// Copyright Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";

package v1alpha1;

import "google/protobuf/any.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";

// Package-wide variables from generator "generated".
option go_package = "github.com/apache/dubbo-go-pixiu/operator/pkg/apis/istio/v1alpha1";
// ArchConfig specifies the pod scheduling target architecture(amd64, ppc64le, s390x, arm64)
// for all the Istio control plane components.
//
// Each field is a scheduling weight for one architecture. The weight scale and the
// deprecation of this whole message are documented on GlobalConfig.arch, its only
// visible use.
message ArchConfig {
  // Sets pod scheduling weight for amd64 arch.
  uint32 amd64 = 1;
  // Sets pod scheduling weight for ppc64le arch.
  uint32 ppc64le = 2;
  // Sets pod scheduling weight for s390x arch.
  uint32 s390x = 3;
  // Sets pod scheduling weight for arm64 arch.
  uint32 arm64 = 4;
}
// Configuration for CNI.
//
// Settings for the Istio CNI plugin install; ResourceQuotas below refers to it as a
// DaemonSet. Most fields mirror their GlobalConfig / ProxyConfig counterparts by name.
message CNIConfig {
  // Controls whether CNI is enabled.
  google.protobuf.BoolValue enabled = 1;
  // Image hub for the CNI image; presumably overrides GlobalConfig.hub — confirm.
  string hub = 2;
  // Image tag for the CNI image. A Value, so it may be given as a string or a number.
  google.protobuf.Value tag = 3;
  // Image name for the CNI container.
  string image = 4;
  // Image pull policy for the CNI container (same string vocabulary as
  // GlobalConfig.imagePullPolicy, presumably).
  string pullPolicy = 5;
  // Host directory the CNI binary is installed into — inferred from name.
  string cniBinDir = 6;
  // Host directory holding the CNI network configuration — inferred from name.
  string cniConfDir = 7;
  // Name of the CNI configuration file to write or chain into — inferred from name.
  string cniConfFileName = 8;
  // Namespaces the CNI plugin does not act on.
  repeated string excludeNamespaces = 9;
  // K8s annotations for the CNI pods. Deprecated; no replacement is named here.
  google.protobuf.Struct podAnnotations = 10 [deprecated=true];
  // Name of the PodSecurityPolicy ClusterRole — inferred from name.
  // Note: snake_case while its siblings are camelCase, so the default JSON name
  // is "pspClusterRole" (same for resource_quotas -> "resourceQuotas").
  string psp_cluster_role = 11;
  // Log level for the CNI plugin.
  string logLevel = 12;
  // Settings for the CNI repair behavior.
  CNIRepairConfig repair = 13;
  // Controls whether the plugin runs chained with the cluster's primary CNI — inferred from name.
  google.protobuf.BoolValue chained = 14;
  // Resource quota settings for the CNI DaemonSet.
  ResourceQuotas resource_quotas = 16;
  // K8s resource requests/limits for the CNI container.
  Resources resources = 17;
  // Controls whether the CNI container runs with a privileged securityContext.
  // NOTE(review): a privileged container has host-level access; leave it unset
  // unless the install path demonstrably needs it.
  google.protobuf.BoolValue privileged = 18;
}
// Configuration for the CNI taint behavior (see CNIConfig.taint).
message CNITaintConfig {
  // Controls whether taint behavior is enabled.
  google.protobuf.BoolValue enabled = 1;
}
// Configuration for the CNI repair behavior (see CNIConfig.repair).
message CNIRepairConfig {
  // Controls whether repair behavior is enabled.
  google.protobuf.BoolValue enabled = 1;
  // Image hub for the repair image; presumably parallels CNIConfig.hub — confirm.
  string hub = 2;
  // Image tag for the repair image (Value: string or number).
  google.protobuf.Value tag = 3;
  // Image name for the repair container.
  string image = 4;
  // Controls whether various repair behaviors are enabled.
  // labelPods: label pods identified as broken — inferred from name.
  bool labelPods = 5;
  // Deprecated legacy setting; note it is a string while the other toggles are bool.
  string createEvents = 6 [deprecated=true];
  // deletePods: delete pods identified as broken — inferred from name.
  // NOTE(review): this is the most disruptive repair action; the label fields
  // below presumably define which pods qualify — confirm before enabling.
  bool deletePods = 7;
  // Label key placed on pods identified as broken — inferred from name.
  string brokenPodLabelKey = 8;
  // Label value used together with brokenPodLabelKey — inferred from name.
  string brokenPodLabelValue = 9;
  // Name of the init container the repair logic inspects — inferred from name.
  string initContainerName = 10;
}
// Resource quota settings for the CNI DaemonSet (see CNIConfig.resource_quotas).
message ResourceQuotas {
  // Controls whether to create resource quotas or not for the CNI DaemonSet.
  google.protobuf.BoolValue enabled = 1;
  // Pod count limit for the created quota — inferred from name.
  int64 pods = 2;
}
// Configuration for CPU target utilization for HorizontalPodAutoscaler target.
//
// Every use of this message in this file is marked deprecated (EgressGatewayConfig.cpu,
// IngressGatewayConfig.cpu, PilotConfig.cpu).
message CPUTargetUtilizationConfig {
  // K8s utilization setting for HorizontalPodAutoscaler target.
  // Presumably a percentage, as in the k8s HPA API — confirm.
  //
  // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  int32 targetAverageUtilization = 1;
}
// Mirrors Resources for unmarshaling.
//
// Presumably the k8s ResourceRequirements shape: keys are resource names and
// values are quantity strings — confirm against the consumer.
message Resources {
  // Upper bounds per resource.
  map<string, string> limits = 1;
  // Requested amounts per resource.
  map<string, string> requests = 2;
}
// Mirrors ServiceAccount for unmarshaling.
//
// Used by EgressGatewayConfig.serviceAccount and IngressGatewayConfig.serviceAccount.
message ServiceAccount {
  // Annotations placed on the service account (free-form Struct).
  google.protobuf.Struct annotations = 1;
}
// DefaultPodDisruptionBudgetConfig specifies the default pod disruption budget configuration.
//
// See https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
//
// Its only visible use, GlobalConfig.defaultPodDisruptionBudget, is deprecated.
message DefaultPodDisruptionBudgetConfig {
  // Controls whether a PodDisruptionBudget with a default minAvailable value of 1 is created for each deployment.
  google.protobuf.BoolValue enabled = 1;
}
// DefaultResourcesConfig specifies the default k8s resources settings for all Istio control plane components.
//
// Its only visible use, GlobalConfig.defaultResources, is deprecated.
message DefaultResourcesConfig {
  // k8s resources settings.
  //
  // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
  ResourcesRequestsConfig requests = 1;
}
// Configuration for an egress gateway.
//
// Field numbers 4 and 6 are unused and not reserved; if they once carried fields,
// add a `reserved` statement so they cannot be reused with a different meaning.
message EgressGatewayConfig {
  // Controls whether auto scaling with a HorizontalPodAutoscaler is enabled.
  google.protobuf.BoolValue autoscaleEnabled = 1;
  // maxReplicas setting for HorizontalPodAutoscaler.
  uint32 autoscaleMax = 2;
  // minReplicas setting for HorizontalPodAutoscaler.
  uint32 autoscaleMin = 3;
  // K8s utilization setting for HorizontalPodAutoscaler target.
  //
  // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  CPUTargetUtilizationConfig cpu = 5 [deprecated=true];
  // Controls whether an egress gateway is enabled.
  google.protobuf.BoolValue enabled = 7;
  // Environment variables passed to the proxy container.
  google.protobuf.Struct env = 8;
  // K8s labels applied to the gateway workload — inferred from name.
  map<string, string> labels = 9;
  // Name of the gateway; numbered 25 although listed here.
  string name = 25;
  // K8s node selector.
  //
  // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  google.protobuf.Struct nodeSelector = 10 [deprecated=true];
  // K8s annotations for pods.
  //
  // See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  google.protobuf.Struct podAnnotations = 11 [deprecated=true];
  // Pod anti-affinity label selector.
  //
  // Specify the pod anti-affinity that allows you to constrain which nodes
  // your pod is eligible to be scheduled based on labels on pods that are
  // already running on the node rather than based on labels on nodes.
  // There are currently two types of anti-affinity:
  // "requiredDuringSchedulingIgnoredDuringExecution"
  // "preferredDuringSchedulingIgnoredDuringExecution"
  // which denote "hard" vs. "soft" requirements; you can define your values
  // in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector"
  // correspondingly.
  // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  //
  // Examples:
  // podAntiAffinityLabelSelector:
  // - key: security
  //   operator: In
  //   values: S1,S2
  //   topologyKey: "kubernetes.io/hostname"
  // This pod anti-affinity rule says that the pod requires not to be scheduled
  // onto a node if that node is already running a pod with label having key
  // "security" and value "S1".
  repeated google.protobuf.Struct podAntiAffinityLabelSelector = 12 [deprecated=true];
  // See PodAntiAffinityLabelSelector.
  repeated google.protobuf.Struct podAntiAffinityTermLabelSelector = 13 [deprecated=true];
  // Ports Configuration for the egress gateway service.
  repeated PortsConfig ports = 14;
  // K8s resources settings.
  //
  // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
  Resources resources = 15 [deprecated=true];
  // Config for secret volume mounts.
  repeated SecretVolume secretVolumes = 16;
  // Annotations to add to the egress gateway service.
  google.protobuf.Struct serviceAnnotations = 17;
  // Service type.
  //
  // See https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
  string type = 18;
  // Enables cross-cluster access using SNI matching.
  ZeroVPNConfig zvpn = 19;
  // K8s tolerations for the gateway pods. Deprecated; no replacement is named here.
  repeated google.protobuf.Struct tolerations = 20 [deprecated=true];
  // K8s rolling update strategy
  IntOrString rollingMaxSurge = 21 [deprecated=true];
  // K8s rolling update strategy
  IntOrString rollingMaxUnavailable = 22 [deprecated=true];
  // Additional volumes for the gateway pod (free-form k8s volume specs) — inferred from name.
  repeated google.protobuf.Struct configVolumes = 23;
  // Additional containers added to the gateway pod (free-form k8s container specs) — inferred from name.
  // NOTE(review): anything placed here shares the gateway pod's service account and network.
  repeated google.protobuf.Struct additionalContainers = 24;
  // Controls whether the gateway container runs as root.
  // NOTE(review): leave unset unless a port or capability requirement forces it.
  google.protobuf.BoolValue runAsRoot = 26;
  // The injection template to use for the gateway. If not set, no injection will be performed.
  string injectionTemplate = 27;
  // Service account settings for the gateway.
  ServiceAccount serviceAccount = 28;
  // Next available 29.
}
// Configuration for gateways.
//
// Field number 3 is unused and not reserved. The json_name options keep the
// hyphenated keys a protobuf field name cannot spell.
message GatewaysConfig {
  // Configuration for an egress gateway.
  EgressGatewayConfig istio_egressgateway = 1 [json_name="istio-egressgateway"];
  // Controls whether any gateways are enabled.
  google.protobuf.BoolValue enabled = 2;
  // Configuration for an ingress gateway.
  IngressGatewayConfig istio_ingressgateway = 4 [json_name="istio-ingressgateway"];
}
// Global Configuration for Istio components.
//
// Field numbers are not contiguous and the gaps are not reserved; the trailing
// comment tracks the next free number.
message GlobalConfig {
  // Specifies pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows:
  // 0 - Never scheduled
  // 1 - Least preferred
  // 2 - No preference
  // 3 - Most preferred
  //
  // Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior.
  ArchConfig arch = 1 [deprecated=true];
  // Root namespace for mesh-wide configuration — inferred from name.
  string configRootNamespace = 50;
  // Controls whether the server-side validation is enabled.
  google.protobuf.BoolValue configValidation = 3;
  // Default visibility settings for configuration resources — inferred from name.
  repeated string defaultConfigVisibilitySettings = 52;
  // Default k8s node selector for all the Istio control plane components
  //
  // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  google.protobuf.Struct defaultNodeSelector = 6 [deprecated=true];
  // Specifies the default pod disruption budget configuration.
  DefaultPodDisruptionBudgetConfig defaultPodDisruptionBudget = 7 [deprecated=true];
  // Default k8s resources settings for all Istio control plane components.
  //
  // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
  DefaultResourcesConfig defaultResources = 9 [deprecated=true];
  // Default k8s tolerations for control plane pods. Deprecated; no replacement is named here.
  repeated google.protobuf.Struct defaultTolerations = 55 [deprecated=true];
  // Specifies the docker hub for Istio images.
  string hub = 12;
  // Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent.
  // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated.
  //
  // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
  string imagePullPolicy = 13;
  // Names of image pull secrets used for the Istio images — inferred from name.
  repeated string imagePullSecrets = 37;
  // Specifies the default namespace for the Istio control plane components.
  string istioNamespace = 14;
  // Controls whether control plane logs are emitted as JSON — inferred from name.
  google.protobuf.BoolValue logAsJson = 36;
  // Specifies the global logging level settings for the Istio control plane components.
  GlobalLoggingConfig logging = 17;
  // Identifier of the mesh this control plane belongs to — inferred from name.
  string meshID = 53;
  // Configure the mesh networks to be used by the Split Horizon EDS.
  //
  // The following example defines two networks with different endpoints association methods.
  // For `network1` all endpoints that their IP belongs to the provided CIDR range will be
  // mapped to network1. The gateway for this network example is specified by its public IP
  // address and port.
  // The second network, `network2`, in this example is defined differently with all endpoints
  // retrieved through the specified Multi-Cluster registry being mapped to network2. The
  // gateway is also defined differently with the name of the gateway service on the remote
  // cluster. The public IP for the gateway will be determined from that remote service (only
  // LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
  // it still needs to be configured manually).
  //
  // meshNetworks:
  //   network1:
  //     endpoints:
  //     - fromCidr: "192.168.0.1/24"
  //     gateways:
  //     - address: 1.1.1.1
  //       port: 80
  //   network2:
  //     endpoints:
  //     - fromRegistry: reg1
  //     gateways:
  //     - registryServiceName: istio-ingressgateway.dubbo-system.svc.cluster.local
  //       port: 443
  //
  google.protobuf.Struct meshNetworks = 19;
  // Specifies the Configuration for Istio mesh across multiple clusters through Istio gateways.
  MultiClusterConfig multiCluster = 22;
  // Network this control plane's cluster is in (one of the meshNetworks keys, presumably).
  string network = 39;
  // Custom DNS config for the pod to resolve names of services in other
  // clusters. Use this to add additional search domains, and other settings.
  // see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
  // This does not apply to gateway pods as they typically need a different
  // set of DNS settings than the normal application pods (e.g. in multicluster scenarios).
  repeated string podDNSSearchNamespaces = 43;
  // Controls whether the sidecar injector ConfigMap is omitted — inferred from name.
  google.protobuf.BoolValue omitSidecarInjectorConfigMap = 38;
  // Controls whether to restrict the applications namespace the controller manages;
  // If set it to false, the controller watches all namespaces.
  google.protobuf.BoolValue oneNamespace = 23;
  // Controls whether the operator manages the webhook configurations — inferred from name.
  google.protobuf.BoolValue operatorManageWebhooks = 41;
  // Specifies the k8s priorityClassName for the istio control plane components.
  //
  // See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
  string priorityClassName = 27 [deprecated=true];
  // Specifies how proxies are configured within Istio.
  ProxyConfig proxy = 28;
  // Specifies the Configuration for proxy_init container which sets the pods' networking to intercept the inbound/outbound traffic.
  ProxyInitConfig proxy_init = 29 [json_name="proxy_init"];
  // Specifies the Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
  SDSConfig sds = 30;
  // Specifies the tag for the Istio docker images.
  google.protobuf.Value tag = 31;
  // Specifies the Configuration for each of the supported tracers.
  TracerConfig tracer = 33;
  // Controls whether to use of Mesh Configuration Protocol to distribute configuration.
  google.protobuf.BoolValue useMCP = 35;
  // Specifies the Istio control plane's pilot Pod IP address or remote cluster DNS resolvable hostname.
  string remotePilotAddress = 48;
  // Specifies the configuration of istiod
  IstiodConfig istiod = 54;
  // Configure the Pilot certificate provider.
  // Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none".
  // NOTE(review): "none" presumably disables provisioning of the control plane
  // certificate; confirm what the consumer does with it before relying on it.
  string pilotCertProvider = 56;
  // Configure the policy for validating JWT.
  // Currently, two options are supported: "third-party-jwt" and "first-party-jwt".
  // NOTE(review): the two policies differ in how workload tokens are issued and
  // validated; confirm which one the target cluster supports.
  string jwtPolicy = 57;
  // Specifies the configuration for Security Token Service.
  STSConfig sts = 58;
  // Configures the revision this control plane is a part of
  string revision = 59;
  // Controls whether the in-cluster MTLS key and certs are loaded from the secret volume mounts.
  google.protobuf.BoolValue mountMtlsCerts = 60;
  // The address of the CA for CSR.
  // NOTE(review): this endpoint issues workload identities; verify it is the
  // intended CA and reached over an authenticated channel.
  string caAddress = 61;
  // Controls whether one external istiod is enabled.
  google.protobuf.BoolValue externalIstiod = 62;
  // Controls whether a remote cluster is the config cluster for an external istiod
  google.protobuf.BoolValue configCluster = 64;
  // The name of the CA for workloads.
  // For example, when caName=GkeWorkloadCertificate, GKE workload certificates
  // will be used as the certificates for workloads.
  // The default value is "" and when caName="", the CA will be configured by other
  // mechanisms (e.g., environmental variable CA_PROVIDER).
  string caName = 65;
  // Controls whether the autoscaling/v2 API is used for HPAs — inferred from name.
  google.protobuf.BoolValue autoscalingv2API = 66;
  // The next available key is 67
}
// Configuration for Security Token Service (STS) server.
//
// See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16
message STSConfig {
  // Port the STS server listens on; 0 (unset) presumably means disabled — confirm.
  uint32 servicePort = 1;
}
// Configuration of istiod (see GlobalConfig.istiod).
//
// Field number 1 is unused and not reserved.
message IstiodConfig {
  // If enabled, istiod will perform config analysis
  google.protobuf.BoolValue enableAnalysis = 2;
}
// GlobalLoggingConfig specifies the global logging level settings for the Istio control plane components.
message GlobalLoggingConfig {
  // Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
  // The control plane has different scopes depending on component, but can configure default log level across all components
  // If empty, default scope and level will be used as configured in code
  string level = 1;
}
// Configuration for an ingress gateway.
//
// Largely parallels EgressGatewayConfig; ingress-only additions are the load
// balancer, traffic policy and ingressPorts fields. Field numbers have several
// unreserved gaps.
message IngressGatewayConfig {
  // Controls whether auto scaling with a HorizontalPodAutoscaler is enabled.
  google.protobuf.BoolValue autoscaleEnabled = 1;
  // maxReplicas setting for HorizontalPodAutoscaler.
  uint32 autoscaleMax = 2;
  // minReplicas setting for HorizontalPodAutoscaler.
  uint32 autoscaleMin = 3;
  // K8s utilization setting for HorizontalPodAutoscaler target.
  //
  // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  CPUTargetUtilizationConfig cpu = 5 [deprecated=true];
  // Controls whether a custom Service is used for the gateway — inferred from name; confirm.
  google.protobuf.BoolValue customService = 6;
  // Controls whether an ingress gateway is enabled.
  google.protobuf.BoolValue enabled = 10;
  // Environment variables passed to the proxy container.
  google.protobuf.Struct env = 11;
  // K8s labels applied to the gateway workload — inferred from name.
  map<string, string> labels = 15;
  // Static IP requested for the gateway Service (k8s Service loadBalancerIP).
  string loadBalancerIP = 16;
  // Source CIDRs allowed to reach the gateway Service (k8s Service loadBalancerSourceRanges).
  // NOTE(review): in k8s an empty list means any source is allowed.
  repeated string loadBalancerSourceRanges = 17;
  // Name of the gateway; numbered 44 although listed here.
  string name = 44;
  // K8s node selector.
  //
  // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  google.protobuf.Struct nodeSelector = 19 [deprecated=true];
  // K8s annotations for pods.
  //
  // See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  google.protobuf.Struct podAnnotations = 20 [deprecated=true];
  // See EgressGatewayConfig.
  repeated google.protobuf.Struct podAntiAffinityLabelSelector = 21 [deprecated=true];
  // See EgressGatewayConfig.
  repeated google.protobuf.Struct podAntiAffinityTermLabelSelector = 22 [deprecated=true];
  // Port Configuration for the ingress gateway.
  repeated PortsConfig ports = 23;
  // Number of replicas for the ingress gateway Deployment.
  uint32 replicaCount = 24 [deprecated=true];
  // K8s resources settings.
  // Note: a free-form Struct here, whereas EgressGatewayConfig.resources is typed Resources.
  //
  // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
  google.protobuf.Struct resources = 25 [deprecated=true];
  // Config for secret volume mounts.
  repeated SecretVolume secretVolumes = 27;
  // Annotations to add to the ingress gateway service.
  google.protobuf.Struct serviceAnnotations = 28;
  // Service type.
  //
  // See https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
  string type = 29;
  // Enables cross-cluster access using SNI matching.
  IngressGatewayZvpnConfig zvpn = 30;
  // K8s rolling update strategy
  IntOrString rollingMaxSurge = 31 [deprecated=true];
  // K8s rolling update strategy
  IntOrString rollingMaxUnavailable = 32 [deprecated=true];
  // k8s Service externalTrafficPolicy for the gateway Service.
  string externalTrafficPolicy = 34;
  // K8s tolerations for the gateway pods. Deprecated; no replacement is named here.
  repeated google.protobuf.Struct tolerations = 35 [deprecated=true];
  // Additional port entries for the gateway (free-form) — inferred from name; confirm.
  repeated google.protobuf.Struct ingressPorts = 36;
  // Additional containers added to the gateway pod (free-form k8s container specs) — inferred from name.
  // NOTE(review): anything placed here shares the gateway pod's service account and network.
  repeated google.protobuf.Struct additionalContainers = 37;
  // Additional volumes for the gateway pod (free-form k8s volume specs) — inferred from name.
  repeated google.protobuf.Struct configVolumes = 38;
  // Controls whether the gateway container runs as root.
  // NOTE(review): leave unset unless a port or capability requirement forces it.
  google.protobuf.BoolValue runAsRoot = 45;
  // The injection template to use for the gateway. If not set, no injection will be performed.
  string injectionTemplate = 46;
  // Service account settings for the gateway.
  ServiceAccount serviceAccount = 47;
  // Next available 48.
}
// IngressGatewayZvpnConfig enables cross-cluster access using SNI matching.
message IngressGatewayZvpnConfig {
  // Controls whether ZeroVPN is enabled.
  google.protobuf.BoolValue enabled = 1;
  // Domain suffix used for the SNI-based routing — inferred from name.
  string suffix = 2;
}
// MultiClusterConfig specifies the Configuration for Istio mesh across multiple clusters through the istio gateways.
message MultiClusterConfig {
  // Enables the connection between two kubernetes clusters via their respective ingressgateway services.
  // Use if the pods in each cluster cannot directly talk to one another.
  google.protobuf.BoolValue enabled = 1;
  // Name of this cluster within the mesh — inferred from name.
  string clusterName = 2;
  // Domain suffix used for cross-cluster service names — inferred from name.
  string globalDomainSuffix = 3;
  // Controls whether the multi-cluster EnvoyFilter is installed — inferred from name.
  google.protobuf.BoolValue includeEnvoyFilter = 4;
}
// OutboundTrafficPolicyConfig controls the default behavior of the sidecar for handling outbound traffic from the application.
//
// Field number 1 is unused and not reserved.
message OutboundTrafficPolicyConfig {
  // Specifies the sidecar's default behavior when handling outbound traffic from the application.
  //
  // NOTE(review): ALLOW_ANY is the zero value, so an unset `mode` reads as the
  // permissive policy. Because the numbers are fixed on the wire, this cannot be
  // changed in place; callers that want the restrictive default must set
  // REGISTRY_ONLY explicitly.
  enum Mode {
    // Outbound traffic to unknown destinations will be allowed, in case there are no services or ServiceEntries for the destination port
    ALLOW_ANY = 0;
    // Restrict outbound traffic to services defined in the service registry as well as those defined through ServiceEntries
    REGISTRY_ONLY = 1;
  }
  // Selected mode; defaults to ALLOW_ANY when unset (see the enum note).
  Mode mode = 2;
}
// Configuration for Pilot.
//
// Field numbers have unreserved gaps (7, 15-17, 19, 22-23, 27); do not reuse them.
message PilotConfig {
  // Controls whether Pilot is enabled.
  google.protobuf.BoolValue enabled = 1;
  // Controls whether a HorizontalPodAutoscaler is installed for Pilot.
  google.protobuf.BoolValue autoscaleEnabled = 2;
  // Minimum number of replicas in the HorizontalPodAutoscaler for Pilot.
  uint32 autoscaleMin = 3;
  // Maximum number of replicas in the HorizontalPodAutoscaler for Pilot.
  uint32 autoscaleMax = 4;
  // Number of replicas in the Pilot Deployment.
  uint32 replicaCount = 5 [deprecated=true];
  // Image name used for Pilot.
  //
  // This can be set either to image name if hub is also set, or can be set to the full hub:name string.
  //
  // Examples: custom-pilot, docker.io/someuser:custom-pilot
  string image = 6;
  // Trace sampling fraction.
  //
  // Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead.
  //
  // Allowed values: 0.0 to 1.0
  double traceSampling = 8;
  // K8s resources settings.
  //
  // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
  Resources resources = 9 [deprecated=true];
  // Namespace that the configuration management feature is installed into, if different from Pilot namespace.
  string configNamespace = 10;
  // Target CPU utilization used in HorizontalPodAutoscaler.
  //
  // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
  CPUTargetUtilizationConfig cpu = 11 [deprecated=true];
  // K8s node selector.
  //
  // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  google.protobuf.Struct nodeSelector = 12 [deprecated=true];
  // Maximum duration that a sidecar can be connected to a pilot.
  //
  // This setting balances out load across pilot instances, but adds some resource overhead.
  //
  // Examples: 300s, 30m, 1h
  google.protobuf.Duration keepaliveMaxServerConnectionAge = 13;
  // Labels that are added to Pilot deployment and pods.
  //
  // See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  google.protobuf.Struct deploymentLabels = 14;
  // Labels added to Pilot pods only — inferred from name.
  google.protobuf.Struct podLabels = 36;
  // Configuration settings passed to Pilot as a ConfigMap.
  //
  // This controls whether the mesh config map, generated from values.yaml is generated.
  // If false, pilot will use default values or user-supplied values, in that order of preference.
  google.protobuf.BoolValue configMap = 18;
  // Controls whether Pilot is configured through the Mesh Control Protocol (MCP).
  //
  // If set to true, Pilot requires an MCP server (like Galley) to be installed.
  google.protobuf.BoolValue useMCP = 20;
  // Environment variables passed to the Pilot container.
  //
  // Examples:
  // env:
  //   ENV_VAR_1: value1
  //   ENV_VAR_2: value2
  google.protobuf.Struct env = 21;
  // K8s rolling update strategy
  IntOrString rollingMaxSurge = 24 [deprecated=true];
  // K8s rolling update strategy
  IntOrString rollingMaxUnavailable = 25 [deprecated=true];
  // K8s tolerations for Pilot pods. Deprecated; no replacement is named here.
  repeated google.protobuf.Struct tolerations = 26 [deprecated=true];
  // if protocol sniffing is enabled for outbound
  google.protobuf.BoolValue enableProtocolSniffingForOutbound = 28;
  // if protocol sniffing is enabled for inbound
  google.protobuf.BoolValue enableProtocolSniffingForInbound = 29;
  // K8s annotations for pods.
  //
  // See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  google.protobuf.Struct podAnnotations = 30 [deprecated=true];
  // Annotations added to the Pilot Service — inferred from name.
  google.protobuf.Struct serviceAnnotations = 37;
  // ConfigSource describes a source of configuration data for networking
  // rules, and other Istio configuration artifacts. Multiple data sources
  // can be configured for a single control plane.
  PilotConfigSource configSource = 31;
  // Additional root CA trusted when resolving JWKS endpoints — inferred from name.
  // NOTE(review): this widens the trust set used for JWT validation; it should
  // name only the CA that signs the intended JWKS server's certificate.
  string jwksResolverExtraRootCA = 32;
  // Pilot plugins to enable — inferred from name; confirm the accepted values.
  repeated string plugins = 33;
  // Image hub for the Pilot image; presumably overrides GlobalConfig.hub — confirm.
  string hub = 34;
  // Image tag for the Pilot image (Value: string or number).
  google.protobuf.Value tag = 35;
}
// Controls legacy k8s ingress. Only one pilot profile should enable ingress support.
message PilotIngressConfig {
  // Sets the type ingress service for Pilot.
  //
  // If empty, node-port is assumed.
  //
  // Allowed values: node-port, istio-ingressgateway, ingress
  string ingressService = 1;
  // Mode for the ingress controller; unset reads as UNSPECIFIED (the enum's zero value).
  // Note: the field shares its name with its type, which yields awkward accessors
  // in some generated languages.
  ingressControllerMode ingressControllerMode = 2;
  // If mode is STRICT, this value must be set on "kubernetes.io/ingress.class" annotation to activate.
  string ingressClass = 3;
}
// Mode for the ingress controller.
//
// Note: the values carry no type prefix and the type is lowerCamel; both are
// against protobuf convention and the bare names (DEFAULT, STRICT, OFF) can
// collide with other top-level enums in this package. Renaming them would change
// generated identifiers and the JSON/text form, so document rather than rename.
enum ingressControllerMode {
  // Unspecified Istio ingress controller.
  UNSPECIFIED = 0;
  // Selects all Ingress resources, with or without Istio annotation.
  DEFAULT = 1;
  // Selects only resources with istio annotation.
  STRICT = 2;
  // No ingress or sync.
  OFF = 3;
}
// Controls whether Istio policy is applied to Pilot.
message PilotPolicyConfig {
  // Controls whether Istio policy is applied to Pilot.
  google.protobuf.BoolValue enabled = 1;
}
// Controls telemetry configuration
//
// Field number 2 is unused and not reserved.
message TelemetryConfig {
  // Controls whether telemetry is exported for Pilot.
  google.protobuf.BoolValue enabled = 1;
  // Use telemetry v2.
  TelemetryV2Config v2 = 3;
}
// Controls whether pilot will configure telemetry v2.
//
// Note: the snake_case fields get lowerCamel JSON names by default
// ("metadataExchange", "accessLogPolicy"), unlike the camelCase fields elsewhere.
message TelemetryV2Config {
  // Controls whether pilot will configure telemetry v2.
  google.protobuf.BoolValue enabled = 1;
  // Metadata exchange filter settings.
  TelemetryV2MetadataExchangeConfig metadata_exchange = 4;
  // Prometheus stats filter settings.
  TelemetryV2PrometheusConfig prometheus = 2;
  // Stackdriver filter settings.
  TelemetryV2StackDriverConfig stackdriver = 3;
  // Access log policy filter settings.
  TelemetryV2AccessLogPolicyFilterConfig access_log_policy = 5;
}
// Controls telemetry v2 metadata exchange settings.
//
// Field number 1 is unused and not reserved.
message TelemetryV2MetadataExchangeConfig {
  // Controls whether enabled WebAssembly runtime for metadata exchange filter.
  google.protobuf.BoolValue wasmEnabled = 2;
}
// Controls telemetry v2 prometheus settings.
message TelemetryV2PrometheusConfig {
  // Controls whether stats envoyfilter would be enabled or not.
  google.protobuf.BoolValue enabled = 1;
  // Controls whether enabled WebAssembly runtime for stats filter.
  google.protobuf.BoolValue wasmEnabled = 2;
  // Per-workload-class overrides of the default stats filter configuration.
  message ConfigOverride {
    // Overrides default gateway telemetry v2 configuration.
    google.protobuf.Struct gateway = 1;
    // Overrides default inbound sidecar telemetry v2 configuration.
    google.protobuf.Struct inboundSidecar = 2;
    // Overrides default outbound sidecar telemetry v2 configuration.
    google.protobuf.Struct outboundSidecar = 3;
  }
  // Overrides default telemetry v2 filter configuration.
  // Note: snake_case here (JSON name "configOverride") while the Stackdriver
  // counterpart below spells it configOverride.
  ConfigOverride config_override = 3;
}
// Controls telemetry v2 stackdriver settings.
message TelemetryV2StackDriverConfig {
  // Types of Access logs to export.
  //
  // Values carry no type prefix; because the enum is nested, the bare names
  // only scope to this message. NONE is the zero value, so unset reads as "no logs".
  enum AccessLogging {
    // No Logs.
    NONE = 0;
    // All logs including both success and error logs.
    FULL = 1;
    // All error logs. This is currently only available for outbound/client side
    // logs. A request is classified as error when `status>=400 or
    // response_flag != "-"`
    ERRORS_ONLY = 2;
  };
  // The trailing ';' above is an empty statement, which protoc accepts.
  // Controls whether the stackdriver filter is enabled.
  google.protobuf.BoolValue enabled = 1;
  // Deprecated; replaced, presumably, by the two AccessLogging fields below — confirm.
  google.protobuf.BoolValue logging = 2 [deprecated=true];
  // Controls whether metrics are exported — inferred from name.
  google.protobuf.BoolValue monitoring = 3;
  // Deprecated; no replacement is named here.
  google.protobuf.BoolValue topology = 4 [deprecated=true];
  // Controls whether the outbound filter is disabled — inferred from name.
  google.protobuf.BoolValue disableOutbound = 6;
  // Free-form override of the default filter configuration.
  google.protobuf.Struct configOverride = 5;
  // Access logging mode for outbound traffic.
  AccessLogging outboundAccessLogging = 7;
  // Access logging mode for inbound traffic.
  AccessLogging inboundAccessLogging = 8;
}
// Controls telemetry v2 access log policy filter settings.
message TelemetryV2AccessLogPolicyFilterConfig {
  // Controls whether the access log policy filter is enabled.
  google.protobuf.BoolValue enabled = 1;
  // Window over which the policy applies — inferred from name; confirm the exact semantics.
  google.protobuf.Duration logWindowDuration = 2;
}
// PilotConfigSource describes information about a configuration store inside a
// mesh. A single control plane instance can interact with one or more data
// sources.
message PilotConfigSource {
  // Describes the source of configuration, if nothing is specified default is MCP.
  // NOTE(review): the comment above describes a source selector, but the field is a
  // list of subscribed resource names — confirm which one the consumer expects.
  repeated string subscribedResources = 1;
}
// Configuration for a port.
//
// Mirrors a k8s ServicePort entry, presumably; the int32 fields are not range
// checked by the schema, so 0 (unset) and out-of-range values must be handled by the consumer.
message PortsConfig {
  // Port name.
  string name = 1;
  // Port number.
  int32 port = 2;
  // NodePort number.
  int32 nodePort = 3;
  // Target port number.
  int32 targetPort = 4;
  // Protocol name.
  string protocol = 5;
}
// Configuration for Proxy.
//
// Field numbers have unreserved gaps (1-3, 7-8, 10-11, 15, 17, 26-27, 29-35); do not reuse them.
message ProxyConfig {
  // Controls sidecar auto-injection; a string, so confirm the accepted values with the consumer.
  string autoInject = 4;
  // Domain for the cluster, default: "cluster.local".
  //
  // K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/
  string clusterDomain = 5;
  // Per Component log level for proxy, applies to gateways and sidecars.
  //
  // If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used.
  string componentLogLevel = 6;
  // Enables core dumps for newly injected sidecars.
  //
  // If set, newly injected sidecars will have core dumps enabled.
  // NOTE(review): a proxy core dump captures process memory, which can include
  // key material and plaintext traffic; enable only for debugging and protect the dumps.
  google.protobuf.BoolValue enableCoreDump = 9;
  // Specifies the Istio ingress ports not to capture.
  string excludeInboundPorts = 12;
  // Lists the excluded IP ranges of Istio egress traffic that the sidecar captures.
  string excludeIPRanges = 13;
  // Image name or path for the proxy, default: "proxyv2".
  //
  // If registry or tag are not specified, global.hub and global.tag are used.
  //
  // Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0
  string image = 14;
  // Lists the IP ranges of Istio egress traffic that the sidecar captures.
  //
  // Example: "172.30.0.0/16,172.20.0.0/16"
  // This would only capture egress traffic on those two IP Ranges; all other outbound traffic would be allowed by the sidecar.
  string includeIPRanges = 16;
  // Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used.
  // Expected values are: trace|debug|info|warning|error|critical|off
  string logLevel = 18;
  // Enables privileged securityContext for the istio-proxy container.
  // NOTE(review): this applies to every injected sidecar; leave it unset unless required.
  //
  // See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  google.protobuf.BoolValue privileged = 19;
  // Sets the initial delay for readiness probes in seconds.
  uint32 readinessInitialDelaySeconds = 20;
  // Sets the interval between readiness probes in seconds.
  uint32 readinessPeriodSeconds = 21;
  // Sets the number of successive failed probes before indicating readiness failure.
  uint32 readinessFailureThreshold = 22;
  // Default port used for the Pilot agent's health checks.
  uint32 statusPort = 23;
  // K8s resources settings.
  //
  // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
  Resources resources = 24 [deprecated=true];
  // Tracer backend; unset reads as zipkin, the enum's zero value (see enum tracer).
  tracer tracer = 25;
  // Outbound ports not captured by the sidecar — inferred from name, by analogy with excludeInboundPorts.
  string excludeOutboundPorts = 28;
  // Container lifecycle hooks for the proxy (free-form k8s Lifecycle) — inferred from name.
  google.protobuf.Struct lifecycle = 36;
  // Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready
  //
  // Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior.
  google.protobuf.BoolValue holdApplicationUntilProxyStarts = 37 [deprecated=true];
  // Inbound ports captured by the sidecar — inferred from name.
  string includeInboundPorts = 38;
  // Outbound ports captured by the sidecar — inferred from name.
  string includeOutboundPorts = 39;
}
// Specifies which tracer to use.
//
// Note: zipkin is the zero value, so an unset ProxyConfig.tracer reads as zipkin
// rather than none. The values carry no type prefix and are lowercase, against
// convention; since numbers and names are part of the wire/JSON contract, keep
// them as they are and document instead of renaming.
enum tracer {
  // Default (zero value).
  zipkin = 0;
  lightstep = 1;
  datadog = 2;
  stackdriver = 3;
  openCensusAgent = 4;
  // Tracing disabled; must be set explicitly.
  none = 5;
}
// Configuration for proxy_init container which sets the pods' networking to intercept the inbound/outbound traffic.
//
// Field numbers 2-4 are unused and not reserved.
message ProxyInitConfig {
  // Specifies the image for the proxy_init container.
  string image = 1;
  // K8s resources settings.
  //
  // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container
  Resources resources = 5 [deprecated=true];
}
// Configuration for K8s resource requests.
//
// Used by DefaultResourcesConfig.requests; values are k8s quantity strings, presumably.
message ResourcesRequestsConfig {
  // Requested CPU.
  string cpu = 1;
  // Requested memory.
  string memory = 2;
}
// Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates.
//
// Only a deprecated field remains; numbers 1-4 are unused and not reserved.
message SDSConfig {
  // Deprecated token settings; no replacement is named here.
  google.protobuf.Struct token = 5 [deprecated=true];
}
// Configuration for secret volume mounts.
//
// See https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets.
message SecretVolume {
  // Path inside the container where the secret is mounted.
  string mountPath = 1;
  // Name of the volume.
  string name = 2;
  // Name of the k8s Secret backing the volume.
  string secretName = 3;
}
// ServiceConfig is described in istio.io documentation.
//
// Field numbers 4-17 are unused and not reserved; `type` is numbered 18 to
// match the other *Config messages' Service type field, presumably.
message ServiceConfig {
  // Annotations placed on the Service.
  google.protobuf.Struct annotations = 1;
  // Externally exposed port — inferred from name.
  uint32 externalPort = 2;
  // Name of the Service.
  string name = 3;
  // Service type (k8s ServiceType string).
  string type = 18;
}
// SidecarInjectorConfig is described in istio.io documentation.
//
// NOTE(review): field numbers are non-contiguous (1, 3, 5-10, 13-15, 17, 18, 20
// are unused) and none are `reserved`; confirm they were removed fields before
// reusing any number.
message SidecarInjectorConfig {
// Enables sidecar auto-injection in namespaces by default.
google.protobuf.BoolValue enableNamespacesByDefault = 2;
// Instructs Istio to not inject the sidecar on those pods, based on labels that are present in those pods.
//
// Annotations in the pods have higher precedence than the label selectors.
// Order of evaluation: Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy.
// See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
//
// Each entry is an untyped Struct (presumably a Kubernetes label selector) and is not validated by the schema.
repeated google.protobuf.Struct neverInjectSelector = 11;
// See NeverInjectSelector.
repeated google.protobuf.Struct alwaysInjectSelector = 12;
// If true, webhook or istioctl injector will rewrite PodSpec for liveness health check to redirect request to sidecar. This makes liveness check work even when mTLS is enabled.
google.protobuf.BoolValue rewriteAppHTTPProbe = 16;
// injectedAnnotations are additional annotations that will be added to the pod spec after injection
// This is primarily to support PSP annotations.
google.protobuf.Struct injectedAnnotations = 19;
// Enable objectSelector to filter out pods with no need for sidecar before calling istio-sidecar-injector.
google.protobuf.Struct objectSelector = 21;
// Configure the injection url for sidecar injector webhook
string injectionURL = 22;
// Templates defines a set of custom injection templates that can be used. For example, defining:
//
//   templates:
//     hello: |
//       metadata:
//         labels:
//           hello: world
//
// Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
// being injected with the hello=world labels.
// This is intended for advanced configuration only; most users should use the built in template.
// Template contents are untyped here and are interpreted by the injector, not checked by this schema.
google.protobuf.Struct templates = 23;
// Default templates specifies a set of default templates that are used in sidecar injection.
// By default, a template `sidecar` is always provided, which contains the template of default sidecar.
// To inject other additional templates, define it using the `templates` option, and add it to
// the default templates list.
// For example:
//
//   templates:
//     hello: |
//       metadata:
//         labels:
//           hello: world
//   defaultTemplates: ["sidecar", "hello"]
repeated string defaultTemplates = 24;
// If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook
// requests in Istiod, rather than at the webhook selection level.
// This option is intended for migration purposes only and will be removed in Istio 1.10.
google.protobuf.BoolValue useLegacySelectors = 4 [deprecated=true];
}
// Configuration for each of the supported tracers.
//
// NOTE(review): the `tracer` enum also lists `openCensusAgent` and `none`, for
// which there is no settings message here; where openCensusAgent is configured
// is not visible in this schema.
message TracerConfig {
// Configuration for the datadog tracing service.
TracerDatadogConfig datadog = 1;
// Configuration for the lightstep tracing service.
TracerLightStepConfig lightstep = 2;
// Configuration for the zipkin tracing service.
TracerZipkinConfig zipkin = 3;
// Configuration for the stackdriver tracing service.
TracerStackdriverConfig stackdriver = 4;
}
// Configuration for the datadog tracing service.
message TracerDatadogConfig {
// Address in host:port format for reporting trace data to the Datadog agent.
// Not validated by the schema; an empty string is indistinguishable from "unset".
string address = 1;
}
// Configuration for the lightstep tracing service.
message TracerLightStepConfig {
// Sets the lightstep satellite pool address in host:port format for reporting trace data.
string address = 1;
// Sets the lightstep access token.
//
// NOTE(review): this is a credential carried in plain text inside the values
// message. Anything that logs, diffs or persists rendered values (CRs, Helm
// output, debug dumps) will expose it; handle accordingly.
string accessToken = 2;
}
// Configuration for the zipkin tracing service.
message TracerZipkinConfig {
// Address of zipkin instance in host:port format for reporting trace data.
//
// Example: <zipkin-collector-service>.<zipkin-collector-namespace>:941
//
// Not validated by the schema; an empty string is indistinguishable from "unset".
string address = 1;
}
// Configuration for the stackdriver tracing service.
//
// The three limits below are proto3 `uint32` with implicit presence: a value of
// 0 is not serialized and cannot be told apart from "unset", so an explicit
// limit of zero cannot be expressed through this schema.
message TracerStackdriverConfig {
// Enables trace output to stdout.
google.protobuf.BoolValue debug = 1;
// The global default max number of attributes per span.
uint32 maxNumberOfAttributes = 2;
// The global default max number of annotation events per span.
uint32 maxNumberOfAnnotations = 3;
// The global default max number of message events per span.
uint32 maxNumberOfMessageEvents = 4;
}
// Configuration for the `base` component (CRDs and validation webhook settings).
message BaseConfig {
// For Helm2 use, adds the CRDs to templates.
google.protobuf.BoolValue enableCRDTemplates = 1;
// URL to use for validating webhook.
// Not validated by the schema; a bad or attacker-chosen value here redirects
// admission requests, so the source of this setting should be trusted.
string validationURL = 2;
// For istioctl usage to disable istio config crds in base.
google.protobuf.BoolValue enableIstioConfigCRDs = 3;
}
// Configuration for the `istiodRemote` component: where the sidecar injector
// webhook is reached when istiod runs in another cluster.
message IstiodRemoteConfig {
// URL to use for sidecar injector webhook.
string injectionURL = 1;
// Path to use for the sidecar injector webhook service.
string injectionPath = 2;
}
// Values is the top-level Helm values structure consumed by the operator.
//
// NOTE(review): field numbers are sparse (1, 3, 4, 7-9, 11, 12, 14-18, 20, 24-35
// unused) and none are `reserved`; confirm they were removed fields before any
// number is reused.
message Values {
// CNI settings.
CNIConfig cni = 2;
GatewaysConfig gateways = 5;
GlobalConfig global = 6;
PilotConfig pilot = 10;
// Controls whether telemetry is exported for Pilot.
TelemetryConfig telemetry = 23;
SidecarInjectorConfig sidecarInjectorWebhook = 13;
// Also a CNIConfig; its relationship to `cni` (alias, override, or legacy
// key) is not visible in this schema — confirm. Note the snake_case name,
// which differs from the camelCase used by the other fields.
CNIConfig istio_cni = 19;
// Revision (canary) name this installation belongs to.
string revision = 21;
string ownerName = 22;
// TODO can this import the real mesh config API?
// Untyped `Value`: the mesh config is not validated by this schema.
google.protobuf.Value meshConfig = 36;
BaseConfig base = 37;
IstiodRemoteConfig istiodRemote = 38;
repeated string revisionTags = 39;
string defaultRevision = 40;
}
// ZeroVPNConfig enables cross-cluster access using SNI matching.
message ZeroVPNConfig {
// Controls whether ZeroVPN is enabled.
google.protobuf.BoolValue enabled = 1;
// Presumably the DNS suffix used for SNI matching — confirm against the consumer of this value.
string suffix = 2;
}
// IntOrString is a type that can hold an int32 or a string. When used in
// JSON or YAML marshalling and unmarshalling, it produces or consumes the
// inner type. This allows you to have, for example, a JSON field that can
// accept a name or number.
// TODO: Rename to Int32OrString
//
// +protobuf=true
// +protobuf.options.(gogoproto.goproto_stringer)=false
// +k8s:openapi-gen=true
message IntOrString {
// Discriminator selecting between intVal and strVal; presumably follows the
// k8s.io/apimachinery IntOrString convention (0 = int, 1 = string) — confirm.
// The field name `type` is legal in protobuf but generates awkward accessors in some languages.
int64 type = 1;
// Integer value; wrapper type, so presence (set vs. unset) is preserved.
google.protobuf.Int32Value intVal = 2;
// String value; wrapper type, so presence (set vs. unset) is preserved.
google.protobuf.StringValue strVal = 3;
}