajit-9776
Date: Sun, 12 Jan 2025 02:30:10 +0530
Subject: [PATCH 4/9] Removed ingressgateway deployment patch
Signed-off-by: biswajit-9776
---
common/istio-1-24/istio-install/base/kustomization.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/istio-1-24/istio-install/base/kustomization.yaml b/common/istio-1-24/istio-install/base/kustomization.yaml
index b9802cdfac..79dbe6191c 100644
--- a/common/istio-1-24/istio-install/base/kustomization.yaml
+++ b/common/istio-1-24/istio-install/base/kustomization.yaml
@@ -15,5 +15,5 @@ patches:
 - path: patches/disable-debugging.yaml
 # - path: patches/istio-ingressgateway-remove-pdb.yaml
 - path: patches/istiod-remove-pdb.yaml
-- path: patches/seccomp-istio-ingressgateway.yaml
+# - path: patches/seccomp-istio-ingressgateway.yaml
 - path: patches/seccomp-istiod.yaml
From b7face983f145ef8fe5b3dc2628b016bc069e815 Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Thu, 16 Jan 2025 23:17:15 +0530
Subject: [PATCH 5/9] Adding ingress service to istio
Signed-off-by: biswajit-9776
---
.../base/istio-ingressgateway-service.yaml | 31 +++++++++++++++++++
.../istio-install/base/kustomization.yaml | 3 +-
.../base/istio-ingressgateway-service.yaml | 31 +++++++++++++++++++
.../istio-install/base/kustomization.yaml | 5 +--
4 files changed, 67 insertions(+), 3 deletions(-)
create mode 100644 common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml
create mode 100644 common/istio-cni-1-24/istio-install/base/istio-ingressgateway-service.yaml
diff --git a/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml b/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml
new file mode 100644
index 0000000000..fba8f758eb
--- /dev/null
+++ b/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml
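Review bot: Disabling `patches/seccomp-istio-ingressgateway.yaml` removes, judging by its filename, the patch that applied a seccomp profile to the ingress gateway, and nothing on the new side replaces it: the istio-cni kustomization later in the series comments out the same line, and the istio-ingressgateway Deployment added later in the series sets `allowPrivilegeEscalation: false`, `drop: [ALL]` and `readOnlyRootFilesystem: true` but no `seccompProfile`. Under the `restricted` Pod Security Standard an absent seccomp profile is rejected, so if the gateway namespace is enforced at that level the new pods will fail admission rather than just run less confined. Either keep the patch and retarget it at the new Deployment, or add `seccompProfile:` / `type: RuntimeDefault` under the container `securityContext` of that Deployment. The commit subject says "deployment patch" while the line disabled here is the seccomp patch; worth aligning before merge.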
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations: null
+ labels:
+ app: istio-ingressgateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: ingressgateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ ports:
+ - name: status-port
+ port: 15021
+ protocol: TCP
+ targetPort: 15021
+ - name: http2
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ type: LoadBalancer
diff --git a/common/istio-1-24/istio-install/base/kustomization.yaml b/common/istio-1-24/istio-install/base/kustomization.yaml
index 79dbe6191c..ed75e8e86d 100644
--- a/common/istio-1-24/istio-install/base/kustomization.yaml
+++ b/common/istio-1-24/istio-install/base/kustomization.yaml
@@ -8,9 +8,10 @@ resources:
 - gateway_authorizationpolicy.yaml
 - deny_all_authorizationpolicy.yaml
 - gateway.yaml
+- istio-ingressgateway-service.yaml
 patches:
-# - path: patches/service.yaml
+- path: patches/service.yaml
 - path: patches/istio-configmap-disable-tracing.yaml
 - path: patches/disable-debugging.yaml
 # - path: patches/istio-ingressgateway-remove-pdb.yaml
diff --git a/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-service.yaml b/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-service.yaml
new file mode 100644
index 0000000000..fba8f758eb
--- /dev/null
+++ b/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-service.yaml
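Review bot: `annotations: null` in the new Service is rendering residue: an explicit null map adds nothing and some schema validators and linters reject it, so drop the key or write `annotations: {}` (the identical Service is added for istio-cni in the next hunk). The base also publishes ports 80 and 443 through `type: LoadBalancer`, so every consumer of this base gets a cloud load balancer with those ports exposed unless an overlay changes the type; the same commit re-enables `patches/service.yaml`, which presumably targets this Service, so confirm that patch adjusts the type or ports where a public load balancer is not intended. Once that is verified, a comment on the Service such as `# Generated from the Istio 1.24.2 ingress gateway profile; type/ports are adjusted by patches/service.yaml` would spare the next reader the same check.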
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations: null
+ labels:
+ app: istio-ingressgateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: ingressgateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ ports:
+ - name: status-port
+ port: 15021
+ protocol: TCP
+ targetPort: 15021
+ - name: http2
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ type: LoadBalancer
diff --git a/common/istio-cni-1-24/istio-install/base/kustomization.yaml b/common/istio-cni-1-24/istio-install/base/kustomization.yaml
index bb174d2dfa..8e7234f9c4 100644
--- a/common/istio-cni-1-24/istio-install/base/kustomization.yaml
+++ b/common/istio-cni-1-24/istio-install/base/kustomization.yaml
@@ -6,12 +6,13 @@ resources:
 - gateway_authorizationpolicy.yaml
 - deny_all_authorizationpolicy.yaml
 - gateway.yaml
+- istio-ingressgateway-service.yaml
 patches:
 - path: patches/service.yaml
 - path: patches/istio-configmap-disable-tracing.yaml
 - path: patches/disable-debugging.yaml
-- path: patches/istio-ingressgateway-remove-pdb.yaml
+# - path: patches/istio-ingressgateway-remove-pdb.yaml
 - path: patches/istiod-remove-pdb.yaml
-- path: patches/seccomp-istio-ingressgateway.yaml
+# - path: patches/seccomp-istio-ingressgateway.yaml
 - path: patches/seccomp-istiod.yaml
From a49925e6f4df6c0961a97b28bec806a1d056f2bc Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Fri, 17 Jan 2025 11:39:21 +0530
Subject: [PATCH 6/9] Added deployment for istio-ingressgateway
Signed-off-by: biswajit-9776
---
.../base/istio-ingressgateway-deployment.yaml | 218 ++++++++++++++++++
.../base/istio-ingressgateway-service.yaml | 31 +++
.../istio-install/base/kustomization.yaml | 1 +
3 files changed, 250 insertions(+)
create mode 100644 common/istio-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
diff --git a/common/istio-1-24/istio-install/base/istio-ingressgateway-deployment.yaml b/common/istio-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
new file mode 100644
index 0000000000..45a37d7f8f
--- /dev/null
+++ b/common/istio-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
@@ -0,0 +1,218 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + selector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + istio.io/rev: default + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + labels: + app: istio-ingressgateway + chart: gateways + heritage: Tiller + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + service.istio.io/canonical-name: istio-ingressgateway + service.istio.io/canonical-revision: latest + sidecar.istio.io/inject: "false" + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: null + requiredDuringSchedulingIgnoredDuringExecution: null + containers: + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + env: + - name: PILOT_CERT_PROVIDER + value: istiod + - name: CA_ADDR + value: istiod.istio-system.svc:15012 + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + 
valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: istio-ingressgateway + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: docker.io/istio/proxyv2:1.24.2 + name: istio-proxy + ports: + - containerPort: 15021 + protocol: TCP + - containerPort: 8080 + protocol: TCP + - containerPort: 8443 + protocol: TCP + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/istio/config + name: config-volume + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/pod + name: podinfo + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: 
/etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true + securityContext: + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + serviceAccountName: istio-ingressgateway-service-account + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + - emptyDir: {} + name: workload-certs + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: podinfo + - emptyDir: {} + name: istio-envoy + - emptyDir: {} + name: istio-data + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio + optional: true + name: config-volume + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs diff --git a/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml b/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml index fba8f758eb..9fe22b71b8 100644 --- a/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml +++ b/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml 
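Review bot: `image: docker.io/istio/proxyv2:1.24.2` in the new Deployment hard-codes the proxy version a second time next to `tag: 1.24.2` in profile.yaml, and nothing in the file marks it as rendered output, so the next upgrade has two places to bump and no hint that the manifest should be regenerated rather than hand-edited; the istio-cni copy at the hunk ending L223 is byte-identical and has the same issue. Add a header comment such as `# Rendered ingress gateway manifest for Istio 1.24.2; regenerate from profile.yaml on upgrade instead of editing by hand`, and consider pinning the image by digest as well as by tag so the proxy that is pulled is reproducible. The container `securityContext` sets `allowPrivilegeEscalation: false`, `drop: [ALL]` and `readOnlyRootFilesystem: true` but no `seccompProfile`, which the `restricted` Pod Security Standard requires; `seccompProfile:` / `type: RuntimeDefault` there would close that gap. The spec sets no `replicas`, and no HorizontalPodAutoscaler or PodDisruptionBudget accompanies it in this series, so the gateway runs as a single pod by default; the `null` values under `affinity.nodeAffinity` and the `chart: gateways` / `heritage: Tiller` labels are Helm residue that can be dropped.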
@@ -29,3 +29,34 @@ spec:
 app: istio-ingressgateway
 istio: ingressgateway
 type: LoadBalancer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: istio-ingressgateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: ingressgateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway-service-account
+ namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ install.operator.istio.io/owning-resource: unknown
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway-sds
+ namespace: istio-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-ingressgateway-sds
+subjects:
+- kind: ServiceAccount
+ name: istio-ingressgateway-service-account
\ No newline at end of file
diff --git a/common/istio-1-24/istio-install/base/kustomization.yaml b/common/istio-1-24/istio-install/base/kustomization.yaml
index ed75e8e86d..71e491be0f 100644
--- a/common/istio-1-24/istio-install/base/kustomization.yaml
+++ b/common/istio-1-24/istio-install/base/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
 - deny_all_authorizationpolicy.yaml
 - gateway.yaml
 - istio-ingressgateway-service.yaml
+- istio-ingressgateway-deployment.yaml
 patches:
 - path: patches/service.yaml
From 6a27cf1d148ef36b00b3ba07c65c681a44c96c48 Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Fri, 17 Jan 2025 11:42:00 +0530
Subject: [PATCH 7/9] Fixed yaml format
Signed-off-by: biswajit-9776
---
.../istio-install/base/istio-ingressgateway-service.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml b/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml
index 9fe22b71b8..78c0d98040 100644
--- a/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml
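Review bot: The new RoleBinding `istio-ingressgateway-sds` binds the gateway ServiceAccount to a Role of the same name that is not defined in this file, so it only does anything if that Role is still emitted elsewhere (install.yaml, presumably). Kubernetes accepts a RoleBinding whose roleRef does not exist, so if the Role is missing the binding is silently inert and the gateway agent lacks whatever secret access the Role grants, which would surface as TLS credential failures at the gateway rather than at apply time. Either add the Role next to the binding in this file or note the dependency with a comment such as `# Role istio-ingressgateway-sds is defined in install.yaml`. The same ServiceAccount and RoleBinding are appended for istio-cni at the hunk ending L224.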
+++ b/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml
@@ -59,4 +59,4 @@ roleRef:
 name: istio-ingressgateway-sds
 subjects:
 - kind: ServiceAccount
- name: istio-ingressgateway-service-account
\ No newline at end of file
+ name: istio-ingressgateway-service-account
From a32f643f1dd16af8b74cfad7fc8d64f1cd15b72e Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Fri, 17 Jan 2025 11:51:19 +0530
Subject: [PATCH 8/9] Added service and deployment for istio-cni
Signed-off-by: biswajit-9776
---
.../base/istio-ingressgateway-deployment.yaml | 218 ++++++++++++++++++
.../base/istio-ingressgateway-service.yaml | 31 +++
2 files changed, 249 insertions(+)
create mode 100644 common/istio-cni-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
diff --git a/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-deployment.yaml b/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
new file mode 100644
index 0000000000..45a37d7f8f
--- /dev/null
+++ b/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
@@ -0,0 +1,218 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: istio-ingressgateway + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + name: istio-ingressgateway + namespace: istio-system +spec: + selector: + matchLabels: + app: istio-ingressgateway + istio: ingressgateway + strategy: + rollingUpdate: + maxSurge: 100% + maxUnavailable: 25% + template: + metadata: + annotations: + istio.io/rev: default + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/inject: "false" + labels: + app: istio-ingressgateway + chart: gateways + heritage: Tiller + install.operator.istio.io/owning-resource: unknown + istio: ingressgateway + istio.io/rev: default + operator.istio.io/component: IngressGateways + release: istio + service.istio.io/canonical-name: istio-ingressgateway + service.istio.io/canonical-revision: latest + sidecar.istio.io/inject: "false" + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: null + requiredDuringSchedulingIgnoredDuringExecution: null + containers: + - args: + - proxy + - router + - --domain + - $(POD_NAMESPACE).svc.cluster.local + - --proxyLogLevel=warning + - --proxyComponentLogLevel=misc:error + - --log_output_level=default:info + env: + - name: PILOT_CERT_PROVIDER + value: istiod + - name: CA_ADDR + value: istiod.istio-system.svc:15012 + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: INSTANCE_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: HOST_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.hostIP + - name: ISTIO_CPU_LIMIT + 
valueFrom: + resourceFieldRef: + resource: limits.cpu + - name: SERVICE_ACCOUNT + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName + - name: ISTIO_META_WORKLOAD_NAME + value: istio-ingressgateway + - name: ISTIO_META_OWNER + value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + - name: ISTIO_META_MESH_ID + value: cluster.local + - name: TRUST_DOMAIN + value: cluster.local + - name: ISTIO_META_UNPRIVILEGED_POD + value: "true" + - name: ISTIO_META_CLUSTER_ID + value: Kubernetes + - name: ISTIO_META_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: docker.io/istio/proxyv2:1.24.2 + name: istio-proxy + ports: + - containerPort: 15021 + protocol: TCP + - containerPort: 8080 + protocol: TCP + - containerPort: 8443 + protocol: TCP + - containerPort: 15090 + name: http-envoy-prom + protocol: TCP + readinessProbe: + failureThreshold: 30 + httpGet: + path: /healthz/ready + port: 15021 + scheme: HTTP + initialDelaySeconds: 1 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + cpu: 2000m + memory: 1024Mi + requests: + cpu: 100m + memory: 128Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /var/run/secrets/workload-spiffe-uds + name: workload-socket + - mountPath: /var/run/secrets/credential-uds + name: credential-socket + - mountPath: /var/run/secrets/workload-spiffe-credentials + name: workload-certs + - mountPath: /etc/istio/proxy + name: istio-envoy + - mountPath: /etc/istio/config + name: config-volume + - mountPath: /var/run/secrets/istio + name: istiod-ca-cert + - mountPath: /var/run/secrets/tokens + name: istio-token + readOnly: true + - mountPath: /var/lib/istio/data + name: istio-data + - mountPath: /etc/istio/pod + name: podinfo + - mountPath: /etc/istio/ingressgateway-certs + name: ingressgateway-certs + readOnly: true + - mountPath: 
/etc/istio/ingressgateway-ca-certs + name: ingressgateway-ca-certs + readOnly: true + securityContext: + runAsGroup: 1337 + runAsNonRoot: true + runAsUser: 1337 + serviceAccountName: istio-ingressgateway-service-account + volumes: + - emptyDir: {} + name: workload-socket + - emptyDir: {} + name: credential-socket + - emptyDir: {} + name: workload-certs + - configMap: + name: istio-ca-root-cert + name: istiod-ca-cert + - downwardAPI: + items: + - fieldRef: + fieldPath: metadata.labels + path: labels + - fieldRef: + fieldPath: metadata.annotations + path: annotations + name: podinfo + - emptyDir: {} + name: istio-envoy + - emptyDir: {} + name: istio-data + - name: istio-token + projected: + sources: + - serviceAccountToken: + audience: istio-ca + expirationSeconds: 43200 + path: istio-token + - configMap: + name: istio + optional: true + name: config-volume + - name: ingressgateway-certs + secret: + optional: true + secretName: istio-ingressgateway-certs + - name: ingressgateway-ca-certs + secret: + optional: true + secretName: istio-ingressgateway-ca-certs diff --git a/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-service.yaml b/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-service.yaml index fba8f758eb..78c0d98040 100644 --- a/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-service.yaml +++ b/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-service.yaml 
@@ -29,3 +29,34 @@ spec:
 app: istio-ingressgateway
 istio: ingressgateway
 type: LoadBalancer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: istio-ingressgateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: ingressgateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway-service-account
+ namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ install.operator.istio.io/owning-resource: unknown
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway-sds
+ namespace: istio-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-ingressgateway-sds
+subjects:
+- kind: ServiceAccount
+ name: istio-ingressgateway-service-account
From a651024c686e6792348adf6ad6dc6bc699430871 Mon Sep 17 00:00:00 2001
From: biswajit-9776
Date: Fri, 17 Jan 2025 11:58:46 +0530
Subject: [PATCH 9/9] Fixed error
Signed-off-by: biswajit-9776
---
common/istio-cni-1-24/istio-install/base/kustomization.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/common/istio-cni-1-24/istio-install/base/kustomization.yaml b/common/istio-cni-1-24/istio-install/base/kustomization.yaml
index 8e7234f9c4..e905273b22 100644
--- a/common/istio-cni-1-24/istio-install/base/kustomization.yaml
+++ b/common/istio-cni-1-24/istio-install/base/kustomization.yaml
@@ -7,6 +7,7 @@ resources:
 - deny_all_authorizationpolicy.yaml
 - gateway.yaml
 - istio-ingressgateway-service.yaml
+- istio-ingressgateway-deployment.yaml
 patches:
 - path: patches/service.yaml