diff --git a/.github/workflows/kserve_cni_test.yaml b/.github/workflows/kserve_cni_test.yaml
index f8c8c5cd53..fb12597932 100644
--- a/.github/workflows/kserve_cni_test.yaml
+++ b/.github/workflows/kserve_cni_test.yaml
@@ -4,7 +4,7 @@ on: paths: - tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh - .github/workflows/kserve_cni_test.yaml - - common/istio-cni-1-22/** + - common/istio-cni-1-23/** - tests/gh-actions/install_cert_manager.sh - common/cert-manager/** - tests/gh-actions/install_knative-cni.sh
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
index fd28b64e13..d1dac7477c 100644
--- a/.github/workflows/pss_test.yaml
+++ b/.github/workflows/pss_test.yaml
@@ -50,7 +50,7 @@ jobs: run: kustomize build common/kubeflow-namespace/base | kubectl apply -f - - name: Install kubeflow-istio-resources - run: kustomize build common/istio-cni-1-22/kubeflow-istio-resources/base | kubectl apply -f - + run: kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f - - name: Install KF Multi Tenancy run: ./tests/gh-actions/install_multi_tenancy.sh
diff --git a/README.md b/README.md
index cd3599066e..b041d000fd 100755
--- a/README.md
+++ b/README.md
@@ -65,7 +65,7 @@ used from the different projects of Kubeflow: | Component | Local Manifests Path | Upstream Revision | | - | - | - | -| Istio | common/istio-1-22 | [1.22.1](https://github.com/istio/istio/releases/tag/1.22.1) | +| Istio | common/istio-1-22 | [1.23.2](https://github.com/istio/istio/releases/tag/1.23.2) | | Knative | common/knative/knative-serving
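Review bot: The `on.paths` filter now lists `common/istio-cni-1-23/**`, but the job steps that actually consume that directory are outside this hunk and no Istio CNI install script appears anywhere in this diff. If the installing step, or the script it calls, still reads `common/istio-cni-1-22`, the filter will fire for a tree the job never uses and the renamed manifests will go untested. Please confirm in the same change that the install step was switched to the 1-23 tree. The `on:` block continues outside the hunk.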
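Review bot: Only the `run:` line of the "Install kubeflow-istio-resources" step is repointed to `common/istio-cni-1-23/kubeflow-istio-resources/base`; if `pss_test.yaml` also carries an `on.paths` filter naming `common/istio-cni-1-22/**`, as `kserve_cni_test.yaml` does in the hunk above, that filter is not in this diff and would no longer match anything after the rename. A grep for `istio-cni-1-22` across `.github/workflows` and `tests/gh-actions` before merging would settle it. Relatedly, the README row edited in this commit pairs revision 1.23.2 with the path `common/istio-1-22`; if that non-CNI tree was not bumped alongside, the row now misdescribes it. The job definition continues outside the hunk.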
common/knative/knative-eventing | [v1.12.4](https://github.com/knative/serving/releases/tag/knative-v1.12.4)
[v1.12.6](https://github.com/knative/eventing/releases/tag/knative-v1.12.6) | | Cert Manager | common/cert-manager | [1.14.5](https://github.com/cert-manager/cert-manager/releases/tag/v1.12.2) |
diff --git a/common/istio-cni-1-22/README.md b/common/istio-cni-1-23/README.md
similarity index 100%
rename from common/istio-cni-1-22/README.md
rename to common/istio-cni-1-23/README.md
diff --git a/common/istio-cni-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml
similarity index 98%
rename from common/istio-cni-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml
rename to common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml
index 93265e3e8c..45441c6a4f 100644
--- a/common/istio-cni-1-22/cluster-local-gateway/base/cluster-local-gateway.yaml
+++ b/common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml
@@ -109,8 +109,7 @@ spec: - name: ISTIO_META_WORKLOAD_NAME value: cluster-local-gateway - name: ISTIO_META_OWNER - value: - kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway + value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway - name: ISTIO_META_MESH_ID value: cluster.local - name: TRUST_DOMAIN
@@ -123,7 +122,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.22.1 + image: docker.io/istio/proxyv2:1.23.2 name: istio-proxy ports: - containerPort: 15020
diff --git a/common/istio-cni-1-22/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-cni-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
similarity index 100%
rename from common/istio-cni-1-22/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
rename to common/istio-cni-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
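Review bot: The new `image: docker.io/istio/proxyv2:1.23.2` line in the `@@ -123,7 +122,7 @@` hunk pins the gateway proxy by mutable tag only, so what `kustomize build` renders depends on whatever the registry serves for that tag at apply time. For an ingress component that terminates cluster traffic, pin the digest as well, e.g. `image: docker.io/istio/proxyv2:1.23.2@sha256:<DIGEST-OF-PROXYV2-1.23.2>`, and keep the same reference in the other manifests of the renamed tree (the istiod/install side is not shown in this chunk). Folding the `ISTIO_META_OWNER` `value:` onto one line in the first hunk is fine, though the resulting line is long for the file's style. The container spec continues outside both hunks.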
diff --git a/common/istio-cni-1-22/cluster-local-gateway/base/gateway.yaml b/common/istio-cni-1-23/cluster-local-gateway/base/gateway.yaml
similarity index 100%
rename from common/istio-cni-1-22/cluster-local-gateway/base/gateway.yaml
rename to common/istio-cni-1-23/cluster-local-gateway/base/gateway.yaml
diff --git a/common/istio-cni-1-22/cluster-local-gateway/base/kustomization.yaml b/common/istio-cni-1-23/cluster-local-gateway/base/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-22/cluster-local-gateway/base/kustomization.yaml
rename to common/istio-cni-1-23/cluster-local-gateway/base/kustomization.yaml
diff --git a/common/istio-cni-1-22/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-cni-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml
similarity index 100%
rename from common/istio-cni-1-22/cluster-local-gateway/base/patches/remove-pdb.yaml
rename to common/istio-cni-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml
diff --git a/common/istio-cni-1-22/istio-crds/base/crd.yaml b/common/istio-cni-1-23/istio-crds/base/crd.yaml
similarity index 88%
rename from common/istio-cni-1-22/istio-crds/base/crd.yaml
rename to common/istio-cni-1-23/istio-crds/base/crd.yaml
index 6907d037fa..33de713fcc 100644
--- a/common/istio-cni-1-22/istio-crds/base/crd.yaml
+++ b/common/istio-cni-1-23/istio-crds/base/crd.yaml
@@ -212,43 +212,87 @@ spec: properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. 
+ maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" type: array type: object status: 
@@ -447,43 +491,87 @@ spec: properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. 
+ maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" type: array type: object status: @@ -598,6 +686,10 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. @@ -626,12 +718,24 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -645,6 +749,10 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the 
@@ -657,6 +765,10 @@ spec: needs to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object @@ -822,12 +934,18 @@ spec: warmupDurationSecs: description: Represents the warmup duration of Service. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. @@ -855,6 +973,9 @@ spec: interval: description: Time interval between ejection sweep analysis. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. @@ -905,6 +1026,10 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 
@@ -935,12 +1060,24 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -954,6 +1091,10 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before @@ -966,6 +1107,10 @@ spec: needs to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object @@ -1136,12 +1281,20 @@ spec: description: Represents the warmup duration of Service. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. 
@@ -1170,6 +1323,10 @@ spec: description: Time interval between ejection sweep analysis. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. @@ -1252,6 +1409,7 @@ spec: type: array type: object type: object + maxItems: 4096 type: array proxyProtocol: description: The upstream PROXY protocol settings. @@ -1378,6 +1536,9 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. @@ -1405,12 +1566,21 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -1424,6 +1594,9 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection 
@@ -1436,6 +1609,9 @@ spec: to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object @@ -1598,12 +1774,18 @@ spec: warmupDurationSecs: description: Represents the warmup duration of Service. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. @@ -1631,6 +1813,9 @@ spec: interval: description: Time interval between ejection sweep analysis. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. @@ -1681,6 +1866,10 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
@@ -1709,12 +1898,24 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -1728,6 +1929,10 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the @@ -1740,6 +1945,10 @@ spec: needs to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object @@ -1905,12 +2114,18 @@ spec: warmupDurationSecs: description: Represents the warmup duration of Service. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. 
@@ -1938,6 +2153,9 @@ spec: interval: description: Time interval between ejection sweep analysis. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. @@ -2017,6 +2235,7 @@ spec: type: array type: object type: object + maxItems: 4096 type: array proxyProtocol: description: The upstream PROXY protocol settings. @@ -2112,10 +2331,20 @@ spec: properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object required: - host @@ -2205,6 +2434,10 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
@@ -2233,12 +2466,24 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -2252,6 +2497,10 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the @@ -2264,6 +2513,10 @@ spec: needs to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object @@ -2429,12 +2682,18 @@ spec: warmupDurationSecs: description: Represents the warmup duration of Service. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. 
@@ -2462,6 +2721,9 @@ spec: interval: description: Time interval between ejection sweep analysis. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. @@ -2512,6 +2774,10 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 @@ -2542,12 +2808,24 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -2561,6 +2839,10 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before 
@@ -2573,6 +2855,10 @@ spec: needs to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object @@ -2743,12 +3029,20 @@ spec: description: Represents the warmup duration of Service. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. @@ -2777,6 +3071,10 @@ spec: description: Time interval between ejection sweep analysis. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. @@ -2859,6 +3157,7 @@ spec: type: array type: object type: object + maxItems: 4096 type: array proxyProtocol: description: The upstream PROXY protocol settings. @@ -2985,6 +3284,9 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
@@ -3012,12 +3314,21 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -3031,6 +3342,9 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection @@ -3043,6 +3357,9 @@ spec: to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object @@ -3205,12 +3522,18 @@ spec: warmupDurationSecs: description: Represents the warmup duration of Service. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. 
@@ -3238,6 +3561,9 @@ spec: interval: description: Time interval between ejection sweep analysis. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. @@ -3288,6 +3614,10 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. @@ -3316,12 +3646,24 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -3335,6 +3677,10 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the 
@@ -3347,6 +3693,10 @@ spec: needs to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object @@ -3512,12 +3862,18 @@ spec: warmupDurationSecs: description: Represents the warmup duration of Service. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. @@ -3545,6 +3901,9 @@ spec: interval: description: Time interval between ejection sweep analysis. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. @@ -3624,6 +3983,7 @@ spec: type: array type: object type: object + maxItems: 4096 type: array proxyProtocol: description: The upstream PROXY protocol settings. @@ -3719,10 +4079,20 @@ spec: properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object required: - host 
@@ -3812,6 +4182,10 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. @@ -3840,12 +4214,24 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -3859,6 +4245,10 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the @@ -3871,6 +4261,10 @@ spec: needs to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object 
@@ -4036,12 +4430,18 @@ spec: warmupDurationSecs: description: Represents the warmup duration of Service. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. @@ -4069,6 +4469,9 @@ spec: interval: description: Time interval between ejection sweep analysis. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. @@ -4119,6 +4522,10 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 
@@ -4149,12 +4556,24 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -4168,6 +4587,10 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before @@ -4180,6 +4603,10 @@ spec: needs to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object @@ -4350,12 +4777,20 @@ spec: description: Represents the warmup duration of Service. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. 
@@ -4384,6 +4819,10 @@ spec: description: Time interval between ejection sweep analysis. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. @@ -4466,6 +4905,7 @@ spec: type: array type: object type: object + maxItems: 4096 type: array proxyProtocol: description: The upstream PROXY protocol settings. @@ -4592,6 +5032,9 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. @@ -4619,12 +5062,21 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -4638,6 +5090,9 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection 
@@ -4650,6 +5105,9 @@ spec: to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object @@ -4812,12 +5270,18 @@ spec: warmupDurationSecs: description: Represents the warmup duration of Service. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. @@ -4845,6 +5309,9 @@ spec: interval: description: Time interval between ejection sweep analysis. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. @@ -4895,6 +5362,10 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. 
@@ -4923,12 +5394,24 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -4942,6 +5425,10 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the @@ -4954,6 +5441,10 @@ spec: needs to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater + than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object @@ -5119,12 +5610,18 @@ spec: warmupDurationSecs: description: Represents the warmup duration of Service. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object outlierDetection: properties: baseEjectionTime: description: Minimum ejection duration. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') consecutive5xxErrors: description: Number of 5xx errors before a host is ejected from the connection pool. 
@@ -5152,6 +5649,9 @@ spec: interval: description: Time interval between ejection sweep analysis. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxEjectionPercent: description: Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. @@ -5231,6 +5731,7 @@ spec: type: array type: object type: object + maxItems: 4096 type: array proxyProtocol: description: The upstream PROXY protocol settings. @@ -5326,10 +5827,20 @@ spec: properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object required: - host 
@@ -5620,17 +6131,34 @@ spec: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" type: array workloadSelector: description: Criteria used to select the specific set of pods/VMs 
@@ -6242,19 +6770,37 @@ spec: type: string type: object description: Port specific mutual TLS settings. + minProperties: 1 type: object + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: self.all(key, 0 < int(key) && int(key) <= 65535) selector: description: The selector determines the workloads to apply the PeerAuthentication on. properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object type: object + x-kubernetes-validations: + - message: portLevelMtls requires selector + rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() + > 0) || !has(self.portLevelMtls) status: type: object x-kubernetes-preserve-unknown-fields: true 
@@ -6315,19 +6861,37 @@ spec: type: string type: object description: Port specific mutual TLS settings. + minProperties: 1 type: object + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: self.all(key, 0 < int(key) && int(key) <= 65535) selector: description: The selector determines the workloads to apply the PeerAuthentication on. properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object type: object + x-kubernetes-validations: + - message: portLevelMtls requires selector + rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size() + > 0) || !has(self.portLevelMtls) status: type: object x-kubernetes-preserve-unknown-fields: true @@ -6372,10 +6936,12 @@ spec: concurrency: description: The number of worker threads to run. format: int32 + minimum: 0 nullable: true type: integer environmentVariables: additionalProperties: + maxLength: 2048 type: string description: Additional environment variables for the proxy. type: object 
@@ -6391,10 +6957,20 @@ spec: properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object type: object status: @@ -6450,6 +7026,7 @@ spec: description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. items: + minLength: 1 type: string type: array forwardOriginalToken: @@ -6459,6 +7036,7 @@ spec: fromCookies: description: List of cookie names from which JWT is expected. items: + minLength: 1 type: string type: array fromHeaders: @@ -6467,6 +7045,7 @@ spec: properties: name: description: The HTTP header name. + minLength: 1 type: string prefix: description: The prefix that should be stripped before @@ -6479,10 +7058,12 @@ spec: fromParams: description: List of query parameters from which JWT is expected. items: + minLength: 1 type: string type: array issuer: description: Identifies the issuer that issued the JWT. + minLength: 1 type: string jwks: description: JSON Web Key Set of public keys to validate signature 
@@ -6491,11 +7072,21 @@ spec: jwks_uri: description: URL of the provider's public key set to validate signature of the JWT. + maxLength: 2048 + minLength: 1 type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] jwksUri: description: URL of the provider's public key set to validate signature of the JWT. + maxLength: 2048 + minLength: 1 type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] outputClaimToHeaders: description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. @@ -6503,10 +7094,16 @@ spec: properties: claim: description: The name of the claim to be copied from. + minLength: 1 type: string header: description: The name of the header to be created. + minLength: 1 + pattern: ^[-_A-Za-z0-9]+$ type: string + required: + - header + - claim type: object type: array outputPayloadToHeader: 
@@ -6518,54 +7115,108 @@ spec: by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') required: - issuer type: object + x-kubernetes-validations: + - message: only one of jwks or jwksUri can be set + rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 + maxItems: 4096 type: array selector: description: Optional. properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. 
type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: type: object x-kubernetes-preserve-unknown-fields: true @@ -6591,6 +7242,7 @@ spec: description: The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. items: + minLength: 1 type: string type: array forwardOriginalToken: 
@@ -6600,6 +7252,7 @@ spec: fromCookies: description: List of cookie names from which JWT is expected. items: + minLength: 1 type: string type: array fromHeaders: @@ -6608,6 +7261,7 @@ spec: properties: name: description: The HTTP header name. + minLength: 1 type: string prefix: description: The prefix that should be stripped before @@ -6620,10 +7274,12 @@ spec: fromParams: description: List of query parameters from which JWT is expected. items: + minLength: 1 type: string type: array issuer: description: Identifies the issuer that issued the JWT. + minLength: 1 type: string jwks: description: JSON Web Key Set of public keys to validate signature @@ -6632,11 +7288,21 @@ spec: jwks_uri: description: URL of the provider's public key set to validate signature of the JWT. + maxLength: 2048 + minLength: 1 type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] jwksUri: description: URL of the provider's public key set to validate signature of the JWT. + maxLength: 2048 + minLength: 1 type: string + x-kubernetes-validations: + - message: url must have scheme http:// or https:// + rule: url(self).getScheme() in ['http', 'https'] outputClaimToHeaders: description: This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. @@ -6644,10 +7310,16 @@ spec: properties: claim: description: The name of the claim to be copied from. + minLength: 1 type: string header: description: The name of the header to be created. + minLength: 1 + pattern: ^[-_A-Za-z0-9]+$ type: string + required: + - header + - claim type: object type: array outputPayloadToHeader: 
@@ -6659,54 +7331,108 @@ spec: by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') required: - issuer type: object + x-kubernetes-validations: + - message: only one of jwks or jwksUri can be set + rule: (has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1 + maxItems: 4096 type: array selector: description: Optional. properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. 
type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" type: array type: object + x-kubernetes-validations: + - message: only one of targetRefs or workloadSelector can be set + rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1 status: type: object x-kubernetes-preserve-unknown-fields: true 
@@ -6784,29 +7510,48 @@ spec: address: description: Address associated with the network endpoint without the port. + maxLength: 256 type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ + \ '/' || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') :\ + \ true" labels: additionalProperties: type: string description: One or more labels associated with the endpoint. + maxProperties: 256 type: object locality: description: The locality associated with the endpoint. + maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. + maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. + maxProperties: 128 type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. + maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. @@ -6814,6 +7559,13 @@ spec: minimum: 0 type: integer type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://'))\ + \ ? !has(self.ports) : true" + maxItems: 4096 type: array exportTo: description: A list of namespaces to which this service is exported. 
@@ -6940,29 +7692,48 @@ spec: address: description: Address associated with the network endpoint without the port. + maxLength: 256 type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ + \ '/' || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') :\ + \ true" labels: additionalProperties: type: string description: One or more labels associated with the endpoint. + maxProperties: 256 type: object locality: description: The locality associated with the endpoint. + maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. + maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. + maxProperties: 128 type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. + maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. @@ -6970,6 +7741,13 @@ spec: minimum: 0 type: integer type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://'))\ + \ ? !has(self.ports) : true" + maxItems: 4096 type: array exportTo: description: A list of namespaces to which this service is exported. 
@@ -7096,29 +7874,48 @@ spec: address: description: Address associated with the network endpoint without the port. + maxLength: 256 type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ + \ '/' || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') :\ + \ true" labels: additionalProperties: type: string description: One or more labels associated with the endpoint. + maxProperties: 256 type: object locality: description: The locality associated with the endpoint. + maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. + maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. + maxProperties: 128 type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. + maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. @@ -7126,6 +7923,13 @@ spec: minimum: 0 type: integer type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://'))\ + \ ? !has(self.ports) : true" + maxItems: 4096 type: array exportTo: description: A list of namespaces to which this service is exported. 
@@ -7322,6 +8126,9 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. @@ -7348,12 +8155,21 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -7366,6 +8182,9 @@ spec: interval: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. @@ -7376,6 +8195,9 @@ spec: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object 
@@ -7429,6 +8251,9 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. @@ -7456,12 +8281,21 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -7475,6 +8309,10 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection @@ -7487,6 +8325,10 @@ spec: to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object 
@@ -7748,6 +8590,9 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. @@ -7774,12 +8619,21 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -7792,6 +8646,9 @@ spec: interval: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. @@ -7802,6 +8659,9 @@ spec: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object 
@@ -7855,6 +8715,9 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. @@ -7882,12 +8745,21 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -7901,6 +8773,10 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection @@ -7913,6 +8789,10 @@ spec: to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object 
@@ -8174,6 +9054,9 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. @@ -8200,12 +9083,21 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -8218,6 +9110,9 @@ spec: interval: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection is dead. @@ -8228,6 +9123,9 @@ spec: description: The time duration a connection needs to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object 
@@ -8281,6 +9179,9 @@ spec: description: The idle timeout for upstream connection pool connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConcurrentStreams: description: The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection. @@ -8308,12 +9209,21 @@ spec: connectTimeout: description: TCP connection timeout. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') idleTimeout: description: The idle timeout for TCP connections. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnectionDuration: description: The maximum duration of a connection. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') maxConnections: description: Maximum number of HTTP1 /TCP connections to a destination host. @@ -8327,6 +9237,10 @@ spec: description: The time duration between keep-alive probes. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') probes: description: Maximum number of keepalive probes to send without response before deciding the connection @@ -8339,6 +9253,10 @@ spec: to be idle before keep-alive probes start being sent. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than + 1ms + rule: duration(self) >= duration('1ms') type: object type: object type: object 
@@ -8681,11 +9599,11 @@ spec: type: object x-kubernetes-validations: - message: value must be set when operation is UPSERT - rule: "((has(self.operation) ? self.operation : '') - == 'UPSERT') ? self.value != '' : true" + rule: "((has(self.operation) ? self.operation : '')\ + \ == 'UPSERT') ? self.value != '' : true" - message: value must not be set when operation is REMOVE - rule: "((has(self.operation) ? self.operation : '') - == 'REMOVE') ? !has(self.value) : true" + rule: "((has(self.operation) ? self.operation : '')\ + \ == 'REMOVE') ? !has(self.value) : true" description: Optional. type: object type: object @@ -8705,6 +9623,9 @@ spec: reportingInterval: description: Optional. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object type: array selector: 
@@ -8712,43 +9633,87 @@ spec: properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. 
+ maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" type: array tracing: description: Optional. @@ -9008,11 +9973,11 @@ spec: type: object x-kubernetes-validations: - message: value must be set when operation is UPSERT - rule: "((has(self.operation) ? self.operation : '') - == 'UPSERT') ? self.value != '' : true" + rule: "((has(self.operation) ? self.operation : '')\ + \ == 'UPSERT') ? self.value != '' : true" - message: value must not be set when operation is REMOVE - rule: "((has(self.operation) ? self.operation : '') - == 'REMOVE') ? !has(self.value) : true" + rule: "((has(self.operation) ? self.operation : '')\ + \ == 'REMOVE') ? !has(self.value) : true" description: Optional. type: object type: object @@ -9032,6 +9997,9 @@ spec: reportingInterval: description: Optional. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object type: array selector: 
@@ -9039,43 +10007,87 @@ spec: properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. 
+ maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" type: array tracing: description: Optional. @@ -9316,7 +10328,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object type: array @@ -9330,6 +10342,19 @@ spec: description: Specifies how long the results of a preflight request can be cached. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string type: object delegate: description: Delegate is used to specify the particular VirtualService @@ -9437,10 +10462,16 @@ spec: properties: exponentialDelay: type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') fixedDelay: description: Add a fixed delay before forwarding the request. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') percent: description: Percentage of requests on which the delay will be injected (0-100). 
@@ -9498,7 +10529,7 @@ spec: description: 'HTTP Authority values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -9520,7 +10551,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object gateways: @@ -9552,7 +10583,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: The header keys must be lowercase and use @@ -9566,7 +10597,7 @@ spec: description: 'HTTP Method values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -9588,7 +10619,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object name: @@ -9623,7 +10654,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: Query parameters for matching. 
@@ -9632,7 +10663,7 @@ spec: description: 'URI Scheme values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -9654,7 +10685,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object sourceLabels: @@ -9676,7 +10707,7 @@ spec: description: 'URI to match values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -9698,7 +10729,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object withoutHeaders: @@ -9724,7 +10755,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: withoutHeader has the same syntax with the 
@@ -9876,6 +10907,9 @@ spec: description: Timeout per attempt for a given request, including the initial call and any retries. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') retryOn: description: Specifies the conditions under which retry takes place. @@ -9902,7 +10936,7 @@ spec: specified regex. properties: match: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string rewrite: description: The string that should replace into matching @@ -9984,6 +11018,9 @@ spec: timeout: description: Timeout for HTTP requests, default is disabled. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object type: array tcp: @@ -10259,7 +11296,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object type: array @@ -10273,6 +11310,19 @@ spec: description: Specifies how long the results of a preflight request can be cached. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string type: object delegate: description: Delegate is used to specify the particular VirtualService 
@@ -10380,10 +11430,16 @@ spec: properties: exponentialDelay: type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') fixedDelay: description: Add a fixed delay before forwarding the request. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') percent: description: Percentage of requests on which the delay will be injected (0-100). @@ -10441,7 +11497,7 @@ spec: description: 'HTTP Authority values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -10463,7 +11519,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object gateways: @@ -10495,7 +11551,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: The header keys must be lowercase and use @@ -10509,7 +11565,7 @@ spec: description: 'HTTP Method values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: 
@@ -10531,7 +11587,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object name: @@ -10566,7 +11622,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: Query parameters for matching. @@ -10575,7 +11631,7 @@ spec: description: 'URI Scheme values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -10597,7 +11653,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object sourceLabels: @@ -10619,7 +11675,7 @@ spec: description: 'URI to match values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -10641,7 +11697,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object withoutHeaders: 
@@ -10667,7 +11723,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: withoutHeader has the same syntax with the @@ -10819,6 +11875,9 @@ spec: description: Timeout per attempt for a given request, including the initial call and any retries. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') retryOn: description: Specifies the conditions under which retry takes place. @@ -10845,7 +11904,7 @@ spec: specified regex. properties: match: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string rewrite: description: The string that should replace into matching @@ -10927,6 +11986,9 @@ spec: timeout: description: Timeout for HTTP requests, default is disabled. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object type: array tcp: @@ -11202,7 +12264,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object type: array 
@@ -11216,6 +12278,19 @@ spec: description: Specifies how long the results of a preflight request can be cached. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') + unmatchedPreflights: + description: |- + Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded to the upstream. + + Valid Options: FORWARD, IGNORE + enum: + - UNSPECIFIED + - FORWARD + - IGNORE + type: string type: object delegate: description: Delegate is used to specify the particular VirtualService @@ -11323,10 +12398,16 @@ spec: properties: exponentialDelay: type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') fixedDelay: description: Add a fixed delay before forwarding the request. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') percent: description: Percentage of requests on which the delay will be injected (0-100). @@ -11384,7 +12465,7 @@ spec: description: 'HTTP Authority values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - - `regex: "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + - `regex: "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -11406,7 +12487,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object gateways: 
@@ -11438,7 +12519,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: The header keys must be lowercase and use @@ -11452,7 +12533,7 @@ spec: description: 'HTTP Method values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -11474,7 +12555,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object name: @@ -11509,7 +12590,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: Query parameters for matching. @@ -11518,7 +12599,7 @@ spec: description: 'URI Scheme values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -11540,7 +12621,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object sourceLabels: 
@@ -11562,7 +12643,7 @@ spec: description: 'URI to match values are case-sensitive and formatted as follows: - `exact: "value"` for exact string match - `prefix: "value"` for prefix-based match - `regex: - "value"` for RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).' + "value"` for [RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' oneOf: - not: anyOf: @@ -11584,7 +12665,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object withoutHeaders: @@ -11610,7 +12691,7 @@ spec: prefix: type: string regex: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string type: object description: withoutHeader has the same syntax with the @@ -11762,6 +12843,9 @@ spec: description: Timeout per attempt for a given request, including the initial call and any retries. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') retryOn: description: Specifies the conditions under which retry takes place. @@ -11788,7 +12872,7 @@ spec: specified regex. properties: match: - description: RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax). + description: '[RE2 style regex-based match](https://github.com/google/re2/wiki/Syntax).' type: string rewrite: description: The string that should replace into matching @@ -11870,6 +12954,9 @@ spec: timeout: description: Timeout for HTTP requests, default is disabled. type: string + x-kubernetes-validations: + - message: must be a valid duration greater than 1ms + rule: duration(self) >= duration('1ms') type: object type: array tcp: 
@@ -12183,10 +13270,20 @@ spec: properties: matchLabels: additionalProperties: + maxLength: 63 type: string + x-kubernetes-validations: + - message: wildcard not allowed in label value match + rule: "!self.contains('*')" description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. + maxProperties: 4096 type: object + x-kubernetes-validations: + - message: wildcard not allowed in label key match + rule: self.all(key, !key.contains('*')) + - message: key must not be empty + rule: self.all(key, key.size() != 0) type: object sha256: description: SHA256 checksum that will be used to verify Wasm module 
@@ -12197,34 +13294,68 @@ spec: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. + maxLength: 253 + minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string + x-kubernetes-validations: + - message: cross namespace referencing is not currently supported + rule: self.size() == 0 + required: + - kind + - name type: object + x-kubernetes-validations: + - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway + rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\ + \ ['gateway.networking.k8s.io','Gateway']]" type: array type: description: |- 
@@ -12242,9 +13373,9 @@ spec: type: string x-kubernetes-validations: - message: url must have schema one of [http, https, file, oci] - rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https', - 'oci', 'file']) : (isURL('http://' + self) && url('http://' +self).getScheme() - in ['', 'http', 'https', 'oci', 'file'])" + rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',\ + \ 'oci', 'file']) : (isURL('http://' + self) && url('http://'\ + \ +self).getScheme() in ['', 'http', 'https', 'oci', 'file'])" verificationKey: type: string vmConfig: @@ -12278,8 +13409,8 @@ spec: type: object x-kubernetes-validations: - message: value may only be set when valueFrom is INLINE - rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST' - || !has(self.value)" + rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'\ + \ || !has(self.value)" maxItems: 256 type: array x-kubernetes-list-map-keys: 
@@ -12350,29 +13481,47 @@ spec: address: description: Address associated with the network endpoint without the port. + maxLength: 256 type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\ + \ || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: additionalProperties: type: string description: One or more labels associated with the endpoint. + maxProperties: 256 type: object locality: description: The locality associated with the endpoint. + maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. + maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. + maxProperties: 128 type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. + maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. @@ -12380,9 +13529,19 @@ spec: minimum: 0 type: integer type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\ + \ : true" status: type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec + - spec + - spec type: object served: true storage: false 
@@ -12412,29 +13571,47 @@ spec: address: description: Address associated with the network endpoint without the port. + maxLength: 256 type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\ + \ || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: additionalProperties: type: string description: One or more labels associated with the endpoint. + maxProperties: 256 type: object locality: description: The locality associated with the endpoint. + maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. + maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. + maxProperties: 128 type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. + maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. @@ -12442,9 +13619,19 @@ spec: minimum: 0 type: integer type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\ + \ : true" status: type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec + - spec + - spec type: object served: true storage: false 
@@ -12474,29 +13661,47 @@ spec: address: description: Address associated with the network endpoint without the port. + maxLength: 256 type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\ + \ || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: additionalProperties: type: string description: One or more labels associated with the endpoint. + maxProperties: 256 type: object locality: description: The locality associated with the endpoint. + maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. + maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. + maxProperties: 128 type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. + maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. @@ -12504,9 +13709,19 @@ spec: minimum: 0 type: integer type: object + x-kubernetes-validations: + - message: Address is required + rule: has(self.address) || has(self.network) + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\ + \ : true" status: type: object x-kubernetes-preserve-unknown-fields: true + required: + - spec + - spec + - spec type: object served: true storage: true 
@@ -12551,10 +13766,8 @@ spec: openAPIV3Schema: properties: spec: - description: '`WorkloadGroup` enables specifying the properties of a single - workload for bootstrap and provides a template for `WorkloadEntry`, - similar to how `Deployment` specifies properties of workloads via `Pod` - templates.' + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' properties: metadata: description: Metadata that will be used for all corresponding `WorkloadEntries`. 
@@ -12671,29 +13884,47 @@ spec: address: description: Address associated with the network endpoint without the port. + maxLength: 256 type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ + \ '/' || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: additionalProperties: type: string description: One or more labels associated with the endpoint. + maxProperties: 256 type: object locality: description: The locality associated with the endpoint. + maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. + maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. + maxProperties: 128 type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. + maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. @@ -12701,6 +13932,10 @@ spec: minimum: 0 type: integer type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://'))\ + \ ? !has(self.ports) : true" required: - template type: object 
@@ -12844,29 +14079,47 @@ spec: address: description: Address associated with the network endpoint without the port. + maxLength: 256 type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ + \ '/' || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: additionalProperties: type: string description: One or more labels associated with the endpoint. + maxProperties: 256 type: object locality: description: The locality associated with the endpoint. + maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. + maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. + maxProperties: 128 type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. + maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. @@ -12874,6 +14127,10 @@ spec: minimum: 0 type: integer type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://'))\ + \ ? !has(self.ports) : true" required: - template type: object 
@@ -12899,10 +14156,8 @@ spec: openAPIV3Schema: properties: spec: - description: '`WorkloadGroup` enables specifying the properties of a single - workload for bootstrap and provides a template for `WorkloadEntry`, - similar to how `Deployment` specifies properties of workloads via `Pod` - templates.' + description: 'Describes a collection of workload instances. See more details + at: https://istio.io/docs/reference/config/networking/workload-group.html' properties: metadata: description: Metadata that will be used for all corresponding `WorkloadEntries`. 
@@ -13019,29 +14274,47 @@ spec: address: description: Address associated with the network endpoint without the port. + maxLength: 256 type: string + x-kubernetes-validations: + - message: UDS must be an absolute path or abstract socket + rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\ + \ '/' || self.substring(7,8) == '@') : true" + - message: UDS may not be a dir + rule: "self.startsWith('unix://') ? !self.endsWith('/') : true" labels: additionalProperties: type: string description: One or more labels associated with the endpoint. + maxProperties: 256 type: object locality: description: The locality associated with the endpoint. + maxLength: 2048 type: string network: description: Network enables Istio to group endpoints resident in the same L3 domain/network. + maxLength: 2048 type: string ports: additionalProperties: maximum: 4294967295 minimum: 0 type: integer + x-kubernetes-validations: + - message: port must be between 1-65535 + rule: 0 < self && self <= 65535 description: Set of ports associated with the endpoint. + maxProperties: 128 type: object + x-kubernetes-validations: + - message: port name must be valid + rule: self.all(key, size(key) < 63 && key.matches('^[a-zA-Z0-9](?:[-a-zA-Z0-9]*[a-zA-Z0-9])?$')) serviceAccount: description: The service account associated with the workload if a sidecar is present in the workload. + maxLength: 253 type: string weight: description: The load balancing weight associated with the endpoint. @@ -13049,6 +14322,10 @@ spec: minimum: 0 type: integer type: object + x-kubernetes-validations: + - message: UDS may not include ports + rule: "(has(self.address) && self.address.startsWith('unix://'))\ + \ ? !has(self.ports) : true" required: - template type: object 
diff --git a/common/istio-cni-1-22/istio-crds/base/kustomization.yaml b/common/istio-cni-1-23/istio-crds/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-22/istio-crds/base/kustomization.yaml rename to common/istio-cni-1-23/istio-crds/base/kustomization.yaml diff --git a/common/istio-cni-1-22/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-cni-1-23/istio-install/base/deny_all_authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-22/istio-install/base/deny_all_authorizationpolicy.yaml rename to common/istio-cni-1-23/istio-install/base/deny_all_authorizationpolicy.yaml diff --git a/common/istio-cni-1-22/istio-install/base/gateway.yaml b/common/istio-cni-1-23/istio-install/base/gateway.yaml similarity index 100% rename from common/istio-cni-1-22/istio-install/base/gateway.yaml rename to common/istio-cni-1-23/istio-install/base/gateway.yaml diff --git a/common/istio-cni-1-22/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-cni-1-23/istio-install/base/gateway_authorizationpolicy.yaml similarity index 100% rename from common/istio-cni-1-22/istio-install/base/gateway_authorizationpolicy.yaml rename to common/istio-cni-1-23/istio-install/base/gateway_authorizationpolicy.yaml diff --git a/common/istio-cni-1-22/istio-install/base/install.yaml b/common/istio-cni-1-23/istio-install/base/install.yaml similarity index 97% rename from common/istio-cni-1-22/istio-install/base/install.yaml rename to common/istio-cni-1-23/istio-install/base/install.yaml index 569f70e2b5..7d8c7688c3 100644 --- a/common/istio-cni-1-22/istio-install/base/install.yaml +++ b/common/istio-cni-1-23/istio-install/base/install.yaml @@ -263,6 +263,16 @@ rules: - patch - create - delete +- apiGroups: + - networking.istio.io + resources: + - serviceentries/status + verbs: + - get + - watch + - list + - update + - patch - apiGroups: - apiextensions.k8s.io resources: 
@@ -453,6 +463,7 @@ metadata: istio.io/rev: default k8s-app: istio-cni-repair operator.istio.io/component: Cni + release: istio name: istio-cni-repair-rolebinding roleRef: apiGroup: rbac.authorization.k8s.io @@ -522,7 +533,6 @@ metadata: name: istio-validator-istio-system webhooks: - admissionReviewVersions: - - v1beta1 - v1 clientConfig: service: @@ -580,12 +590,20 @@ metadata: --- apiVersion: v1 data: - cni_network_config: "{\n \"cniVersion\": \"0.3.1\",\n \"name\": \"istio-cni\"\ - ,\n \"type\": \"istio-cni\",\n \"log_level\": \"debug\",\n \"log_uds_address\"\ - : \"__LOG_UDS_ADDRESS__\",\n \n \"cni_event_address\": \"__CNI_EVENT_ADDRESS__\"\ - ,\n \"kubernetes\": {\n \"kubeconfig\": \"__KUBECONFIG_FILEPATH__\",\n \ - \ \"cni_bin_dir\": \"/opt/cni/bin\",\n \"exclude_namespaces\": [ \"kube-system\"\ - \ ]\n }\n}" + AMBIENT_DNS_CAPTURE: 'false' + AMBIENT_ENABLED: 'false' + AMBIENT_IPV6: 'true' + CHAINED_CNI_PLUGIN: 'true' + CNI_NET_DIR: /etc/cni/net.d + CURRENT_AGENT_VERSION: 1.23.2 + EXCLUDED_NAMESPACES: kube-system + REPAIR_BROKEN_POD_LABEL_KEY: cni.istio.io/uninitialized + REPAIR_BROKEN_POD_LABEL_VALUE: 'true' + REPAIR_DELETE_PODS: 'false' + REPAIR_ENABLED: 'true' + REPAIR_INIT_CONTAINER_NAME: istio-validation + REPAIR_LABEL_PODS: 'false' + REPAIR_REPAIR_PODS: 'true' kind: ConfigMap metadata: labels: @@ -828,6 +846,9 @@ data: {{- if .Values.global.logAsJson }} - --log_as_json {{- end }} + {{- if .Values.global.proxy.outlierLogPath }} + - --outlierLogPath={{ .Values.global.proxy.outlierLogPath }} + {{- end}} {{- if .Values.global.proxy.lifecycle }} lifecycle: {{ toYaml .Values.global.proxy.lifecycle | indent 6 }} 
@@ -1169,12 +1190,16 @@ data: } spec: securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 4 }} + {{- else }} sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" + {{- end }} containers: - name: istio-proxy - {{- if contains "/" .Values.global.proxy.image }} + {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image) }} image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy.image }}" {{- else }} image: "{{ .ProxyImage }}" @@ -1992,10 +2017,17 @@ data: securityContext: privileged: false runAsGroup: 1337 - runAsUser: 0 + runAsUser: 1337 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsNonRoot: true capabilities: drop: - ALL + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 12 }} + {{- end }} volumeMounts: - name: workload-socket mountPath: /var/run/secrets/workload-spiffe-uds @@ -2068,6 +2100,7 @@ data: name: "{{.Name}}" uid: "{{.UID}}" spec: + ipFamilyPolicy: PreferDualStack ports: {{- range $key, $val := .Ports }} - name: {{ $val.Name | quote }} @@ -2153,12 +2186,17 @@ data: "istio.io/gateway-name" .Name ) | nindent 8 }} spec: - {{- if ge .KubeVersion 122 }} - {{/* safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326. */}} securityContext: + {{- if .Values.gateways.securityContext }} + {{- toYaml .Values.gateways.securityContext | nindent 8 }} + {{- else }} sysctls: - name: net.ipv4.ip_unprivileged_port_start value: "0" + {{- if .Values.gateways.seccompProfile }} + seccompProfile: + {{- toYaml .Values.gateways.seccompProfile | nindent 10 }} + {{- end }} {{- end }} serviceAccountName: {{.ServiceAccount | quote}} containers: 
@@ -2174,8 +2212,6 @@ data: {{- end }} {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}} securityContext: - {{- if ge .KubeVersion 122 }} - # Safe since 1.22: https://github.com/kubernetes/kubernetes/pull/103326 capabilities: drop: - ALL @@ -2185,18 +2221,6 @@ data: runAsUser: {{ .ProxyUID | default "1337" }} runAsGroup: {{ .ProxyGID | default "1337" }} runAsNonRoot: true - {{- else }} - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 0 - runAsGroup: 1337 - runAsNonRoot: false - allowPrivilegeEscalation: true - readOnlyRootFilesystem: true - {{- end }} ports: - containerPort: 15021 name: status-port @@ -2437,6 +2461,10 @@ data: --- values: |- { + "gateways": { + "seccompProfile": {}, + "securityContext": {} + }, "global": { "autoscalingv2API": true, "caAddress": "", @@ -2491,6 +2519,7 @@ data: "includeInboundPorts": "*", "includeOutboundPorts": "", "logLevel": "warning", + "outlierLogPath": "", "privileged": false, "readinessFailureThreshold": 4, "readinessInitialDelaySeconds": 0, @@ -2524,7 +2553,7 @@ data: "sts": { "servicePort": 0 }, - "tag": "1.22.1", + "tag": "1.23.2", "variant": "" }, "istio_cni": { @@ -2572,7 +2601,6 @@ metadata: name: istio-sidecar-injector webhooks: - admissionReviewVersions: - - v1beta1 - v1 clientConfig: service: @@ -2608,7 +2636,6 @@ webhooks: - pods sideEffects: None - admissionReviewVersions: - - v1beta1 - v1 clientConfig: service: @@ -2646,7 +2673,6 @@ webhooks: - pods sideEffects: None - admissionReviewVersions: - - v1beta1 - v1 clientConfig: service: @@ -2680,7 +2706,6 @@ webhooks: - pods sideEffects: None - admissionReviewVersions: - - v1beta1 - v1 clientConfig: service: 
@@ -2745,48 +2770,23 @@ spec: spec: containers: - args: - - --log_output_level=default:info,cni:info + - --log_output_level=info command: - install-cni env: - - name: CNI_NETWORK_CONFIG - valueFrom: - configMapKeyRef: - key: cni_network_config - name: istio-cni-config - - name: CNI_NET_DIR - value: /etc/cni/net.d - - name: CHAINED_CNI_PLUGIN - value: 'true' - - name: REPAIR_ENABLED - value: 'true' - name: REPAIR_NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - - name: REPAIR_LABEL_PODS - value: 'false' - - name: REPAIR_DELETE_PODS - value: 'false' - - name: REPAIR_REPAIR_PODS - value: 'true' - name: REPAIR_RUN_AS_DAEMON value: 'true' - name: REPAIR_SIDECAR_ANNOTATION value: sidecar.istio.io/status - - name: REPAIR_INIT_CONTAINER_NAME - value: istio-validation - - name: REPAIR_BROKEN_POD_LABEL_KEY - value: cni.istio.io/uninitialized - - name: REPAIR_BROKEN_POD_LABEL_VALUE - value: 'true' - name: NODE_NAME valueFrom: fieldRef: apiVersion: v1 fieldPath: spec.nodeName - - name: LOG_LEVEL - value: debug - name: GOMEMLIMIT valueFrom: resourceFieldRef: @@ -2795,7 +2795,18 @@ spec: valueFrom: resourceFieldRef: resource: limits.cpu - image: docker.io/istio/install-cni:1.22.1 + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - configMapRef: + name: istio-cni-config + image: docker.io/istio/install-cni:1.23.2 name: install-cni readinessProbe: httpGet: @@ -2958,8 +2969,7 @@ spec: - name: ISTIO_META_WORKLOAD_NAME value: istio-ingressgateway - name: ISTIO_META_OWNER - value: - kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway + value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway - name: ISTIO_META_MESH_ID value: cluster.local - name: TRUST_DOMAIN 
@@ -2972,7 +2982,7 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - image: docker.io/istio/proxyv2:1.22.1 + image: docker.io/istio/proxyv2:1.23.2 name: istio-proxy ports: - containerPort: 15021 @@ -3148,6 +3158,8 @@ spec: fieldPath: spec.serviceAccountName - name: KUBECONFIG value: /var/run/secrets/remote/config + - name: CA_TRUSTED_NODE_ACCOUNTS + value: istio-system/ztunnel - name: PILOT_TRACE_SAMPLING value: '1' - name: PILOT_ENABLE_ANALYSIS @@ -3164,7 +3176,7 @@ spec: resource: limits.cpu - name: PLATFORM value: '' - image: docker.io/istio/pilot:1.22.1 + image: docker.io/istio/pilot:1.23.2 name: discovery ports: - containerPort: 8080 diff --git a/common/istio-cni-1-22/istio-install/base/kustomization.yaml b/common/istio-cni-1-23/istio-install/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-22/istio-install/base/kustomization.yaml rename to common/istio-cni-1-23/istio-install/base/kustomization.yaml diff --git a/common/istio-cni-1-22/istio-install/base/patches/disable-debugging.yaml b/common/istio-cni-1-23/istio-install/base/patches/disable-debugging.yaml similarity index 100% rename from common/istio-cni-1-22/istio-install/base/patches/disable-debugging.yaml rename to common/istio-cni-1-23/istio-install/base/patches/disable-debugging.yaml diff --git a/common/istio-cni-1-22/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-cni-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml similarity index 100% rename from common/istio-cni-1-22/istio-install/base/patches/istio-configmap-disable-tracing.yaml rename to common/istio-cni-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml 
diff --git a/common/istio-cni-1-22/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-cni-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
similarity index 100%
rename from common/istio-cni-1-22/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
rename to common/istio-cni-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
diff --git a/common/istio-cni-1-22/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-cni-1-23/istio-install/base/patches/istiod-remove-pdb.yaml
similarity index 100%
rename from common/istio-cni-1-22/istio-install/base/patches/istiod-remove-pdb.yaml
rename to common/istio-cni-1-23/istio-install/base/patches/istiod-remove-pdb.yaml
diff --git a/common/istio-cni-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-cni-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
similarity index 100%
rename from common/istio-cni-1-22/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
rename to common/istio-cni-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
diff --git a/common/istio-cni-1-22/istio-install/base/patches/seccomp-istiod.yaml b/common/istio-cni-1-23/istio-install/base/patches/seccomp-istiod.yaml
similarity index 100%
rename from common/istio-cni-1-22/istio-install/base/patches/seccomp-istiod.yaml
rename to common/istio-cni-1-23/istio-install/base/patches/seccomp-istiod.yaml
diff --git a/common/istio-cni-1-22/istio-install/base/patches/service.yaml b/common/istio-cni-1-23/istio-install/base/patches/service.yaml
similarity index 100%
rename from common/istio-cni-1-22/istio-install/base/patches/service.yaml
rename to common/istio-cni-1-23/istio-install/base/patches/service.yaml
diff --git a/common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-cni-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-22/istio-install/overlays/oauth2-proxy/kustomization.yaml
rename to common/istio-cni-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml
diff --git a/common/istio-cni-1-22/istio-namespace/base/kustomization.yaml b/common/istio-cni-1-23/istio-namespace/base/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-22/istio-namespace/base/kustomization.yaml
rename to common/istio-cni-1-23/istio-namespace/base/kustomization.yaml
diff --git a/common/istio-cni-1-22/istio-namespace/base/namespace.yaml b/common/istio-cni-1-23/istio-namespace/base/namespace.yaml
similarity index 100%
rename from common/istio-cni-1-22/istio-namespace/base/namespace.yaml
rename to common/istio-cni-1-23/istio-namespace/base/namespace.yaml
diff --git a/common/istio-cni-1-22/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-cni-1-23/kubeflow-istio-resources/base/cluster-roles.yaml
similarity index 100%
rename from common/istio-cni-1-22/kubeflow-istio-resources/base/cluster-roles.yaml
rename to common/istio-cni-1-23/kubeflow-istio-resources/base/cluster-roles.yaml
diff --git a/common/istio-cni-1-22/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-cni-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml
similarity index 100%
rename from common/istio-cni-1-22/kubeflow-istio-resources/base/kf-istio-resources.yaml
rename to common/istio-cni-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml
diff --git a/common/istio-cni-1-22/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-cni-1-23/kubeflow-istio-resources/base/kustomization.yaml similarity index 100% rename from common/istio-cni-1-22/kubeflow-istio-resources/base/kustomization.yaml rename to common/istio-cni-1-23/kubeflow-istio-resources/base/kustomization.yaml diff --git a/common/istio-cni-1-22/profile-overlay.yaml b/common/istio-cni-1-23/profile-overlay.yaml similarity index 100% rename from common/istio-cni-1-22/profile-overlay.yaml rename to common/istio-cni-1-23/profile-overlay.yaml diff --git a/common/istio-cni-1-22/profile.yaml b/common/istio-cni-1-23/profile.yaml similarity index 97% rename from common/istio-cni-1-22/profile.yaml rename to common/istio-cni-1-23/profile.yaml index 7d6ef09cb6..077b0c86d2 100644 --- a/common/istio-cni-1-22/profile.yaml +++ b/common/istio-cni-1-23/profile.yaml @@ -14,7 +14,7 @@ spec: enabled: true hub: docker.io/istio profile: default - tag: 1.22.1 + tag: 1.23.2 values: defaultRevision: "" gateways: diff --git a/common/istio-cni-1-22/split-istio-packages b/common/istio-cni-1-23/split-istio-packages similarity index 100% rename from common/istio-cni-1-22/split-istio-packages rename to common/istio-cni-1-23/split-istio-packages diff --git a/hack/synchronize-istio-cni-manifests.sh b/hack/synchronize-istio-cni-manifests.sh index 1f8a22c3e5..293322012a 100755 --- a/hack/synchronize-istio-cni-manifests.sh +++ b/hack/synchronize-istio-cni-manifests.sh @@ -16,12 +16,12 @@ set -euxo pipefail IFS=$'\n\t' -COMMIT="1.22.1" # Must be a release -CURRENT_VERSION="1-21" -NEW_VERSION="1-22" +COMMIT="1.23.2" +CURRENT_VERSION="1-22" +NEW_VERSION="1-23" # Must be a release SRC_DIR=${SRC_DIR:=/tmp/istio-cni} -BRANCH=${BRANCH:=istio-${COMMIT?}} +BRANCH=${BRANCH:=istio-cni-${COMMIT?}} SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd ) MANIFESTS_DIR=$(dirname $SCRIPT_DIR) 
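Review bot: The `# Must be a release` comment in the hack/synchronize-istio-cni-manifests.sh hunk now sits on the `NEW_VERSION="1-23"` line, but it constrains `COMMIT`, the upstream tag the script checks out (it also feeds the default `BRANCH`), whereas NEW_VERSION is only the local `common/istio-cni-<ver>` directory suffix; keep the comment with the value it describes, `COMMIT="1.23.2" # Must be a release`. Since CURRENT_VERSION and NEW_VERSION are maintained by hand alongside COMMIT, a short comment above the three assignments, such as `# COMMIT is the upstream Istio release tag; CURRENT_VERSION/NEW_VERSION are the common/istio-cni-<ver> directory suffixes — bump all three together`, would make the next upgrade less error-prone. The rest of the script, where these variables are consumed, is outside the hunk.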
diff --git a/tests/gh-actions/install_istio-cni.sh b/tests/gh-actions/install_istio-cni.sh index 159ebae8fb..8077247168 100755 --- a/tests/gh-actions/install_istio-cni.sh +++ b/tests/gh-actions/install_istio-cni.sh @@ -1,7 +1,7 @@ #!/bin/bash set -e echo "Installing Istio-cni (with ExtAuthZ from oauth2-proxy) ..." -cd common/istio-cni-1-22 +cd common/istio-cni-1-23 kustomize build istio-crds/base | kubectl apply -f - kustomize build istio-namespace/base | kubectl apply -f - kustomize build istio-install/overlays/oauth2-proxy | kubectl apply -f - diff --git a/tests/gh-actions/install_knative-cni.sh b/tests/gh-actions/install_knative-cni.sh index e0d6415c68..e361e87d31 100755 --- a/tests/gh-actions/install_knative-cni.sh +++ b/tests/gh-actions/install_knative-cni.sh @@ -6,8 +6,8 @@ kustomize build common/knative/knative-serving/base | kubectl apply -f - set -e kustomize build common/knative/knative-serving/base | kubectl apply -f - -kustomize build common/istio-cni-1-22/cluster-local-gateway/base | kubectl apply -f - -kustomize build common/istio-cni-1-22/kubeflow-istio-resources/base | kubectl apply -f - +kustomize build common/istio-cni-1-23/cluster-local-gateway/base | kubectl apply -f - +kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f - kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=600s \ --field-selector=status.phase!=Succeeded