| // Copyright Istio Authors |
| // |
| // Licensed under the Apache License, Version 2.0 (the "License"); |
| // you may not use this file except in compliance with the License. |
| // You may obtain a copy of the License at |
| // |
| // http://www.apache.org/licenses/LICENSE-2.0 |
| // |
| // Unless required by applicable law or agreed to in writing, software |
| // distributed under the License is distributed on an "AS IS" BASIS, |
| // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| // See the License for the specific language governing permissions and |
| // limitations under the License. |
| |
| |
| syntax = 'proto3'; |
| |
| import "google/protobuf/any.proto"; |
| import "google/protobuf/struct.proto"; |
| import "google/protobuf/wrappers.proto"; |
| import "google/protobuf/duration.proto"; |
| |
| package v1alpha1; |
| |
| // Package-wide variables from generator "generated". |
| option go_package = "github.com/apache/dubbo-go-pixiu/operator/pkg/apis/istio/v1alpha1"; |
| |
| // ArchConfig specifies the pod scheduling target architecture(amd64, ppc64le, s390x, arm64) |
| // for all the Istio control plane components. |
| // |
| // Each field holds a scheduling weight for one architecture. The weight scale |
| // (0 = never scheduled, 1 = least preferred, 2 = no preference, 3 = most preferred) |
| // is documented on GlobalConfig.arch, the only field in this file that uses this |
| // message; that field is marked deprecated in favour of k8s affinity settings. |
| message ArchConfig { |
| // Sets pod scheduling weight for amd64 arch. |
| uint32 amd64 = 1; |
| |
| // Sets pod scheduling weight for ppc64le arch. |
| uint32 ppc64le = 2; |
| |
| // Sets pod scheduling weight for s390x arch. |
| uint32 s390x = 3; |
| |
| // Sets pod scheduling weight for arm64 arch. |
| uint32 arm64 = 4; |
| } |
| |
| // Configuration for CNI. |
| // |
| // Fields typed google.protobuf.BoolValue are tri-state (unset / true / false); |
| // callers should not treat "unset" as "false" without checking presence. |
| message CNIConfig { |
| // Controls whether CNI is enabled. |
| google.protobuf.BoolValue enabled = 1; |
| |
| // Image hub for the CNI image. Presumably overrides GlobalConfig.hub when set — confirm against the templates. |
| string hub = 2; |
| |
| // Image tag for the CNI image. Typed as google.protobuf.Value so YAML/JSON may supply a string or a number. |
| google.protobuf.Value tag = 3; |
| |
| // Image name for the CNI container. |
| string image = 4; |
| |
| // Image pull policy for the CNI container; see GlobalConfig.imagePullPolicy for the accepted values. |
| string pullPolicy = 5; |
| |
| // Directory for the CNI binaries. Whether this is a host path is decided by the installer, not by this schema. |
| string cniBinDir = 6; |
| |
| // Directory for the CNI configuration files. |
| string cniConfDir = 7; |
| |
| // Name of the CNI configuration file (see also `chained`). |
| string cniConfFileName = 8; |
| |
| // Namespaces excluded from CNI handling. |
| repeated string excludeNamespaces = 9; |
| |
| // Deprecated. K8s annotations for the CNI pods, untyped. |
| google.protobuf.Struct podAnnotations = 10 [deprecated=true]; |
| |
| // Name of the PodSecurityPolicy cluster role. |
| // Note the snake_case field name: its default proto3 JSON name is "pspClusterRole", |
| // unlike the camelCase siblings. Renaming now would change generated code, so it stays. |
| string psp_cluster_role = 11; |
| |
| // Log level for the CNI component. |
| string logLevel = 12; |
| |
| // Settings for the CNI repair controller. |
| CNIRepairConfig repair = 13; |
| |
| // Presumably controls whether the plugin is chained into an existing CNI configuration |
| // instead of being installed standalone — confirm against the installer. |
| google.protobuf.BoolValue chained = 14; |
| |
| // Settings for the CNI taint controller. |
| CNITaintConfig taint = 15; |
| |
| // Resource quotas for the CNI DaemonSet (see ResourceQuotas). |
| ResourceQuotas resource_quotas = 16; |
| |
| // K8s resources settings for the CNI DaemonSet. |
| Resources resources = 17; |
| |
| // Controls whether the CNI container runs privileged. A privileged container gets |
| // host-level access, so this should be set explicitly and reviewed rather than inherited. |
| google.protobuf.BoolValue privileged = 18; |
| } |
| |
| |
| // Configuration for the CNI taint controller, referenced from CNIConfig.taint. |
| message CNITaintConfig { |
| // Controls whether taint behavior is enabled. |
| google.protobuf.BoolValue enabled = 1; |
| } |
| |
| // Configuration for the CNI repair controller, referenced from CNIConfig.repair. |
| message CNIRepairConfig { |
| // Controls whether repair behavior is enabled. |
| google.protobuf.BoolValue enabled = 1; |
| |
| // Image hub for the repair image. Presumably overrides GlobalConfig.hub when set — confirm against the templates. |
| string hub = 2; |
| |
| // Image tag for the repair image. Typed as google.protobuf.Value so YAML/JSON may supply a string or a number. |
| google.protobuf.Value tag = 3; |
| |
| // Image name for the repair container. |
| string image = 4; |
| |
| // Controls whether various repair behaviors are enabled. |
| // Plain proto3 bool: false is indistinguishable from unset and is not serialized. |
| bool labelPods = 5; |
| |
| // Deprecated. Kept as a string for wire compatibility; new consumers should not read it. |
| string createEvents = 6 [deprecated=true]; |
| |
| // Presumably controls whether pods identified as broken are deleted — confirm with the controller. |
| // Plain proto3 bool; same presence caveat as labelPods. |
| bool deletePods = 7; |
| |
| // Label key used to mark broken pods — presumably paired with labelPods; confirm. |
| string brokenPodLabelKey = 8; |
| |
| // Label value used to mark broken pods — presumably paired with labelPods; confirm. |
| string brokenPodLabelValue = 9; |
| |
| // Name of the init container the repair controller looks for; the exact matching rule lives in the controller. |
| string initContainerName = 10; |
| } |
| |
| // Resource quotas for the CNI DaemonSet, referenced from CNIConfig.resource_quotas. |
| message ResourceQuotas { |
| // Controls whether to create resource quotas or not for the CNI DaemonSet. |
| google.protobuf.BoolValue enabled = 1; |
| |
| // Pod count for the quota. int64, so the schema itself does not reject negative values; validation lives elsewhere. |
| int64 pods = 2; |
| } |
| |
| // Configuration for CPU target utilization for HorizontalPodAutoscaler target. |
| // |
| // Every field that uses this message in this file (EgressGatewayConfig.cpu, |
| // IngressGatewayConfig.cpu, PilotConfig.cpu) is marked deprecated. |
| message CPUTargetUtilizationConfig { |
| // K8s utilization setting for HorizontalPodAutoscaler target. |
| // Presumably a percentage, as in the HPA API — confirm with the consuming template. |
| // |
| // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ |
| int32 targetAverageUtilization = 1; |
| } |
| |
| // Mirrors Resources for unmarshaling. |
| // |
| // Both maps are presumably keyed by k8s resource name ("cpu", "memory", ...) with |
| // quantity strings as values; the schema does not constrain keys. Map order is |
| // undefined on the wire, so nothing should depend on iteration order. |
| message Resources { |
| // Resource limits. |
| map<string, string> limits = 1; |
| // Resource requests. |
| map<string, string> requests = 2; |
| } |
| |
| // Mirrors ServiceAccount for unmarshaling. |
| message ServiceAccount { |
| // Annotations for the service account. Untyped (google.protobuf.Struct), so any keys pass through unchecked. |
| google.protobuf.Struct annotations = 1; |
| } |
| |
| // DefaultPodDisruptionBudgetConfig specifies the default pod disruption budget configuration. |
| // |
| // Referenced from GlobalConfig.defaultPodDisruptionBudget, which is marked deprecated. |
| // |
| // See https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
| message DefaultPodDisruptionBudgetConfig { |
| // Controls whether a PodDisruptionBudget with a default minAvailable value of 1 is created for each deployment. |
| google.protobuf.BoolValue enabled = 1; |
| } |
| |
| // DefaultResourcesConfig specifies the default k8s resources settings for all Istio control plane components. |
| // |
| // Referenced from GlobalConfig.defaultResources, which is marked deprecated. |
| message DefaultResourcesConfig { |
| // k8s resources settings. |
| // |
| // ResourcesRequestsConfig is defined outside this part of the file. |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container |
| ResourcesRequestsConfig requests = 1; |
| } |
| |
| // Configuration for an egress gateway. |
| // |
| // Field numbers are not contiguous (4, 6 are unused; `name` is 25). Do not |
| // reuse a gap without checking history, and reserve a number if a field is removed. |
| message EgressGatewayConfig { |
| // Controls whether auto scaling with a HorizontalPodAutoscaler is enabled. |
| google.protobuf.BoolValue autoscaleEnabled = 1; |
| |
| // maxReplicas setting for HorizontalPodAutoscaler. |
| uint32 autoscaleMax = 2; |
| |
| // minReplicas setting for HorizontalPodAutoscaler. |
| uint32 autoscaleMin = 3; |
| |
| // Deprecated. K8s utilization setting for HorizontalPodAutoscaler target. |
| // |
| // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ |
| CPUTargetUtilizationConfig cpu = 5 [deprecated=true]; |
| |
| // Controls whether an egress gateway is enabled. |
| google.protobuf.BoolValue enabled = 7; |
| |
| // Environment variables passed to the proxy container. |
| // Untyped Struct; values land in the pod spec, so secrets should be referenced, not inlined here. |
| google.protobuf.Struct env = 8; |
| |
| // K8s labels for the egress gateway — presumably applied to the deployment and pods; confirm with the templates. |
| map<string, string> labels = 9; |
| |
| // Name of the egress gateway. Any default is applied by the installer, not by this schema. |
| string name = 25; |
| |
| // Deprecated. K8s node selector. |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector |
| google.protobuf.Struct nodeSelector = 10 [deprecated=true]; |
| |
| // Deprecated. K8s annotations for pods. |
| // |
| // See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
| google.protobuf.Struct podAnnotations = 11 [deprecated=true]; |
| |
| // Deprecated. Pod anti-affinity label selector. |
| // |
| // Specify the pod anti-affinity that allows you to constrain which nodes |
| // your pod is eligible to be scheduled based on labels on pods that are |
| // already running on the node rather than based on labels on nodes. |
| // There are currently two types of anti-affinity: |
| // "requiredDuringSchedulingIgnoredDuringExecution" |
| // "preferredDuringSchedulingIgnoredDuringExecution" |
| // which denote “hard” vs. “soft” requirements, you can define your values |
| // in "podAntiAffinityLabelSelector" and "podAntiAffinityTermLabelSelector" |
| // correspondingly. |
| // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity |
| // |
| // Examples: |
| // podAntiAffinityLabelSelector: |
| // - key: security |
| // operator: In |
| // values: S1,S2 |
| // topologyKey: "kubernetes.io/hostname" |
| // This pod anti-affinity rule says that the pod requires not to be scheduled |
| // onto a node if that node is already running a pod with label having key |
| // “security” and value “S1”. |
| repeated google.protobuf.Struct podAntiAffinityLabelSelector = 12 [deprecated=true]; |
| |
| // Deprecated. See PodAntiAffinityLabelSelector. |
| repeated google.protobuf.Struct podAntiAffinityTermLabelSelector = 13 [deprecated=true]; |
| |
| // Ports Configuration for the egress gateway service. |
| repeated PortsConfig ports = 14; |
| |
| // Deprecated. K8s resources settings. |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container |
| Resources resources = 15 [deprecated=true]; |
| |
| // Config for secret volume mounts. SecretVolume is defined outside this part of the file. |
| repeated SecretVolume secretVolumes = 16; |
| |
| // Annotations to add to the egress gateway service. |
| google.protobuf.Struct serviceAnnotations = 17; |
| |
| // Service type. |
| // |
| // See https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
| string type = 18; |
| |
| // Enables cross-cluster access using SNI matching. ZeroVPNConfig is defined outside this part of the file. |
| ZeroVPNConfig zvpn = 19; |
| |
| // Deprecated. K8s tolerations, untyped. |
| repeated google.protobuf.Struct tolerations = 20 [deprecated=true]; |
| |
| // Deprecated. K8s rolling update strategy (maxSurge). |
| IntOrString rollingMaxSurge = 21 [deprecated=true]; |
| |
| // Deprecated. K8s rolling update strategy (maxUnavailable). |
| IntOrString rollingMaxUnavailable = 22 [deprecated=true]; |
| |
| // Additional config volumes for the gateway pod, untyped. |
| repeated google.protobuf.Struct configVolumes = 23; |
| |
| // Additional containers for the gateway pod, untyped. Each entry is passed through |
| // unchecked, so review these as carefully as the pod spec itself. |
| repeated google.protobuf.Struct additionalContainers = 24; |
| |
| // Controls whether the gateway runs as root. Leave unset/false unless a specific |
| // need is documented; running as root widens the impact of a proxy compromise. |
| google.protobuf.BoolValue runAsRoot = 26; |
| |
| // The injection template to use for the gateway. If not set, no injection will be performed. |
| string injectionTemplate = 27; |
| |
| // Service account settings (annotations) for the gateway. |
| ServiceAccount serviceAccount = 28; |
| |
| // Next available 29. |
| } |
| |
| // Configuration for gateways. |
| // |
| // Field number 3 is unused and not reserved; reserve it before reusing if it was |
| // ever published. The json_name overrides carry hyphens, so the JSON keys are |
| // "istio-egressgateway" / "istio-ingressgateway", not the proto field names. |
| message GatewaysConfig { |
| // Configuration for an egress gateway. |
| EgressGatewayConfig istio_egressgateway = 1 [json_name="istio-egressgateway"]; |
| |
| // Controls whether any gateways are enabled. |
| google.protobuf.BoolValue enabled = 2; |
| |
| // Configuration for an ingress gateway. |
| IngressGatewayConfig istio_ingressgateway = 4 [json_name="istio-ingressgateway"]; |
| } |
| |
| // Global Configuration for Istio components. |
| // |
| // Field numbers are sparse and out of order; several (2, 4, 5, 8, 10, 11, ...) are |
| // unused and not reserved. Check history before reusing any of them. |
| message GlobalConfig { |
| // Specifies pod scheduling arch(amd64, ppc64le, s390x, arm64) and weight as follows: |
| // 0 - Never scheduled |
| // 1 - Least preferred |
| // 2 - No preference |
| // 3 - Most preferred |
| // |
| // Deprecated: replaced by the affinity k8s settings which allows architecture nodeAffinity configuration of this behavior. |
| ArchConfig arch = 1 [deprecated=true]; |
| |
| // Root namespace for mesh-wide configuration — presumably; the exact semantics are defined by the consumer, not here. |
| string configRootNamespace = 50; |
| |
| // Controls whether the server-side validation is enabled. |
| google.protobuf.BoolValue configValidation = 3; |
| |
| // Default visibility settings for configuration resources — presumably exportTo-style values; confirm with the consumer. |
| repeated string defaultConfigVisibilitySettings = 52; |
| // Default k8s node selector for all the Istio control plane components |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector |
| google.protobuf.Struct defaultNodeSelector = 6 [deprecated=true]; |
| |
| // Deprecated. Specifies the default pod disruption budget configuration. |
| DefaultPodDisruptionBudgetConfig defaultPodDisruptionBudget = 7 [deprecated=true]; |
| |
| // Deprecated. Default k8s resources settings for all Istio control plane components. |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container |
| DefaultResourcesConfig defaultResources = 9 [deprecated=true]; |
| |
| // Deprecated. Default k8s tolerations for all control plane components, untyped. |
| repeated google.protobuf.Struct defaultTolerations = 55 [deprecated=true]; |
| |
| // Specifies the docker hub for Istio images. |
| string hub = 12; |
| |
| // Specifies the image pull policy for the Istio images. one of Always, Never, IfNotPresent. |
| // Defaults to Always if :latest tag is specified, or IfNotPresent otherwise. Cannot be updated. |
| // |
| // More info: https://kubernetes.io/docs/concepts/containers/images#updating-images |
| string imagePullPolicy = 13; |
| // Corresponds to the Go struct field: ImagePullPolicy v1.PullPolicy `json:"imagePullPolicy,omitempty"` |
| |
| // Names of k8s image pull secrets used for Istio images. Only the secret names travel in this config. |
| repeated string imagePullSecrets = 37; |
| |
| // Specifies the default namespace for the Istio control plane components. |
| string istioNamespace = 14; |
| |
| // Controls whether control plane components emit logs as JSON. |
| google.protobuf.BoolValue logAsJson = 36; |
| |
| // Specifies the global logging level settings for the Istio control plane components. |
| GlobalLoggingConfig logging = 17; |
| |
| // Identifier of the mesh this control plane belongs to. |
| string meshID = 53; |
| |
| // Configure the mesh networks to be used by the Split Horizon EDS. |
| // |
| // The following example defines two networks with different endpoints association methods. |
| // For `network1` all endpoints that their IP belongs to the provided CIDR range will be |
| // mapped to network1. The gateway for this network example is specified by its public IP |
| // address and port. |
| // The second network, `network2`, in this example is defined differently with all endpoints |
| // retrieved through the specified Multi-Cluster registry being mapped to network2. The |
| // gateway is also defined differently with the name of the gateway service on the remote |
| // cluster. The public IP for the gateway will be determined from that remote service (only |
| // LoadBalancer gateway service type is currently supported; for a NodePort type gateway service |
| // it still needs to be configured manually). |
| // |
| // meshNetworks: |
| // network1: |
| // endpoints: |
| // - fromCidr: "192.168.0.1/24" |
| // gateways: |
| // - address: 1.1.1.1 |
| // port: 80 |
| // network2: |
| // endpoints: |
| // - fromRegistry: reg1 |
| // gateways: |
| // - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local |
| // port: 443 |
| // |
| // Untyped Struct: the structure above is not enforced by this schema. |
| google.protobuf.Struct meshNetworks = 19; |
| |
| // Specifies the Configuration for Istio mesh across multiple clusters through Istio gateways. |
| MultiClusterConfig multiCluster = 22; |
| |
| // Name of the network this control plane is part of — presumably one of the keys in meshNetworks; confirm. |
| string network = 39; |
| |
| // Custom DNS config for the pod to resolve names of services in other |
| // clusters. Use this to add additional search domains, and other settings. |
| // see https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config |
| // This does not apply to gateway pods as they typically need a different |
| // set of DNS settings than the normal application pods (e.g. in multicluster scenarios). |
| repeated string podDNSSearchNamespaces = 43; |
| |
| // Presumably controls whether the sidecar injector ConfigMap is omitted from the install — confirm with the templates. |
| google.protobuf.BoolValue omitSidecarInjectorConfigMap = 38; |
| |
| // Controls whether to restrict the applications namespace the controller manages; |
| // If set it to false, the controller watches all namespaces. |
| google.protobuf.BoolValue oneNamespace = 23; |
| |
| // Presumably controls whether the operator, rather than istiod, manages the webhook configurations — confirm. |
| google.protobuf.BoolValue operatorManageWebhooks = 41; |
| |
| // Deprecated. Specifies the k8s priorityClassName for the istio control plane components. |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass |
| string priorityClassName = 27 [deprecated=true]; |
| |
| // Specifies how proxies are configured within Istio. |
| ProxyConfig proxy = 28; |
| |
| // Specifies the Configuration for proxy_init container which sets the pods' networking to intercept the inbound/outbound traffic. |
| // ProxyInitConfig is defined outside this part of the file. The json_name keeps the snake_case key. |
| ProxyInitConfig proxy_init = 29 [json_name="proxy_init"]; |
| |
| // Specifies the Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates. |
| // SDSConfig is defined outside this part of the file. |
| SDSConfig sds = 30; |
| |
| // Specifies the tag for the Istio docker images. |
| // Typed as google.protobuf.Value so YAML/JSON may supply a string or a number. |
| google.protobuf.Value tag = 31; |
| |
| // Specifies the Configuration for each of the supported tracers. |
| // TracerConfig is defined outside this part of the file. |
| TracerConfig tracer = 33; |
| |
| // Controls whether to use the Mesh Configuration Protocol to distribute configuration. |
| google.protobuf.BoolValue useMCP = 35; |
| |
| // Specifies the Istio control plane’s pilot Pod IP address or remote cluster DNS resolvable hostname. |
| string remotePilotAddress = 48; |
| |
| // Specifies the configuration of istiod. |
| IstiodConfig istiod = 54; |
| |
| // Configure the Pilot certificate provider. |
| // Currently, four providers are supported: "kubernetes", "istiod", "custom" and "none". |
| // Free-form string: values outside this list are not rejected by the schema. |
| string pilotCertProvider = 56; |
| |
| // Configure the policy for validating JWT. |
| // Currently, two options are supported: "third-party-jwt" and "first-party-jwt". |
| // Free-form string: values outside this list are not rejected by the schema. |
| string jwtPolicy = 57; |
| |
| // Specifies the configuration for Security Token Service. |
| STSConfig sts = 58; |
| |
| // Configures the revision this control plane is a part of |
| string revision = 59; |
| |
| // Controls whether the in-cluster MTLS key and certs are loaded from the secret volume mounts. |
| google.protobuf.BoolValue mountMtlsCerts = 60; |
| |
| // The address of the CA for CSR. |
| string caAddress = 61; |
| |
| // Controls whether one external istiod is enabled. |
| google.protobuf.BoolValue externalIstiod = 62; |
| |
| // Controls whether a remote cluster is the config cluster for an external istiod |
| google.protobuf.BoolValue configCluster = 64; |
| |
| // The name of the CA for workloads. |
| // For example, when caName=GkeWorkloadCertificate, GKE workload certificates |
| // will be used as the certificates for workloads. |
| // The default value is "" and when caName="", the CA will be configured by other |
| // mechanisms (e.g., environmental variable CA_PROVIDER). |
| string caName = 65; |
| |
| // Presumably controls whether the autoscaling/v2 HPA API is used for generated HPAs — confirm with the templates. |
| google.protobuf.BoolValue autoscalingv2API = 66; |
| // The next available key is 67 |
| } |
| |
| // Configuration for Security Token Service (STS) server. |
| // |
| // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 |
| message STSConfig { |
| // Port the STS server is exposed on. uint32, so values above 65535 are not rejected by the schema. |
| uint32 servicePort = 1; |
| } |
| |
| // Configuration for istiod, referenced from GlobalConfig.istiod. |
| // Field number 1 is unused and not reserved. |
| message IstiodConfig { |
| // If enabled, istiod will perform config analysis |
| google.protobuf.BoolValue enableAnalysis = 2; |
| } |
| |
| // GlobalLoggingConfig specifies the global logging level settings for the Istio control plane components. |
| message GlobalLoggingConfig { |
| // Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level> |
| // The control plane has different scopes depending on component, but can configure default log level across all components |
| // If empty, default scope and level will be used as configured in code |
| // The format is not validated by this schema. |
| string level = 1; |
| } |
| |
| // Configuration for an ingress gateway. |
| // |
| // Field numbers are sparse (4, 7-9, 12-14, 18, 26, 33, 39-43 unused, not reserved); |
| // check history before reusing any of them. Note that `resources` here is an untyped |
| // Struct whereas EgressGatewayConfig.resources is a typed Resources message. |
| message IngressGatewayConfig { |
| // Controls whether auto scaling with a HorizontalPodAutoscaler is enabled. |
| google.protobuf.BoolValue autoscaleEnabled = 1; |
| |
| // maxReplicas setting for HorizontalPodAutoscaler. |
| uint32 autoscaleMax = 2; |
| |
| // minReplicas setting for HorizontalPodAutoscaler. |
| uint32 autoscaleMin = 3; |
| |
| // Deprecated. K8s utilization setting for HorizontalPodAutoscaler target. |
| // |
| // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ |
| CPUTargetUtilizationConfig cpu = 5 [deprecated=true]; |
| |
| // Presumably controls whether a user-managed Service is used instead of the generated one — confirm with the templates. |
| google.protobuf.BoolValue customService = 6; |
| |
| // Controls whether an ingress gateway is enabled. |
| google.protobuf.BoolValue enabled = 10; |
| |
| // Environment variables passed to the proxy container. |
| // Untyped Struct; values land in the pod spec, so secrets should be referenced, not inlined here. |
| google.protobuf.Struct env = 11; |
| |
| // K8s labels for the ingress gateway — presumably applied to the deployment and pods; confirm with the templates. |
| map<string, string> labels = 15; |
| |
| // Static IP requested for the LoadBalancer Service (k8s Service.spec.loadBalancerIP). |
| string loadBalancerIP = 16; |
| |
| // Client CIDR ranges allowed to reach the LoadBalancer Service (k8s Service.spec.loadBalancerSourceRanges). |
| // When empty no source restriction is requested; enforcement depends on the cloud provider. |
| repeated string loadBalancerSourceRanges = 17; |
| |
| // Name of the ingress gateway. Any default is applied by the installer, not by this schema. |
| string name = 44; |
| |
| // Deprecated. K8s node selector. |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector |
| google.protobuf.Struct nodeSelector = 19 [deprecated=true]; |
| |
| // Deprecated. K8s annotations for pods. |
| // |
| // See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
| google.protobuf.Struct podAnnotations = 20 [deprecated=true]; |
| |
| // Deprecated. See EgressGatewayConfig. |
| repeated google.protobuf.Struct podAntiAffinityLabelSelector = 21 [deprecated=true]; |
| |
| // Deprecated. See EgressGatewayConfig. |
| repeated google.protobuf.Struct podAntiAffinityTermLabelSelector = 22 [deprecated=true]; |
| |
| // Port Configuration for the ingress gateway. |
| repeated PortsConfig ports = 23; |
| |
| // Deprecated. Number of replicas for the ingress gateway Deployment. |
| uint32 replicaCount = 24 [deprecated=true]; |
| |
| // Deprecated. K8s resources settings, untyped. |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container |
| google.protobuf.Struct resources = 25 [deprecated=true]; |
| |
| // Config for secret volume mounts. SecretVolume is defined outside this part of the file. |
| repeated SecretVolume secretVolumes = 27; |
| |
| // Annotations to add to the ingress gateway service. |
| google.protobuf.Struct serviceAnnotations = 28; |
| |
| // Service type. |
| // |
| // See https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types |
| string type = 29; |
| |
| // Enables cross-cluster access using SNI matching. |
| IngressGatewayZvpnConfig zvpn = 30; |
| |
| // Deprecated. K8s rolling update strategy (maxSurge). |
| IntOrString rollingMaxSurge = 31 [deprecated=true]; |
| |
| // Deprecated. K8s rolling update strategy (maxUnavailable). |
| IntOrString rollingMaxUnavailable = 32 [deprecated=true]; |
| |
| // K8s Service externalTrafficPolicy (e.g. Cluster or Local); not validated by this schema. |
| string externalTrafficPolicy = 34; |
| |
| // Deprecated. K8s tolerations, untyped. |
| repeated google.protobuf.Struct tolerations = 35 [deprecated=true]; |
| |
| // Additional ingress port entries, untyped. Relationship to `ports` is defined by the templates, not here. |
| repeated google.protobuf.Struct ingressPorts = 36; |
| |
| // Additional containers for the gateway pod, untyped. Each entry is passed through |
| // unchecked, so review these as carefully as the pod spec itself. |
| repeated google.protobuf.Struct additionalContainers = 37; |
| |
| // Additional config volumes for the gateway pod, untyped. |
| repeated google.protobuf.Struct configVolumes = 38; |
| |
| // Controls whether the gateway runs as root. Leave unset/false unless a specific |
| // need is documented; running as root widens the impact of a proxy compromise. |
| google.protobuf.BoolValue runAsRoot = 45; |
| |
| // The injection template to use for the gateway. If not set, no injection will be performed. |
| string injectionTemplate = 46; |
| |
| // Service account settings (annotations) for the gateway. |
| ServiceAccount serviceAccount = 47; |
| |
| // Next available 48. |
| } |
| |
| // IngressGatewayZvpnConfig enables cross-cluster access using SNI matching. |
| message IngressGatewayZvpnConfig { |
| // Controls whether ZeroVPN is enabled. |
| google.protobuf.BoolValue enabled = 1; |
| |
| // Suffix used for ZeroVPN SNI matching — presumably a DNS suffix; confirm with the consumer. |
| string suffix = 2; |
| } |
| |
| // MultiClusterConfig specifies the Configuration for Istio mesh across multiple clusters through the istio gateways. |
| message MultiClusterConfig { |
| // Enables the connection between two kubernetes clusters via their respective ingressgateway services. |
| // Use if the pods in each cluster cannot directly talk to one another. |
| google.protobuf.BoolValue enabled = 1; |
| |
| // Name identifying this cluster within the mesh. |
| string clusterName = 2; |
| // Domain suffix used for mesh-global names — presumably; confirm with the consumer. |
| string globalDomainSuffix = 3; |
| // Presumably controls whether the multi-cluster EnvoyFilter is installed — confirm with the templates. |
| google.protobuf.BoolValue includeEnvoyFilter = 4; |
| } |
| |
| // OutboundTrafficPolicyConfig controls the default behavior of the sidecar for handling outbound traffic from the application. |
| // |
| // Field number 1 is unused and not reserved. |
| message OutboundTrafficPolicyConfig { |
| // Specifies the sidecar's default behavior when handling outbound traffic from the application. |
| // |
| // ALLOW_ANY is the zero value, so an unset `mode` is indistinguishable from an |
| // explicit ALLOW_ANY on the wire: the permissive mode is the default. Reviewers |
| // who need REGISTRY_ONLY must see it set explicitly. |
| enum Mode { |
| // Outbound traffic to unknown destinations will be allowed, in case there are no services or ServiceEntries for the destination port |
| ALLOW_ANY = 0; |
| // Restrict outbound traffic to services defined in the service registry as well as those defined through ServiceEntries |
| REGISTRY_ONLY = 1; |
| } |
| // Outbound traffic mode; see Mode for the default-value caveat. |
| Mode mode = 2; |
| } |
| |
| // Configuration for Pilot. |
| // |
| // Field numbers are sparse (7, 15-17, 19, 22, 23, 27 unused, not reserved); |
| // check history before reusing any of them. |
| message PilotConfig { |
| // Controls whether Pilot is enabled. |
| google.protobuf.BoolValue enabled = 1; |
| |
| // Controls whether a HorizontalPodAutoscaler is installed for Pilot. |
| google.protobuf.BoolValue autoscaleEnabled = 2; |
| |
| // Minimum number of replicas in the HorizontalPodAutoscaler for Pilot. |
| uint32 autoscaleMin = 3; |
| |
| // Maximum number of replicas in the HorizontalPodAutoscaler for Pilot. |
| uint32 autoscaleMax = 4; |
| |
| // Deprecated. Number of replicas in the Pilot Deployment. |
| uint32 replicaCount = 5 [deprecated=true]; |
| |
| // Image name used for Pilot. |
| // |
| // This can be set either to image name if hub is also set, or can be set to the full hub:name string. |
| // |
| // Examples: custom-pilot, docker.io/someuser:custom-pilot |
| string image = 6; |
| |
| // Trace sampling fraction. |
| // |
| // Used to set the fraction of time that traces are sampled. Higher values are more accurate but add CPU overhead. |
| // |
| // Allowed values: 0.0 to 1.0 (not enforced by this schema) |
| double traceSampling = 8; |
| |
| // Deprecated. K8s resources settings. |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container |
| Resources resources = 9 [deprecated=true]; |
| |
| // Namespace that the configuration management feature is installed into, if different from Pilot namespace. |
| string configNamespace = 10; |
| |
| // Deprecated. Target CPU utilization used in HorizontalPodAutoscaler. |
| // |
| // See https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ |
| CPUTargetUtilizationConfig cpu = 11 [deprecated=true]; |
| |
| // Deprecated. K8s node selector. |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector |
| google.protobuf.Struct nodeSelector = 12 [deprecated=true]; |
| |
| // Maximum duration that a sidecar can be connected to a pilot. |
| // |
| // This setting balances out load across pilot instances, but adds some resource overhead. |
| // |
| // Examples: 300s, 30m, 1h |
| google.protobuf.Duration keepaliveMaxServerConnectionAge = 13; |
| |
| // Labels that are added to Pilot deployment and pods. |
| // |
| // See https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ |
| google.protobuf.Struct deploymentLabels = 14; |
| |
| // Labels added to Pilot pods only, untyped. |
| google.protobuf.Struct podLabels = 36; |
| |
| // Configuration settings passed to Pilot as a ConfigMap. |
| // |
| // This controls whether the mesh config map, generated from values.yaml is generated. |
| // If false, pilot will use default values or user-supplied values, in that order of preference. |
| google.protobuf.BoolValue configMap = 18; |
| |
| // Controls whether Pilot is configured through the Mesh Control Protocol (MCP). |
| // |
| // If set to true, Pilot requires an MCP server (like Galley) to be installed. |
| google.protobuf.BoolValue useMCP = 20; |
| |
| // Environment variables passed to the Pilot container. |
| // Untyped Struct; values land in the pod spec, so secrets should be referenced, not inlined here. |
| // |
| // Examples: |
| // env: |
| // ENV_VAR_1: value1 |
| // ENV_VAR_2: value2 |
| google.protobuf.Struct env = 21; |
| |
| // Deprecated. K8s rolling update strategy (maxSurge). |
| IntOrString rollingMaxSurge = 24 [deprecated=true]; |
| |
| // Deprecated. K8s rolling update strategy (maxUnavailable). |
| IntOrString rollingMaxUnavailable = 25 [deprecated=true]; |
| |
| // Deprecated. K8s tolerations, untyped. |
| repeated google.protobuf.Struct tolerations = 26 [deprecated=true]; |
| |
| // if protocol sniffing is enabled for outbound |
| google.protobuf.BoolValue enableProtocolSniffingForOutbound = 28; |
| // if protocol sniffing is enabled for inbound |
| google.protobuf.BoolValue enableProtocolSniffingForInbound = 29; |
| |
| // Deprecated. K8s annotations for pods. |
| // |
| // See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ |
| google.protobuf.Struct podAnnotations = 30 [deprecated=true]; |
| |
| // Annotations added to the Pilot Service, untyped. |
| google.protobuf.Struct serviceAnnotations = 37; |
| |
| // ConfigSource describes a source of configuration data for networking |
| // rules, and other Istio configuration artifacts. Multiple data sources |
| // can be configured for a single control plane. |
| PilotConfigSource configSource = 31; |
| |
| // Extra root CA for the JWKS resolver — presumably PEM content or a path; confirm with the consumer. |
| // Adding a root CA here extends which issuers' JWKS endpoints are trusted, so review changes carefully. |
| string jwksResolverExtraRootCA = 32; |
| |
| // Plugin names enabled in Pilot; semantics are defined by the consumer. |
| repeated string plugins = 33; |
| |
| // Image hub for Pilot. Presumably overrides GlobalConfig.hub when set — confirm against the templates. |
| string hub = 34; |
| |
| // Image tag for Pilot. Typed as google.protobuf.Value so YAML/JSON may supply a string or a number. |
| google.protobuf.Value tag = 35; |
| } |
| |
| // Controls legacy k8s ingress. Only one pilot profile should enable ingress support. |
| message PilotIngressConfig { |
| // Sets the type ingress service for Pilot. |
| // |
| // If empty, node-port is assumed. |
| // |
| // Allowed values: node-port, istio-ingressgateway, ingress (not enforced by this schema) |
| string ingressService = 1; |
| |
| // Which Ingress resources Istio handles; see the file-level ingressControllerMode enum. |
| ingressControllerMode ingressControllerMode = 2; |
| // If mode is STRICT, this value must be set on "kubernetes.io/ingress.class" annotation to activate. |
| string ingressClass = 3; |
| } |
| |
| // Mode for the ingress controller. |
| // |
| // The lowercase type name and unprefixed values (UNSPECIFIED, DEFAULT, STRICT, OFF) |
| // do not follow the usual conventions and can collide with other enums in this |
| // package; they are kept because renaming breaks generated code and JSON. |
| enum ingressControllerMode { |
| // Unspecified Istio ingress controller. This is the zero value, so an unset field reads as UNSPECIFIED. |
| UNSPECIFIED = 0; |
| // Selects all Ingress resources, with or without Istio annotation. |
| DEFAULT = 1; |
| // Selects only resources with istio annotation. |
| STRICT = 2; |
| // No ingress or sync. |
| OFF = 3; |
| } |
| |
| // Controls whether Istio policy is applied to Pilot. |
| message PilotPolicyConfig { |
| // Controls whether Istio policy is applied to Pilot. |
| google.protobuf.BoolValue enabled = 1; |
| } |
| |
| // Controls telemetry configuration |
| // |
| // Field number 2 is unused and not reserved. |
| message TelemetryConfig { |
| // Controls whether telemetry is exported for Pilot. |
| google.protobuf.BoolValue enabled = 1; |
| |
| // Use telemetry v2. |
| TelemetryV2Config v2 = 3; |
| } |
| |
| // Controls whether pilot will configure telemetry v2. |
| message TelemetryV2Config { |
| // Controls whether pilot will configure telemetry v2. |
| google.protobuf.BoolValue enabled = 1; |
| |
| // Metadata exchange filter settings. |
| TelemetryV2MetadataExchangeConfig metadata_exchange = 4; |
| |
| // Prometheus stats filter settings. |
| TelemetryV2PrometheusConfig prometheus = 2; |
| |
| // Stackdriver filter settings. |
| TelemetryV2StackDriverConfig stackdriver = 3; |
| |
| // Access log policy filter settings. |
| TelemetryV2AccessLogPolicyFilterConfig access_log_policy = 5; |
| } |
| |
| // Controls the telemetry v2 metadata exchange filter. |
| // Field number 1 is unused and not reserved. |
| message TelemetryV2MetadataExchangeConfig { |
| // Controls whether the WebAssembly runtime is enabled for the metadata exchange filter. |
| google.protobuf.BoolValue wasmEnabled = 2; |
| } |
| |
| // Controls telemetry v2 prometheus settings. |
| message TelemetryV2PrometheusConfig { |
| // Controls whether stats envoyfilter would be enabled or not. |
| google.protobuf.BoolValue enabled = 1; |
| |
| // Controls whether the WebAssembly runtime is enabled for the stats filter. |
| google.protobuf.BoolValue wasmEnabled = 2; |
| |
| // Per-workload-class overrides of the default stats filter configuration. |
| message ConfigOverride { |
| // Overrides default gateway telemetry v2 configuration. |
| google.protobuf.Struct gateway = 1; |
| |
| // Overrides default inbound sidecar telemetry v2 configuration. |
| google.protobuf.Struct inboundSidecar = 2; |
| |
| // Overrides default outbound sidecar telemetry v2 configuration. |
| google.protobuf.Struct outboundSidecar = 3; |
| } |
| |
| // Overrides default telemetry v2 filter configuration. |
| ConfigOverride config_override = 3; |
| } |
| |
| // Controls telemetry v2 stackdriver settings. |
| message TelemetryV2StackDriverConfig { |
| // Types of Access logs to export. |
| // NONE is the zero value, so an unset *AccessLogging field means no logs are exported. |
| enum AccessLogging { |
| // No Logs. |
| NONE = 0; |
| // All logs including both success and error logs. |
| FULL = 1; |
| // All error logs. This is currently only available for outbound/client side |
| // logs. A request is classified as error when `status>=400 or |
| // response_flag != "-"` |
| ERRORS_ONLY = 2; |
| // The trailing semicolon below is an empty statement, harmless but unusual. |
| }; |
| |
| // Controls whether the stackdriver filter is enabled. |
| google.protobuf.BoolValue enabled = 1; |
| |
| // Deprecated. Replaced by outboundAccessLogging / inboundAccessLogging. |
| google.protobuf.BoolValue logging = 2 [deprecated=true]; |
| |
| // Controls whether metrics are exported to stackdriver — presumably; confirm with the filter configuration. |
| google.protobuf.BoolValue monitoring = 3; |
| |
| // Deprecated. |
| google.protobuf.BoolValue topology = 4 [deprecated=true]; |
| |
| // Presumably disables the outbound (client-side) filter — confirm with the templates. |
| google.protobuf.BoolValue disableOutbound = 6; |
| |
| // Overrides the default stackdriver filter configuration, untyped. |
| google.protobuf.Struct configOverride = 5; |
| |
| // Access log export mode for outbound traffic. |
| AccessLogging outboundAccessLogging = 7; |
| |
| // Access log export mode for inbound traffic. |
| AccessLogging inboundAccessLogging = 8; |
| } |
| |
| // Controls telemetry v2 access log policy filter settings. |
| message TelemetryV2AccessLogPolicyFilterConfig { |
| // Controls whether the access log policy filter is enabled. |
| google.protobuf.BoolValue enabled = 1; |
| |
| // Window duration used by the access log policy filter; how the window is applied is defined by the filter. |
| google.protobuf.Duration logWindowDuration = 2; |
| } |
| |
| // PilotConfigSource describes information about a configuration store inside a |
| // mesh. A single control plane instance can interact with one or more data |
| // sources. |
| message PilotConfigSource { |
| // Describes the source of configuration, if nothing is specified default is MCP. |
| // Entries are free-form strings; their format is defined by the consumer. |
| repeated string subscribedResources = 1; |
| } |
| |
| // Configuration for a port. |
| // |
| // Port fields are int32, so negative or >65535 values are representable; |
| // range validation must happen in the consumer. |
| message PortsConfig { |
| // Port name. |
| string name = 1; |
| |
| // Port number. |
| int32 port = 2; |
| |
| // NodePort number. |
| int32 nodePort = 3; |
| |
| // Target port number. |
| int32 targetPort = 4; |
| |
| // Protocol name. |
| string protocol = 5; |
| } |
| |
| // Configuration for Proxy. |
| // |
| // Field numbers are sparse (1-3, 7, 8, 10, 11, 15, 17, 26, 27, 29-35 unused, not |
| // reserved); check history before reusing any of them. |
| message ProxyConfig { |
| // Sidecar auto-injection setting; free-form string whose accepted values are defined by the injector. |
| string autoInject = 4; |
| |
| // Domain for the cluster, default: "cluster.local". |
| // |
| // K8s allows this to be customized, see https://kubernetes.io/docs/tasks/administer-cluster/dns-custom-nameservers/ |
| string clusterDomain = 5; |
| |
| // Per Component log level for proxy, applies to gateways and sidecars. |
| // |
| // If a component level is not set, then the global "logLevel" will be used. If left empty, "misc:error" is used. |
| string componentLogLevel = 6; |
| |
| // Enables core dumps for newly injected sidecars. |
| // |
| // If set, newly injected sidecars will have core dumps enabled. |
| // A core dump captures proxy memory, which can include key material and |
| // request data; treat this as a debugging-only setting. |
| google.protobuf.BoolValue enableCoreDump = 9; |
| |
| // Specifies the Istio ingress ports not to capture. |
| string excludeInboundPorts = 12; |
| |
| // Lists the excluded IP ranges of Istio egress traffic that the sidecar captures. |
| // Traffic to excluded ranges bypasses the sidecar and therefore any policy it enforces. |
| string excludeIPRanges = 13; |
| |
| // Image name or path for the proxy, default: "proxyv2". |
| // |
| // If registry or tag are not specified, global.hub and global.tag are used. |
| // |
| // Examples: my-proxy (uses global.hub/tag), docker.io/myrepo/my-proxy:v1.0.0 |
| string image = 14; |
| |
| // Lists the IP ranges of Istio egress traffic that the sidecar captures. |
| // |
| // Example: "172.30.0.0/16,172.20.0.0/16" |
| // This would only capture egress traffic on those two IP Ranges; all other outbound traffic would be allowed by the sidecar. |
| string includeIPRanges = 16; |
| |
| // Log level for proxy, applies to gateways and sidecars. If left empty, "warning" is used. Expected values are: trace\|debug\|info\|warning\|error\|critical\|off |
| string logLevel = 18; |
| |
| // Enables privileged securityContext for the istio-proxy container. |
| // A privileged container gets host-level access; set explicitly and review rather than inherit. |
| // |
| // See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| google.protobuf.BoolValue privileged = 19; |
| |
| // Sets the initial delay for readiness probes in seconds. |
| uint32 readinessInitialDelaySeconds = 20; |
| |
| // Sets the interval between readiness probes in seconds. |
| uint32 readinessPeriodSeconds = 21; |
| |
| // Sets the number of successive failed probes before indicating readiness failure. |
| uint32 readinessFailureThreshold = 22; |
| |
| // Default port used for the Pilot agent's health checks. |
| uint32 statusPort = 23; |
| |
| // Deprecated. K8s resources settings. |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container |
| Resources resources = 24 [deprecated=true]; |
| |
| // Tracer selection; the `tracer` type is defined later in the file (lowercase name, non-standard). |
| tracer tracer = 25; |
| |
| // Outbound ports not captured by the sidecar; like excludeIPRanges, excluded traffic bypasses proxy policy. |
| string excludeOutboundPorts = 28; |
| |
| // Container lifecycle hooks for the proxy, untyped. |
| google.protobuf.Struct lifecycle = 36; |
| |
| // Controls if sidecar is injected at the front of the container list and blocks the start of the other containers until the proxy is ready |
| // |
| // Deprecated: replaced by ProxyConfig setting which allows per-pod configuration of this behavior. |
| google.protobuf.BoolValue holdApplicationUntilProxyStarts = 37 [deprecated=true]; |
| |
| // Inbound ports captured by the sidecar; format is defined by the consumer (see excludeInboundPorts). |
| string includeInboundPorts = 38; |
| |
| // Outbound ports captured by the sidecar; format is defined by the consumer (see excludeOutboundPorts). |
| string includeOutboundPorts = 39; |
| } |
| |
| // Specifies which tracer to use. |
| // |
| // The values are lower-case and not prefixed with the enum name, and the zero |
| // value is a real tracer (`zipkin`) rather than an UNSPECIFIED sentinel, so an |
| // unset `ProxyConfig.tracer` cannot be told apart from an explicit zipkin |
| // selection. Renaming or renumbering values would break generated code and |
| // the JSON form, so they are kept as they are. |
| enum tracer { |
| // Zero value, i.e. the default when the field is unset. |
| zipkin = 0; |
| lightstep = 1; |
| datadog = 2; |
| stackdriver = 3; |
| openCensusAgent = 4; |
| // No tracer (presumably disables trace reporting). Not the default; see above. |
| none = 5; |
| } |
| |
| // Configuration for proxy_init container which sets the pods' networking to intercept the inbound/outbound traffic. |
| // |
| // Field numbers 2-4 are unused; reserve them if they belonged to removed fields. |
| message ProxyInitConfig { |
| // Specifies the image for the proxy_init container. |
| string image = 1; |
| // K8s resources settings. |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#resource-requests-and-limits-of-pod-and-container |
| // Deprecated. `Resources` is declared outside this excerpt. |
| Resources resources = 5 [deprecated=true]; |
| } |
| |
| // Configuration for K8s resource requests. |
| message ResourcesRequestsConfig { |
| // CPU request. Presumably a K8s quantity string (e.g. "500m"); not validated here. |
| string cpu = 1; |
| |
| // Memory request. Presumably a K8s quantity string (e.g. "128Mi"); not validated here. |
| string memory = 2; |
| } |
| |
| // Configuration for the SecretDiscoveryService instead of using K8S secrets to mount the certificates. |
| // |
| // Field numbers 1-4 are unused; reserve them if they belonged to removed fields. |
| message SDSConfig { |
| // Deprecated, untyped token settings. If this carries credential material it |
| // must be treated as sensitive wherever the message is logged or serialized |
| // — NOTE(review): confirm what the Struct holds. |
| google.protobuf.Struct token = 5 [deprecated=true]; |
| } |
| |
| // Configuration for secret volume mounts. |
| // |
| // See https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets. |
| message SecretVolume { |
| // Path inside the container at which the secret volume is mounted. |
| string mountPath = 1; |
| |
| // Name of the volume. |
| string name = 2; |
| |
| // Name of the K8s Secret backing the volume. |
| string secretName = 3; |
| } |
| |
| // ServiceConfig is described in istio.io documentation. |
| // |
| // Field numbers 4-17 are unused; reserve them if they belonged to removed fields. |
| message ServiceConfig { |
| // Annotations applied to the service (untyped; not validated by this schema). |
| google.protobuf.Struct annotations = 1; |
| |
| // Externally exposed port number. The 0-65535 range is not enforced by the schema. |
| uint32 externalPort = 2; |
| |
| // Service name. |
| string name = 3; |
| |
| // Service type as a free-form string — presumably the K8s Service type; confirm. |
| // `type` is a keyword in several target languages, so generated accessors may |
| // be renamed; do not rename the field itself, as that changes the JSON form. |
| string type = 18; |
| } |
| |
| // SidecarInjectorConfig is described in istio.io documentation. |
| // |
| // Field numbers 1, 3, 5-10, 13-15, 17-18 and 20 are unused; reserve them if |
| // they belonged to removed fields. The selector, template and annotation |
| // fields below control what the webhook injects into every pod it admits, so |
| // changes to them are security-relevant and should be reviewed as such. |
| message SidecarInjectorConfig { |
| // Enables sidecar auto-injection in namespaces by default. |
| google.protobuf.BoolValue enableNamespacesByDefault = 2; |
| |
| // Instructs Istio to not inject the sidecar on those pods, based on labels that are present in those pods. |
| // |
| // Annotations in the pods have higher precedence than the label selectors. |
| // Order of evaluation: Pod Annotations → NeverInjectSelector → AlwaysInjectSelector → Default Policy. |
| // See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions |
| // Each entry is an untyped label selector; its shape is not validated by this schema. |
| repeated google.protobuf.Struct neverInjectSelector = 11; |
| |
| // See NeverInjectSelector. |
| repeated google.protobuf.Struct alwaysInjectSelector = 12; |
| |
| // If true, webhook or istioctl injector will rewrite PodSpec for liveness health check to redirect request to sidecar. This makes liveness check work even when mTLS is enabled. |
| google.protobuf.BoolValue rewriteAppHTTPProbe = 16; |
| |
| // injectedAnnotations are additional annotations that will be added to the pod spec after injection |
| // This is primarily to support PSP annotations. |
| // Untyped; keys and values are not validated by this schema. |
| google.protobuf.Struct injectedAnnotations = 19; |
| |
| // Enable objectSelector to filter out pods with no need for sidecar before calling istio-sidecar-injector. |
| google.protobuf.Struct objectSelector = 21; |
| |
| // Configure the injection url for sidecar injector webhook |
| // Whatever serves this URL rewrites pod specs before they are admitted, so it |
| // must be a trusted endpoint. |
| string injectionURL = 22; |
| |
| // Templates defines a set of custom injection templates that can be used. For example, defining: |
| // |
| // templates: |
| // hello: | |
| // metadata: |
| // labels: |
| // hello: world |
| // |
| // Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod |
| // being injected with the hello=world labels. |
| // This is intended for advanced configuration only; most users should use the built in template |
| google.protobuf.Struct templates = 23; |
| |
| // Default templates specifies a set of default templates that are used in sidecar injection. |
| // By default, a template `sidecar` is always provided, which contains the template of default sidecar. |
| // To inject other additional templates, define it using the `templates` option, and add it to |
| // the default templates list. |
| // For example: |
| // |
| // templates: |
| // hello: | |
| // metadata: |
| // labels: |
| // hello: world |
| // |
| // defaultTemplates: ["sidecar", "hello"] |
| repeated string defaultTemplates = 24; |
| |
| // If enabled, the legacy webhook selection logic will be used. This relies on filtering of webhook |
| // requests in Istiod, rather than at the webhook selection level. |
| // This option is intended for migration purposes only and will be removed in Istio 1.10. |
| // Field number 4 is lower than the fields above it; the wire contract is not |
| // affected, it is only listed out of numeric order. |
| google.protobuf.BoolValue useLegacySelectors = 4 [deprecated=true]; |
| } |
| |
| // Configuration for each of the supported tracers. |
| // |
| // The fields are independent messages, not a oneof, so several may be set at |
| // once; the one in use is presumably chosen by `ProxyConfig.tracer` — |
| // NOTE(review): confirm. There is no sub-message here for the `openCensusAgent` |
| // and `none` values of that enum. |
| message TracerConfig { |
| // Configuration for the datadog tracing service. |
| TracerDatadogConfig datadog = 1; |
| |
| // Configuration for the lightstep tracing service. |
| TracerLightStepConfig lightstep = 2; |
| |
| // Configuration for the zipkin tracing service. |
| TracerZipkinConfig zipkin = 3; |
| |
| // Configuration for the stackdriver tracing service. |
| TracerStackdriverConfig stackdriver = 4; |
| } |
| |
| // Configuration for the datadog tracing service. |
| message TracerDatadogConfig { |
| // Address in host:port format for reporting trace data to the Datadog agent. |
| // Only the agent address is configured here; no credentials are carried. |
| string address = 1; |
| } |
| |
| // Configuration for the lightstep tracing service. |
| message TracerLightStepConfig { |
| // Sets the lightstep satellite pool address in host:port format for reporting trace data. |
| string address = 1; |
| |
| // Sets the lightstep access token. |
| // This is a credential stored in clear text in the configuration; it appears |
| // wherever this message is serialized or logged, so keep such output out of |
| // logs and source control. |
| string accessToken = 2; |
| } |
| |
| // Configuration for the zipkin tracing service. |
| message TracerZipkinConfig { |
| // Address of zipkin instance in host:port format for reporting trace data. |
| // |
| // Example: <zipkin-collector-service>.<zipkin-collector-namespace>:941 |
| // NOTE(review): Zipkin's default collector port is 9411; confirm the example's |
| // port is intended. |
| string address = 1; |
| } |
| |
| // Configuration for the stackdriver tracing service. |
| // |
| // The limits below are plain uint32 fields, so an unset limit reads as 0 and |
| // cannot be told apart from an explicit 0. |
| message TracerStackdriverConfig { |
| // Enables trace output to stdout. |
| google.protobuf.BoolValue debug = 1; |
| |
| // The global default max number of attributes per span. |
| uint32 maxNumberOfAttributes = 2; |
| |
| // The global default max number of annotation events per span. |
| uint32 maxNumberOfAnnotations = 3; |
| |
| // The global default max number of message events per span. |
| uint32 maxNumberOfMessageEvents = 4; |
| } |
| |
| // Settings for the base component; referenced from `Values.base`. |
| message BaseConfig { |
| // For Helm2 use, adds the CRDs to templates. |
| google.protobuf.BoolValue enableCRDTemplates = 1; |
| |
| // URL to use for validating webhook. |
| // Presumably the endpoint the API server calls for validating admission; it |
| // must be a trusted endpoint — NOTE(review): confirm. |
| string validationURL = 2; |
| |
| // For istioctl usage to disable istio config crds in base |
| google.protobuf.BoolValue enableIstioConfigCRDs = 3; |
| |
| } |
| |
| // Settings for a remote istiod; referenced from `Values.istiodRemote`. |
| message IstiodRemoteConfig { |
| // URL to use for sidecar injector webhook. |
| // Whatever serves this URL rewrites pod specs at admission, so it must be a |
| // trusted endpoint. |
| string injectionURL = 1; |
| // Path to use for the sidecar injector webhook service. |
| string injectionPath = 2; |
| } |
| |
| // Top-level settings message. Several field types (GatewaysConfig, GlobalConfig, |
| // PilotConfig, TelemetryConfig) are declared outside this excerpt. |
| // |
| // Field numbers 1, 3-4, 7-9, 11-12, 14-18, 20 and 24-35 are unused; reserve |
| // them if they belonged to removed fields. |
| message Values { |
| // CNI settings. `istio_cni` (19) below has the same type and a different |
| // naming convention — NOTE(review): confirm which one consumers read. |
| CNIConfig cni = 2; |
| |
| GatewaysConfig gateways = 5; |
| |
| GlobalConfig global = 6; |
| |
| PilotConfig pilot = 10; |
| |
| // Controls whether telemetry is exported for Pilot. |
| TelemetryConfig telemetry = 23; |
| |
| SidecarInjectorConfig sidecarInjectorWebhook = 13; |
| |
| // Second CNI settings field; see the note on `cni`. |
| CNIConfig istio_cni = 19; |
| |
| // Revision identifier — NOTE(review): semantics not defined here. |
| string revision = 21; |
| |
| string ownerName = 22; |
| |
| // TODO can this import the real mesh config API? |
| // Untyped; no schema validation applies at this layer, so the consumer must |
| // validate what it receives. |
| google.protobuf.Value meshConfig = 36; |
| |
| BaseConfig base = 37; |
| |
| IstiodRemoteConfig istiodRemote = 38; |
| |
| repeated string revisionTags = 39; |
| |
| string defaultRevision = 40; |
| } |
| |
| |
| // ZeroVPNConfig enables cross-cluster access using SNI matching. |
| message ZeroVPNConfig { |
| // Controls whether ZeroVPN is enabled. |
| google.protobuf.BoolValue enabled = 1; |
| |
| // Suffix used for the SNI match — presumably; NOTE(review): confirm with the consumer. |
| string suffix = 2; |
| } |
| |
| // IntOrString is a type that can hold an int32 or a string. When used in |
| // JSON or YAML marshalling and unmarshalling, it produces or consumes the |
| // inner type. This allows you to have, for example, a JSON field that can |
| // accept a name or number. |
| // TODO: Rename to Int32OrString |
| // |
| // +protobuf=true |
| // +protobuf.options.(gogoproto.goproto_stringer)=false |
| // +k8s:openapi-gen=true |
| message IntOrString { |
| // Discriminator selecting which of intVal / strVal is meaningful. The value |
| // mapping is not defined here — NOTE(review): confirm against the type this |
| // mirrors. `type` is a keyword in several target languages. |
| int64 type = 1; |
| |
| // Integer value; the wrapper gives explicit presence. |
| google.protobuf.Int32Value intVal = 2; |
| |
| // String value; the wrapper gives explicit presence. Nothing in the schema |
| // prevents both values from being set. |
| google.protobuf.StringValue strVal = 3; |
| } |