diff --git a/.github/workflows/kserve_cni_test.yaml b/.github/workflows/kserve_cni_test.yaml
index fb12597932..b717dbde0a 100644
--- a/.github/workflows/kserve_cni_test.yaml
+++ b/.github/workflows/kserve_cni_test.yaml
@@ -4,7 +4,7 @@ on:
paths:
- tests/gh-actions/install_KinD_create_KinD_cluster_install_kustomize.sh
- .github/workflows/kserve_cni_test.yaml
- - common/istio-cni-1-23/**
+ - common/istio-cni-1-24/**
- tests/gh-actions/install_cert_manager.sh
- common/cert-manager/**
- tests/gh-actions/install_knative-cni.sh
diff --git a/.github/workflows/notebook_controller_m2m_test.yaml b/.github/workflows/notebook_controller_m2m_test.yaml
index cb70027de1..5bc0616c97 100644
--- a/.github/workflows/notebook_controller_m2m_test.yaml
+++ b/.github/workflows/notebook_controller_m2m_test.yaml
@@ -34,7 +34,7 @@ jobs:
run: ./tests/gh-actions/install_oauth2-proxy.sh
- name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
- name: Install KF Multi Tenancy
run: ./tests/gh-actions/install_multi_tenancy.sh
diff --git a/.github/workflows/pipeline_run_from_notebook.yaml b/.github/workflows/pipeline_run_from_notebook.yaml
index 3f1aee3914..5971fd3acf 100644
--- a/.github/workflows/pipeline_run_from_notebook.yaml
+++ b/.github/workflows/pipeline_run_from_notebook.yaml
@@ -37,7 +37,7 @@ jobs:
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
- name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
- name: Install KF Pipelines
run: ./tests/gh-actions/install_pipelines.sh
diff --git a/.github/workflows/pipeline_swfs_test.yaml b/.github/workflows/pipeline_swfs_test.yaml
index 27b9b4e6e1..0c9a07c20d 100644
--- a/.github/workflows/pipeline_swfs_test.yaml
+++ b/.github/workflows/pipeline_swfs_test.yaml
@@ -45,7 +45,7 @@ jobs:
run: ./tests/gh-actions/install_multi_tenancy.sh
- name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
- name: Create KF Profile
run: kustomize build common/user-namespace/base | kubectl apply -f -
diff --git a/.github/workflows/pipeline_test.yaml b/.github/workflows/pipeline_test.yaml
index 792d5937e9..c446410f80 100644
--- a/.github/workflows/pipeline_test.yaml
+++ b/.github/workflows/pipeline_test.yaml
@@ -44,7 +44,7 @@ jobs:
run: ./tests/gh-actions/install_multi_tenancy.sh
- name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
- name: Create KF Profile
run: kustomize build common/user-namespace/base | kubectl apply -f -
diff --git a/.github/workflows/pss_test.yaml b/.github/workflows/pss_test.yaml
index 48998f2412..54771c1067 100644
--- a/.github/workflows/pss_test.yaml
+++ b/.github/workflows/pss_test.yaml
@@ -51,7 +51,7 @@ jobs:
run: kustomize build common/kubeflow-namespace/base | kubectl apply -f -
- name: Install kubeflow-istio-resources
- run: kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
- name: Install KF Multi Tenancy
run: ./tests/gh-actions/install_multi_tenancy.sh
diff --git a/.github/workflows/training_operator_test.yaml b/.github/workflows/training_operator_test.yaml
index d90957c2bc..14d75a68a9 100644
--- a/.github/workflows/training_operator_test.yaml
+++ b/.github/workflows/training_operator_test.yaml
@@ -38,7 +38,7 @@ jobs:
run: ./tests/gh-actions/install_multi_tenancy.sh
- name: Install kubeflow-istio-resources
- run: kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+ run: kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
- name: Create KF Profile
run: kustomize build common/user-namespace/base | kubectl apply -f -
diff --git a/README.md b/README.md
index 0942dd7939..079624cee7 100644
--- a/README.md
+++ b/README.md
@@ -64,7 +64,7 @@ used from the different projects of Kubeflow:
| Component | Local Manifests Path | Upstream Revision |
| - | - | - |
-| Istio | common/istio-1-23 | [1.23.2](https://github.com/istio/istio/releases/tag/1.23.2) |
+| Istio | common/istio-1-24 | [1.24.2](https://github.com/istio/istio/releases/tag/1.24.2) |
| Knative | common/knative/knative-serving
common/knative/knative-eventing | [v1.16.0](https://github.com/knative/serving/releases/tag/knative-v1.16.0)
[v1.16.1](https://github.com/knative/eventing/releases/tag/knative-v1.16.1) |
| Cert Manager | common/cert-manager | [1.16.1](https://github.com/cert-manager/cert-manager/releases/tag/v1.16.1) |
@@ -211,9 +211,9 @@ Install Istio:
```sh
echo "Installing Istio configured with external authorization..."
-kustomize build common/istio-1-23/istio-crds/base | kubectl apply -f -
-kustomize build common/istio-1-23/istio-namespace/base | kubectl apply -f -
-kustomize build common/istio-1-23/istio-install/overlays/oauth2-proxy | kubectl apply -f -
+kustomize build common/istio-1-24/istio-crds/base | kubectl apply -f -
+kustomize build common/istio-1-24/istio-namespace/base | kubectl apply -f -
+kustomize build common/istio-1-24/istio-install/overlays/oauth2-proxy | kubectl apply -f -
echo "Waiting for all Istio Pods to become ready..."
kubectl wait --for=condition=Ready pods --all -n istio-system --timeout 300s
@@ -343,7 +343,7 @@ Install Knative Serving:
```sh
kustomize build common/knative/knative-serving/overlays/gateways | kubectl apply -f -
-kustomize build common/istio-1-23/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio-1-24/cluster-local-gateway/base | kubectl apply -f -
```
Optionally, you can install Knative Eventing which can be used for inference request logging:
@@ -390,7 +390,7 @@ Create the Kubeflow Gateway, `kubeflow-gateway` and ClusterRole,
Install kubeflow istio resources:
```sh
-kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
```
#### Kubeflow Pipelines
diff --git a/common/istio-1-23/README.md b/common/istio-1-24/README.md
similarity index 100%
rename from common/istio-1-23/README.md
rename to common/istio-1-24/README.md
diff --git a/common/istio-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml
similarity index 81%
rename from common/istio-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml
rename to common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml
index 45441c6a4f..149e7623c2 100644
--- a/common/istio-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml
+++ b/common/istio-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml
@@ -3,6 +3,12 @@ kind: ServiceAccount
metadata:
labels:
app: cluster-local-gateway
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -16,6 +22,12 @@ kind: Deployment
metadata:
labels:
app: cluster-local-gateway
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -42,7 +54,13 @@ spec:
sidecar.istio.io/inject: 'false'
labels:
app: cluster-local-gateway
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
chart: gateways
+ helm.sh/chart: istio-ingress-1.24.2
heritage: Tiller
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
@@ -109,7 +127,8 @@ spec:
- name: ISTIO_META_WORKLOAD_NAME
value: cluster-local-gateway
- name: ISTIO_META_OWNER
- value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
+ value:
+ kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
- name: ISTIO_META_MESH_ID
value: cluster.local
- name: TRUST_DOMAIN
@@ -122,7 +141,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- image: docker.io/istio/proxyv2:1.23.2
+ image: docker.io/istio/proxyv2:1.24.2
name: istio-proxy
ports:
- containerPort: 15020
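Review bot: The bumped `image: docker.io/istio/proxyv2:1.24.2` line still references the gateway proxy by tag only, so what runs in `istio-system` is whatever the registry serves for that tag at pull time. This manifest looks generated from the upstream chart, so the pin is better carried in the kustomization that includes it than edited here. An `images:` entry with `name: docker.io/istio/proxyv2` and `digest: sha256:<digest of the 1.24.2 image>` would do it; the digest is a placeholder to be taken from the published release. The container spec starts and ends outside this hunk.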
@@ -235,6 +254,12 @@ kind: PodDisruptionBudget
metadata:
labels:
app: cluster-local-gateway
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -253,6 +278,12 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: IngressGateways
@@ -273,6 +304,12 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: IngressGateways
@@ -292,6 +329,12 @@ kind: HorizontalPodAutoscaler
metadata:
labels:
app: cluster-local-gateway
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -320,6 +363,12 @@ metadata:
annotations:
labels:
app: cluster-local-gateway
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -331,11 +380,9 @@ spec:
ports:
- name: status-port
port: 15020
- protocol: TCP
targetPort: 15020
- name: http2
port: 80
- protocol: TCP
targetPort: 8080
selector:
app: cluster-local-gateway
diff --git a/common/istio-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
similarity index 100%
rename from common/istio-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
rename to common/istio-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
diff --git a/common/istio-1-23/cluster-local-gateway/base/gateway.yaml b/common/istio-1-24/cluster-local-gateway/base/gateway.yaml
similarity index 100%
rename from common/istio-1-23/cluster-local-gateway/base/gateway.yaml
rename to common/istio-1-24/cluster-local-gateway/base/gateway.yaml
diff --git a/common/istio-1-23/cluster-local-gateway/base/kustomization.yaml b/common/istio-1-24/cluster-local-gateway/base/kustomization.yaml
similarity index 100%
rename from common/istio-1-23/cluster-local-gateway/base/kustomization.yaml
rename to common/istio-1-24/cluster-local-gateway/base/kustomization.yaml
diff --git a/common/istio-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml
similarity index 100%
rename from common/istio-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml
rename to common/istio-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml
diff --git a/common/istio-cni-1-23/istio-crds/base/crd.yaml b/common/istio-1-24/istio-crds/base/crd.yaml
similarity index 84%
rename from common/istio-cni-1-23/istio-crds/base/crd.yaml
rename to common/istio-1-24/istio-crds/base/crd.yaml
index 33de713fcc..f194ef7520 100644
--- a/common/istio-cni-1-23/istio-crds/base/crd.yaml
+++ b/common/istio-1-24/istio-crds/base/crd.yaml
@@ -4,11 +4,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: security
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: authorizationpolicies.security.istio.io
spec:
group: security.istio.io
@@ -256,9 +256,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -290,12 +291,85 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or selector can be set
+ rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
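Review bot: The added object-level rule `(has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1` makes the API server reject a newly applied object of this kind that sets more than one of `selector`, `targetRef` and `targetRefs`, and `maxItems: 16` now caps `targetRefs`. By its position the hunk appears to sit in `authorizationpolicies.security.istio.io`, so an apply that fails this check would leave an authorization policy missing or at its previous revision. The CRD is vendored and should stay as upstream ships it; the check belongs on the policies this repository installs. A short upgrade note, for example `Istio 1.24 CRDs reject policies that set both selector and targetRef/targetRefs`, would warn downstream users. The same rule is added again in the hunk at `@@ -569,12 +644,85 @@`, and the schema starts outside both hunks.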
@@ -535,9 +609,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -569,12 +644,85 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or selector can be set
+ rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -590,10 +738,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: destinationrules.networking.istio.io
spec:
group: networking.istio.io
@@ -931,8 +1080,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of
+ Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of
+ traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -1277,9 +1452,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration
+ of Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed
+ of traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of
- Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than
@@ -1771,8 +1971,32 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of traffic
+ increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -2111,8 +2335,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of
+ Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of
+ traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -2350,6 +2600,74 @@ spec:
- host
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -2679,8 +2997,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of
+ Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of
+ traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -3025,9 +3369,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration
+ of Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed
+ of traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of
- Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than
@@ -3519,8 +3888,32 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of traffic
+ increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -3859,8 +4252,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of
+ Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of
+ traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -4098,6 +4517,74 @@ spec:
- host
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -4427,8 +4914,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of
+ Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of
+ traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -4773,9 +5286,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration
+ of Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed
+ of traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of
- Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than
@@ -5267,8 +5805,32 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of traffic
+ increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -5607,8 +6169,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of
+ Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of
+ traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -5846,7 +6434,75 @@ spec:
- host
type: object
status:
- type: object
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
+ type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
@@ -5861,10 +6517,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: envoyfilters.networking.istio.io
spec:
group: networking.istio.io
@@ -6156,9 +6813,11 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
workloadSelector:
description: Criteria used to select the specific set of pods/VMs
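Review bot: The `maxItems: 16` cap on `targetRefs` here is the first of several admission-tightening constraints in this file that are not backward compatible for objects already stored. The next hunk adds the label `maxLength: 63`, the wildcard check and `only one of targetRefs or workloadSelector can be set`, and the ServiceEntry hunks further down add `minItems: 1` on `hosts`, the 1-65535 port rules, `x-kubernetes-list-map-keys: name` on ports, the resolution/endpoints rules and `required: - spec`. Replacing a CRD does not re-check existing objects, so a violating resource would likely only surface later as a rejected update that is hard to trace back to this upgrade. I would run the EnvoyFilter and ServiceEntry manifests this repository ships against the new CRDs in CI, for example with `kubectl apply --dry-run=server`, before merging. The enclosing schema starts and ends outside the hunk.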
@@ -6166,13 +6825,89 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or workloadSelector can be set
+ rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6188,10 +6923,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: gateways.networking.istio.io
spec:
group: networking.istio.io
@@ -6361,6 +7097,74 @@ spec:
type: array
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6522,6 +7326,74 @@ spec:
type: array
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6683,6 +7555,74 @@ spec:
type: array
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6698,11 +7638,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: security
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: peerauthentications.security.istio.io
spec:
group: security.istio.io
@@ -6802,6 +7742,74 @@ spec:
rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size()
> 0) || !has(self.portLevelMtls)
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6893,6 +7901,74 @@ spec:
rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size()
> 0) || !has(self.portLevelMtls)
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6908,10 +7984,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: proxyconfigs.networking.istio.io
spec:
group: networking.istio.io
@@ -6974,6 +8051,74 @@ spec:
type: object
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6989,11 +8134,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: security
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: requestauthentications.security.istio.io
spec:
group: security.istio.io
@@ -7175,9 +8320,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -7209,15 +8355,85 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
type: object
x-kubernetes-validations:
- - message: only one of targetRefs or workloadSelector can be set
+ - message: only one of targetRefs or selector can be set
rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
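Review bot: The reworded message `only one of targetRefs or selector can be set` still does not name every field the rule counts: `(has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1` also rejects `targetRef` combined with either of the others. A user who sets `targetRef` and `selector` gets an error that points at a field they did not use; `only one of targetRef, targetRefs or selector can be set` would be accurate. The same message and rule appear in the following hunk for the other served version. If this file is rendered from the upstream chart, as its labels suggest, the wording fix belongs upstream.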
@@ -7391,9 +8607,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -7425,34 +8642,105 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
type: object
x-kubernetes-validations:
- - message: only one of targetRefs or workloadSelector can be set
+ - message: only one of targetRefs or selector can be set
rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: serviceentries.networking.istio.io
spec:
group: networking.istio.io
@@ -7501,7 +8789,9 @@ spec:
addresses:
description: The virtual IP addresses associated with the service.
items:
+ maxLength: 64
type: string
+ maxItems: 256
type: array
endpoints:
description: One or more endpoints associated with the service.
@@ -7514,11 +8804,11 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
- \ '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
+ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
- rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
- \ true"
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :
+ true"
labels:
additionalProperties:
type: string
@@ -7563,8 +8853,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))\
- \ ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))
+ ? !has(self.ports) : true"
maxItems: 4096
type: array
exportTo:
@@ -7576,6 +8866,11 @@ spec:
description: The hosts associated with the ServiceEntry.
items:
type: string
+ x-kubernetes-validations:
+ - message: hostname cannot be wildcard
+ rule: self != '*'
+ maxItems: 256
+ minItems: 1
type: array
location:
description: |-
@@ -7592,14 +8887,19 @@ spec:
properties:
name:
description: Label assigned to the port.
+ maxLength: 256
type: string
number:
description: A valid non-negative integer port number.
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
protocol:
description: The protocol exposed on the port.
+ maxLength: 256
type: string
targetPort:
description: The port number on the endpoint where the traffic
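Review bot: The new rule `0 < self && self <= 65535` on `number` leaves the structural bounds `minimum: 0` and `maximum: 4294967295` and the description `A valid non-negative integer port number.` unchanged, so the schema now states two different ranges. Anything that reads only the OpenAPI bounds (generated docs, client-side validators, policy tooling) will still treat 0 and values above 65535 as valid. Tightening the bounds to `minimum: 1` and `maximum: 65535` would express the same limit without relying on the CEL rule alone. The same applies to `targetPort` in the next hunk and to both fields in the second served version further down. The file looks rendered from the upstream chart, so this is probably an upstream report rather than a local edit.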
@@ -7607,11 +8907,21 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
required:
- number
- name
type: object
+ maxItems: 256
type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: port number cannot be duplicated
+ rule: self.all(l1, self.exists_one(l2, l1.number == l2.number))
resolution:
description: |-
Service resolution mode for the hosts.
@@ -7634,17 +8944,106 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
required:
- hosts
type: object
+ x-kubernetes-validations:
+ - message: only one of WorkloadSelector or Endpoints can be set
+ rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1
+ - message: CIDR addresses are allowed only for NONE/STATIC resolution
+ types
+ rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))
+ && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution
+ != 'NONE'))"
+ - message: NONE mode cannot set endpoints
+ rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)
+ : true"
+ - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
+ rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')
+ ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
type: object
served: true
storage: false
@@ -7683,7 +9082,9 @@ spec:
addresses:
description: The virtual IP addresses associated with the service.
items:
+ maxLength: 64
type: string
+ maxItems: 256
type: array
endpoints:
description: One or more endpoints associated with the service.
@@ -7696,11 +9097,11 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
- \ '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
+ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
- rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
- \ true"
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :
+ true"
labels:
additionalProperties:
type: string
@@ -7745,8 +9146,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))\
- \ ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))
+ ? !has(self.ports) : true"
maxItems: 4096
type: array
exportTo:
@@ -7758,6 +9159,11 @@ spec:
description: The hosts associated with the ServiceEntry.
items:
type: string
+ x-kubernetes-validations:
+ - message: hostname cannot be wildcard
+ rule: self != '*'
+ maxItems: 256
+ minItems: 1
type: array
location:
description: |-
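Review bot: The new rule on `hosts` items, `self != '*'`, rejects only the bare `*`, yet its message reads `hostname cannot be wildcard`; a value such as `*.example.com` still passes, so the message overstates what admission enforces. Anyone counting on this check to keep wildcard hosts out of ServiceEntry objects still needs a separate policy for prefixed wildcards. I would reword it to `message: hostname cannot be the bare wildcard '*'`. The same rule is repeated in the later `hosts` hunk for the next served version, and if this CRD is rendered from the upstream chart the wording fix belongs there.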
@@ -7774,14 +9180,19 @@ spec:
properties:
name:
description: Label assigned to the port.
+ maxLength: 256
type: string
number:
description: A valid non-negative integer port number.
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
protocol:
description: The protocol exposed on the port.
+ maxLength: 256
type: string
targetPort:
description: The port number on the endpoint where the traffic
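Review bot: `number` keeps `minimum: 0`, `maximum: 4294967295` and the description `A valid non-negative integer port number.` while the added CEL rule accepts only 1-65535, so the structural schema and the documentation advertise a range that admission now refuses. Aligning the bounds to `minimum: 1` and `maximum: 65535` would let the structural validation reject bad values on its own and make the published schema match the rule. `targetPort` in the following hunk has the same mismatch, as do both fields in the repeated copy of this schema further down.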
@@ -7789,11 +9200,21 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
required:
- number
- name
type: object
+ maxItems: 256
type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: port number cannot be duplicated
+ rule: self.all(l1, self.exists_one(l2, l1.number == l2.number))
resolution:
description: |-
Service resolution mode for the hosts.
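Review bot: Declaring `ports` as `x-kubernetes-list-type: map` keyed on `name` makes duplicate port names an admission error, and the new CEL rule does the same for duplicate port numbers; neither was enforced by the lines visible before this change. ServiceEntry manifests that were accepted earlier may therefore be rejected once this CRD is applied, presumably on their next create or update. It is worth running the repository's ServiceEntry manifests through `kubectl apply --dry-run=server` against a cluster carrying the new CRD before merging, and mentioning the tightened validation in the upgrade notes. The same change is repeated for the other served version in the later `ports` hunk, and the `ports` schema itself starts above this hunk.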
@@ -7816,17 +9237,106 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
required:
- hosts
type: object
+ x-kubernetes-validations:
+ - message: only one of WorkloadSelector or Endpoints can be set
+ rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1
+ - message: CIDR addresses are allowed only for NONE/STATIC resolution
+ types
+ rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))
+ && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution
+ != 'NONE'))"
+ - message: NONE mode cannot set endpoints
+ rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)
+ : true"
+ - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
+ rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')
+ ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
type: object
served: true
storage: false
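Review bot: The rule behind `NONE mode cannot set endpoints` also fires when `resolution` is absent, because it begins with `!has(self.resolution) ||`, but the message names only NONE. A user who sets `endpoints` and omits `resolution` gets an error about a mode they never wrote. I would spell it out as `message: endpoints cannot be set when resolution is NONE or unset`. The identical rule appears again in the later copy of this spec-level validation block.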
@@ -7865,7 +9375,9 @@ spec:
addresses:
description: The virtual IP addresses associated with the service.
items:
+ maxLength: 64
type: string
+ maxItems: 256
type: array
endpoints:
description: One or more endpoints associated with the service.
@@ -7878,11 +9390,11 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
- \ '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
+ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
- rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
- \ true"
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :
+ true"
labels:
additionalProperties:
type: string
@@ -7927,8 +9439,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))\
- \ ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))
+ ? !has(self.ports) : true"
maxItems: 4096
type: array
exportTo:
@@ -7940,6 +9452,11 @@ spec:
description: The hosts associated with the ServiceEntry.
items:
type: string
+ x-kubernetes-validations:
+ - message: hostname cannot be wildcard
+ rule: self != '*'
+ maxItems: 256
+ minItems: 1
type: array
location:
description: |-
@@ -7956,14 +9473,19 @@ spec:
properties:
name:
description: Label assigned to the port.
+ maxLength: 256
type: string
number:
description: A valid non-negative integer port number.
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
protocol:
description: The protocol exposed on the port.
+ maxLength: 256
type: string
targetPort:
description: The port number on the endpoint where the traffic
@@ -7971,11 +9493,21 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
required:
- number
- name
type: object
+ maxItems: 256
type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: port number cannot be duplicated
+ rule: self.all(l1, self.exists_one(l2, l1.number == l2.number))
resolution:
description: |-
Service resolution mode for the hosts.
@@ -7998,17 +9530,106 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
required:
- hosts
type: object
+ x-kubernetes-validations:
+ - message: only one of WorkloadSelector or Endpoints can be set
+ rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1
+ - message: CIDR addresses are allowed only for NONE/STATIC resolution
+ types
+ rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))
+ && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution
+ != 'NONE'))"
+ - message: NONE mode cannot set endpoints
+ rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)
+ : true"
+ - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
+ rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')
+ ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
type: object
served: true
storage: true
@@ -8022,10 +9643,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: sidecars.networking.istio.io
spec:
group: networking.istio.io
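Review bot: `app.kubernetes.io/managed-by: Helm` and `helm.sh/chart: base-1.24.2` are now stamped on a CRD that this repository appears to apply with `kustomize build ... | kubectl apply -f -` rather than through a Helm release, so the ownership labels no longer describe how the object is actually managed. Dropping `app: istio-pilot` and `release: istio` also means any selector, inventory query or cleanup script that matched on them stops finding these CRDs. I would search the repository for `release=istio` and `app=istio-pilot` selectors before merging. The same label swap is made on the telemetries, virtualservices and wasmplugins CRDs in later hunks.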
@@ -8451,7 +10073,8 @@ spec:
type: object
type: array
outboundTrafficPolicy:
- description: Configuration for the outbound traffic policy.
+ description: Set the default behavior of the sidecar for handling
+ outbound traffic from the application.
properties:
egressProxy:
properties:
@@ -8489,13 +10112,86 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -8915,7 +10611,8 @@ spec:
type: object
type: array
outboundTrafficPolicy:
- description: Configuration for the outbound traffic policy.
+ description: Set the default behavior of the sidecar for handling
+ outbound traffic from the application.
properties:
egressProxy:
properties:
@@ -8953,13 +10650,86 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -9379,7 +11149,8 @@ spec:
type: object
type: array
outboundTrafficPolicy:
- description: Configuration for the outbound traffic policy.
+ description: Set the default behavior of the sidecar for handling
+ outbound traffic from the application.
properties:
egressProxy:
properties:
@@ -9417,39 +11188,112 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
type: object
status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- helm.sh/resource-policy: keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: telemetry
- release: istio
- name: telemetries.telemetry.istio.io
-spec:
- group: telemetry.istio.io
- names:
- categories:
- - istio-io
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
+ name: telemetries.telemetry.istio.io
+spec:
+ group: telemetry.istio.io
+ names:
+ categories:
+ - istio-io
- telemetry-istio-io
kind: Telemetry
listKind: TelemetryList
@@ -9599,11 +11443,11 @@ spec:
type: object
x-kubernetes-validations:
- message: value must be set when operation is UPSERT
- rule: "((has(self.operation) ? self.operation : '')\
- \ == 'UPSERT') ? self.value != '' : true"
+ rule: "((has(self.operation) ? self.operation : '')
+ == 'UPSERT') ? self.value != '' : true"
- message: value must not be set when operation is REMOVE
- rule: "((has(self.operation) ? self.operation : '')\
- \ == 'REMOVE') ? !has(self.value) : true"
+ rule: "((has(self.operation) ? self.operation : '')
+ == 'REMOVE') ? !has(self.value) : true"
description: Optional.
type: object
type: object
@@ -9677,9 +11521,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -9711,9 +11556,11 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
tracing:
description: Optional.
@@ -9825,7 +11672,78 @@ spec:
type: object
type: array
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or selector can be set
+ rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
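Review bot: The spec-level rule counts three fields, `selector`, `targetRef` and `targetRefs`, but its message, `only one of targetRefs or selector can be set`, leaves `targetRef` out. Someone who sets `targetRef` together with `selector` is told about a field they did not use. Suggested wording: `message: only one of selector, targetRef or targetRefs can be set`. The same message is added for the other Telemetry version in the later hunk.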
@@ -9973,11 +11891,11 @@ spec:
type: object
x-kubernetes-validations:
- message: value must be set when operation is UPSERT
- rule: "((has(self.operation) ? self.operation : '')\
- \ == 'UPSERT') ? self.value != '' : true"
+ rule: "((has(self.operation) ? self.operation : '')
+ == 'UPSERT') ? self.value != '' : true"
- message: value must not be set when operation is REMOVE
- rule: "((has(self.operation) ? self.operation : '')\
- \ == 'REMOVE') ? !has(self.value) : true"
+ rule: "((has(self.operation) ? self.operation : '')
+ == 'REMOVE') ? !has(self.value) : true"
description: Optional.
type: object
type: object
@@ -10051,9 +11969,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -10085,9 +12004,11 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
tracing:
description: Optional.
@@ -10199,7 +12120,78 @@ spec:
type: object
type: array
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or selector can be set
+ rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -10215,10 +12207,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: virtualservices.networking.istio.io
spec:
group: networking.istio.io
@@ -11195,6 +13188,74 @@ spec:
type: array
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -12163,6 +14224,74 @@ spec:
type: array
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -13131,6 +15260,74 @@ spec:
type: array
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -13146,10 +15343,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: wasmplugins.extensions.istio.io
spec:
group: extensions.istio.io
@@ -13319,9 +15517,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -13353,9 +15552,11 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
type:
description: |-
@@ -13373,9 +15574,9 @@ spec:
type: string
x-kubernetes-validations:
- message: url must have schema one of [http, https, file, oci]
- rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',\
- \ 'oci', 'file']) : (isURL('http://' + self) && url('http://'\
- \ +self).getScheme() in ['', 'http', 'https', 'oci', 'file'])"
+ rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',
+ 'oci', 'file']) : (isURL('http://' + self) && url('http://' +self).getScheme()
+ in ['', 'http', 'https', 'oci', 'file'])"
verificationKey:
type: string
vmConfig:
@@ -13409,8 +15610,8 @@ spec:
type: object
x-kubernetes-validations:
- message: value may only be set when valueFrom is INLINE
- rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'\
- \ || !has(self.value)"
+ rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'
+ || !has(self.value)"
maxItems: 256
type: array
x-kubernetes-list-map-keys:
@@ -13420,7 +15621,78 @@ spec:
required:
- url
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or selector can be set
+ rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
required:
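Review bot: The message on the new top-level `x-kubernetes-validations` entry names only `targetRefs` and `selector`, but its rule also counts `targetRef`. A WasmPlugin that sets `selector` together with the singular `targetRef` is therefore rejected with a message that does not mention the field at fault. Wording such as `message: only one of selector, targetRef or targetRefs can be set` would match the rule. The file looks generated from the upstream Istio chart, so the wording is probably best fixed there rather than patched locally.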
@@ -13438,10 +15710,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: workloadentries.networking.istio.io
spec:
group: networking.istio.io
@@ -13485,8 +15758,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
- \ || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'
+ || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -13533,15 +15806,81 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
- \ : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)
+ : true"
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- spec
- - spec
- - spec
type: object
served: true
storage: false
@@ -13575,8 +15914,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
- \ || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'
+ || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -13623,15 +15962,81 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
- \ : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)
+ : true"
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- spec
- - spec
- - spec
type: object
served: true
storage: false
@@ -13665,8 +16070,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
- \ || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'
+ || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -13713,15 +16118,81 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
- \ : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)
+ : true"
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- spec
- - spec
- - spec
type: object
served: true
storage: true
@@ -13733,10 +16204,11 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: workloadgroups.networking.istio.io
spec:
group: networking.istio.io
@@ -13775,10 +16247,12 @@ spec:
annotations:
additionalProperties:
type: string
+ maxProperties: 256
type: object
labels:
additionalProperties:
type: string
+ maxProperties: 256
type: object
type: object
probe:
@@ -13807,13 +16281,17 @@ spec:
command:
description: Command to run.
items:
+ minLength: 1
type: string
type: array
+ required:
+ - command
type: object
failureThreshold:
description: Minimum consecutive failures for the probe to be
considered failed after having succeeded.
format: int32
+ minimum: 0
type: integer
httpGet:
description: '`httpGet` is performed to a given endpoint and the
@@ -13828,6 +16306,7 @@ spec:
items:
properties:
name:
+ pattern: ^[-_A-Za-z0-9]+$
type: string
value:
type: string
@@ -13841,8 +16320,14 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
scheme:
type: string
+ x-kubernetes-validations:
+ - message: scheme must be one of [HTTP, HTTPS]
+ rule: self in ['', 'HTTP', 'HTTPS']
required:
- port
type: object
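Review bot: The added `scheme` rule accepts the empty string (`self in ['', 'HTTP', 'HTTPS']`) while its message lists only HTTP and HTTPS. The `port` field also keeps `maximum: 4294967295` and `minimum: 0` beside a CEL rule that permits only 1-65535. If an API server does not evaluate `x-kubernetes-validations`, only the schema bounds apply, so setting `minimum: 1` and `maximum: 65535` would enforce the range in both cases. The same pair recurs in the hunks at `@@ -14036,8 +16605,14` and `@@ -14231,8 +16890,14`, and the port rule alone in the three `tcpSocket` hunks.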
@@ -13850,15 +16335,18 @@ spec:
description: Number of seconds after the container has started
before readiness probes are initiated.
format: int32
+ minimum: 0
type: integer
periodSeconds:
description: How often (in seconds) to perform the probe.
format: int32
+ minimum: 0
type: integer
successThreshold:
description: Minimum consecutive successes for the probe to be
considered successful after having failed.
format: int32
+ minimum: 0
type: integer
tcpSocket:
description: Health is determined by if the proxy is able to connect.
@@ -13869,12 +16357,16 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
required:
- port
type: object
timeoutSeconds:
description: Number of seconds after which the probe times out.
format: int32
+ minimum: 0
type: integer
type: object
template:
@@ -13888,8 +16380,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
- \ '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
+ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -13934,14 +16426,84 @@ spec:
type: object
x-kubernetes-validations:
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))\
- \ ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))
+ ? !has(self.ports) : true"
required:
- template
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
type: object
served: true
storage: false
@@ -13970,10 +16532,12 @@ spec:
annotations:
additionalProperties:
type: string
+ maxProperties: 256
type: object
labels:
additionalProperties:
type: string
+ maxProperties: 256
type: object
type: object
probe:
@@ -14002,13 +16566,17 @@ spec:
command:
description: Command to run.
items:
+ minLength: 1
type: string
type: array
+ required:
+ - command
type: object
failureThreshold:
description: Minimum consecutive failures for the probe to be
considered failed after having succeeded.
format: int32
+ minimum: 0
type: integer
httpGet:
description: '`httpGet` is performed to a given endpoint and the
@@ -14023,6 +16591,7 @@ spec:
items:
properties:
name:
+ pattern: ^[-_A-Za-z0-9]+$
type: string
value:
type: string
@@ -14036,8 +16605,14 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
scheme:
type: string
+ x-kubernetes-validations:
+ - message: scheme must be one of [HTTP, HTTPS]
+ rule: self in ['', 'HTTP', 'HTTPS']
required:
- port
type: object
@@ -14045,15 +16620,18 @@ spec:
description: Number of seconds after the container has started
before readiness probes are initiated.
format: int32
+ minimum: 0
type: integer
periodSeconds:
description: How often (in seconds) to perform the probe.
format: int32
+ minimum: 0
type: integer
successThreshold:
description: Minimum consecutive successes for the probe to be
considered successful after having failed.
format: int32
+ minimum: 0
type: integer
tcpSocket:
description: Health is determined by if the proxy is able to connect.
@@ -14064,12 +16642,16 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
required:
- port
type: object
timeoutSeconds:
description: Number of seconds after which the probe times out.
format: int32
+ minimum: 0
type: integer
type: object
template:
@@ -14083,8 +16665,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
- \ '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
+ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -14129,14 +16711,84 @@ spec:
type: object
x-kubernetes-validations:
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))\
- \ ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))
+ ? !has(self.ports) : true"
required:
- template
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
type: object
served: true
storage: false
@@ -14165,10 +16817,12 @@ spec:
annotations:
additionalProperties:
type: string
+ maxProperties: 256
type: object
labels:
additionalProperties:
type: string
+ maxProperties: 256
type: object
type: object
probe:
@@ -14197,13 +16851,17 @@ spec:
command:
description: Command to run.
items:
+ minLength: 1
type: string
type: array
+ required:
+ - command
type: object
failureThreshold:
description: Minimum consecutive failures for the probe to be
considered failed after having succeeded.
format: int32
+ minimum: 0
type: integer
httpGet:
description: '`httpGet` is performed to a given endpoint and the
@@ -14218,6 +16876,7 @@ spec:
items:
properties:
name:
+ pattern: ^[-_A-Za-z0-9]+$
type: string
value:
type: string
@@ -14231,8 +16890,14 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
scheme:
type: string
+ x-kubernetes-validations:
+ - message: scheme must be one of [HTTP, HTTPS]
+ rule: self in ['', 'HTTP', 'HTTPS']
required:
- port
type: object
@@ -14240,15 +16905,18 @@ spec:
description: Number of seconds after the container has started
before readiness probes are initiated.
format: int32
+ minimum: 0
type: integer
periodSeconds:
description: How often (in seconds) to perform the probe.
format: int32
+ minimum: 0
type: integer
successThreshold:
description: Minimum consecutive successes for the probe to be
considered successful after having failed.
format: int32
+ minimum: 0
type: integer
tcpSocket:
description: Health is determined by if the proxy is able to connect.
@@ -14259,12 +16927,16 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
required:
- port
type: object
timeoutSeconds:
description: Number of seconds after which the probe times out.
format: int32
+ minimum: 0
type: integer
type: object
template:
@@ -14278,8 +16950,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
- \ '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
+ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -14324,14 +16996,84 @@ spec:
type: object
x-kubernetes-validations:
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))\
- \ ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))
+ ? !has(self.ports) : true"
required:
- template
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
type: object
served: true
storage: true
diff --git a/common/istio-1-23/istio-crds/base/kustomization.yaml b/common/istio-1-24/istio-crds/base/kustomization.yaml
similarity index 100%
rename from common/istio-1-23/istio-crds/base/kustomization.yaml
rename to common/istio-1-24/istio-crds/base/kustomization.yaml
diff --git a/common/istio-1-23/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-1-24/istio-install/base/deny_all_authorizationpolicy.yaml
similarity index 100%
rename from common/istio-1-23/istio-install/base/deny_all_authorizationpolicy.yaml
rename to common/istio-1-24/istio-install/base/deny_all_authorizationpolicy.yaml
diff --git a/common/istio-1-23/istio-install/base/gateway.yaml b/common/istio-1-24/istio-install/base/gateway.yaml
similarity index 100%
rename from common/istio-1-23/istio-install/base/gateway.yaml
rename to common/istio-1-24/istio-install/base/gateway.yaml
diff --git a/common/istio-1-23/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-1-24/istio-install/base/gateway_authorizationpolicy.yaml
similarity index 100%
rename from common/istio-1-23/istio-install/base/gateway_authorizationpolicy.yaml
rename to common/istio-1-24/istio-install/base/gateway_authorizationpolicy.yaml
diff --git a/common/istio-1-23/istio-install/base/install.yaml b/common/istio-1-24/istio-install/base/install.yaml
similarity index 88%
rename from common/istio-1-23/istio-install/base/install.yaml
rename to common/istio-1-24/istio-install/base/install.yaml
index 59d77f1575..414a98dc4c 100644
--- a/common/istio-1-23/istio-install/base/install.yaml
+++ b/common/istio-1-24/istio-install/base/install.yaml
@@ -1,21 +1,14 @@
apiVersion: v1
kind: ServiceAccount
-metadata:
- labels:
- app: istio-ingressgateway
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway-service-account
- namespace: istio-system
----
-apiVersion: v1
-kind: ServiceAccount
metadata:
labels:
app: istio-reader
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-reader
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
release: istio
name: istio-reader-service-account
namespace: istio-system
@@ -25,6 +18,12 @@ kind: ServiceAccount
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod
namespace: istio-system
@@ -34,6 +33,12 @@ kind: ClusterRole
metadata:
labels:
app: istio-reader
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-reader
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istio-reader-clusterrole-istio-system
rules:
@@ -142,6 +147,12 @@ kind: ClusterRole
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod-clusterrole-istio-system
rules:
@@ -194,6 +205,7 @@ rules:
- networking.istio.io
resources:
- workloadentries/status
+ - serviceentries/status
verbs:
- get
- watch
@@ -203,15 +215,29 @@ rules:
- create
- delete
- apiGroups:
- - networking.istio.io
+ - security.istio.io
resources:
- - serviceentries/status
+ - authorizationpolicies/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
+- apiGroups:
+ - ''
+ resources:
+ - services/status
verbs:
- get
- watch
- list
- update
- patch
+ - create
+ - delete
- apiGroups:
- apiextensions.k8s.io
resources:
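Review bot: The new `authorizationpolicies/status` and core-group `services/status` rules grant `create` and `delete` alongside `update` and `patch`, in what appears to be the cluster-wide `istiod-clusterrole-istio-system` role. A status subresource is served for get, update and patch only, so the extra verbs add nothing except a broader-looking grant. Trimming these rules to `get`, `update`, `patch` would state the intent if they are ever patched in an overlay. Write access to `services/status` applies to every Service in the cluster, so it is worth recording in the upgrade notes which Istio 1.24 feature needs it. That way the grant can be reviewed against the features this distribution actually enables.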
@@ -278,7 +304,6 @@ rules:
verbs:
- create
- apiGroups:
- - networking.x-k8s.io
- gateway.networking.k8s.io
resources:
- '*'
@@ -287,10 +312,17 @@ rules:
- watch
- list
- apiGroups:
- - networking.x-k8s.io
- gateway.networking.k8s.io
resources:
- - '*'
+ - backendtlspolicies/status
+ - gatewayclasses/status
+ - gateways/status
+ - grpcroutes/status
+ - httproutes/status
+ - referencegrants/status
+ - tcproutes/status
+ - tlsroutes/status
+ - udproutes/status
verbs:
- update
- patch
@@ -335,6 +367,12 @@ kind: ClusterRole
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod-gateway-controller-istio-system
rules:
@@ -380,6 +418,12 @@ kind: ClusterRoleBinding
metadata:
labels:
app: istio-reader
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-reader
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istio-reader-clusterrole-istio-system
roleRef:
@@ -396,6 +440,12 @@ kind: ClusterRoleBinding
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod-clusterrole-istio-system
roleRef:
@@ -412,6 +462,12 @@ kind: ClusterRoleBinding
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod-gateway-controller-istio-system
roleRef:
@@ -428,6 +484,12 @@ kind: ValidatingWebhookConfiguration
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
istio: istiod
istio.io/rev: default
release: istio
@@ -482,6 +544,12 @@ data:
kind: ConfigMap
metadata:
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -529,7 +597,7 @@ data:
{{- end }}
{{- end }}
{{- end }}
- {{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }}
+ {{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }}
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
@@ -550,8 +618,8 @@ data:
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{- end }}
{{- end }}
- {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }}
- {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}}
+ {{- if .Values.pilot.cni.enabled }}
+ {{- if eq .Values.pilot.cni.provider "multus" }}
k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
{{- end }}
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
@@ -575,7 +643,7 @@ data:
(not $nativeSidecar) }}
initContainers:
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
- {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}}
+ {{ if .Values.pilot.cni.enabled -}}
- name: istio-validation
{{ else -}}
- name: istio-init
@@ -627,9 +695,11 @@ data:
{{ if .Values.global.logAsJson -}}
- "--log_as_json"
{{ end -}}
- {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}}
+ {{ if .Values.pilot.cni.enabled -}}
- "--run-validation"
- "--skip-rule-apply"
+ {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+ - "--force-apply"
{{ end -}}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{- if .ProxyConfig.ProxyMetadata }}
@@ -645,14 +715,14 @@ data:
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
privileged: {{ .Values.global.proxy.privileged }}
capabilities:
- {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }}
+ {{- if not .Values.pilot.cni.enabled }}
add:
- NET_ADMIN
- NET_RAW
{{- end }}
drop:
- ALL
- {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }}
+ {{- if not .Values.pilot.cni.enabled }}
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
@@ -664,34 +734,6 @@ data:
runAsNonRoot: true
{{- end }}
{{ end -}}
- {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
- - name: enable-core-dump
- args:
- - -c
- - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
- command:
- - /bin/sh
- {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
- image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
- {{- else }}
- image: "{{ .ProxyImage }}"
- {{- end }}
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- resources:
- {{ template "resources" . }}
- securityContext:
- allowPrivilegeEscalation: true
- capabilities:
- add:
- - SYS_ADMIN
- drop:
- - ALL
- privileged: true
- readOnlyRootFilesystem: false
- runAsGroup: 0
- runAsNonRoot: false
- runAsUser: 0
- {{ end }}
{{ if not $nativeSidecar }}
containers:
{{ end }}
@@ -887,7 +929,7 @@ data:
drop:
- ALL
privileged: true
- readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ readOnlyRootFilesystem: true
runAsGroup: {{ .ProxyGID | default "1337" }}
runAsNonRoot: false
runAsUser: 0
@@ -906,7 +948,7 @@ data:
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
- readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ readOnlyRootFilesystem: true
runAsGroup: {{ .ProxyGID | default "1337" }}
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
runAsNonRoot: false
@@ -935,10 +977,6 @@ data:
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
- - mountPath: /var/run/secrets/istio/kubernetes
- name: kube-ca-cert
- {{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
@@ -1014,11 +1052,6 @@ data:
configMap:
name: istio-ca-root-cert
{{- end }}
- {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
- - name: kube-ca-cert
- configMap:
- name: kube-root-ca.crt
- {{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
@@ -1689,7 +1722,6 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
) | nindent 4 }}
{{- if ge .KubeVersion 128 }}
# Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
@@ -1712,7 +1744,6 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
"gateway.istio.io/managed" "istio.io-mesh-controller"
) | nindent 4 }}
ownerReferences:
@@ -1746,15 +1777,33 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
"gateway.istio.io/managed" "istio.io-mesh-controller"
) | nindent 8}}
spec:
+ {{- if .Values.global.waypoint.affinity }}
+ affinity:
+ {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.global.waypoint.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+ {{- end }}
+ {{- if .Values.global.waypoint.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.global.waypoint.tolerations }}
+ tolerations:
+ {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+ {{- end }}
terminationGracePeriodSeconds: 2
serviceAccountName: {{.ServiceAccount | quote}}
containers:
- name: istio-proxy
ports:
+ - containerPort: 15020
+ name: metrics
+ protocol: TCP
- containerPort: 15021
name: status-port
protocol: TCP
@@ -1861,13 +1910,10 @@ data:
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
+ {{- if .Values.global.waypoint.resources }}
resources:
- limits:
- cpu: "2"
- memory: 1Gi
- requests:
- cpu: 100m
- memory: 128Mi
+ {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+ {{- end }}
startupProbe:
failureThreshold: 30
httpGet:
@@ -1890,8 +1936,10 @@ data:
timeoutSeconds: 1
securityContext:
privileged: false
+ {{- if not (eq .Values.global.platform "openshift") }}
runAsGroup: 1337
runAsUser: 1337
+ {{- end }}
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
@@ -1903,8 +1951,8 @@ data:
{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
{{- end }}
volumeMounts:
- - name: workload-socket
- mountPath: /var/run/secrets/workload-spiffe-uds
+ - mountPath: /var/run/secrets/workload-spiffe-uds
+ name: workload-socket
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
- mountPath: /var/lib/istio/data
@@ -1958,13 +2006,19 @@ data:
kind: Service
metadata:
annotations:
- {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+ {{ toJsonMap
+ (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+ (omit .InfrastructureAnnotations
+ "kubectl.kubernetes.io/last-applied-configuration"
+ "gateway.istio.io/name-override"
+ "gateway.istio.io/service-account"
+ "gateway.istio.io/controller-version"
+ ) | nindent 4 }}
labels:
{{- toJsonMap
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
) | nindent 4 }}
name: {{.DeploymentName | quote}}
namespace: {{.Namespace | quote}}
@@ -2002,7 +2056,6 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
) | nindent 4 }}
{{- if ge .KubeVersion 128 }}
# Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
@@ -2025,7 +2078,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
+ "gateway.istio.io/managed" "istio.io-gateway-controller"
) | nindent 4 }}
ownerReferences:
- apiVersion: gateway.networking.k8s.io/v1beta1
@@ -2057,7 +2110,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
+ "gateway.istio.io/managed" "istio.io-gateway-controller"
) | nindent 8 }}
spec:
securityContext:
@@ -2096,6 +2149,9 @@ data:
runAsGroup: {{ .ProxyGID | default "1337" }}
runAsNonRoot: true
ports:
+ - containerPort: 15020
+ name: metrics
+ protocol: TCP
- containerPort: 15021
name: status-port
protocol: TCP
@@ -2309,7 +2365,6 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
) | nindent 4 }}
name: {{.DeploymentName | quote}}
namespace: {{.Namespace | quote}}
@@ -2319,6 +2374,7 @@ data:
name: {{.Name}}
uid: {{.UID}}
spec:
+ ipFamilyPolicy: PreferDualStack
ports:
{{- range $key, $val := .Ports }}
- name: {{ $val.Name | quote }}
@@ -2340,7 +2396,6 @@ data:
"securityContext": {}
},
"global": {
- "autoscalingv2API": true,
"caAddress": "",
"caName": "",
"certSigners": [],
@@ -2354,7 +2409,6 @@ data:
"cpu": "10m"
}
},
- "enabled": true,
"externalIstiod": false,
"hub": "docker.io/istio",
"imagePullPolicy": "",
@@ -2374,7 +2428,6 @@ data:
"clusterName": "",
"enabled": false
},
- "namespace": "istio-system",
"network": "",
"omitSidecarInjectorConfigMap": false,
"operatorManageWebhooks": false,
@@ -2384,7 +2437,6 @@ data:
"autoInject": "enabled",
"clusterDomain": "cluster.local",
"componentLogLevel": "misc:error",
- "enableCoreDump": false,
"excludeIPRanges": "",
"excludeInboundPorts": "",
"excludeOutboundPorts": "",
@@ -2416,6 +2468,7 @@ data:
"tracer": "none"
},
"proxy_init": {
+ "forceApplyIptables": false,
"image": "proxyv2"
},
"remotePilotAddress": "",
@@ -2427,13 +2480,24 @@ data:
"sts": {
"servicePort": 0
},
- "tag": "1.23.2",
- "variant": ""
- },
- "istio_cni": {
- "chained": true,
- "enabled": false,
- "provider": "default"
+ "tag": "1.24.2",
+ "variant": "",
+ "waypoint": {
+ "affinity": {},
+ "nodeSelector": {},
+ "resources": {
+ "limits": {
+ "cpu": "2",
+ "memory": "1Gi"
+ },
+ "requests": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ }
+ },
+ "tolerations": [],
+ "topologySpreadConstraints": []
+ }
},
"pilot": {
"cni": {
@@ -2456,6 +2520,12 @@ data:
kind: ConfigMap
metadata:
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -2468,6 +2538,12 @@ kind: MutatingWebhookConfiguration
metadata:
labels:
app: sidecar-injector
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -2617,228 +2693,15 @@ webhooks:
---
apiVersion: apps/v1
kind: Deployment
-metadata:
- labels:
- app: istio-ingressgateway
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway
- namespace: istio-system
-spec:
- selector:
- matchLabels:
- app: istio-ingressgateway
- istio: ingressgateway
- strategy:
- rollingUpdate:
- maxSurge: 100%
- maxUnavailable: 25%
- template:
- metadata:
- annotations:
- istio.io/rev: default
- prometheus.io/path: /stats/prometheus
- prometheus.io/port: '15020'
- prometheus.io/scrape: 'true'
- sidecar.istio.io/inject: 'false'
- labels:
- app: istio-ingressgateway
- chart: gateways
- heritage: Tiller
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- service.istio.io/canonical-name: istio-ingressgateway
- service.istio.io/canonical-revision: latest
- sidecar.istio.io/inject: 'false'
- spec:
- affinity:
- nodeAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- requiredDuringSchedulingIgnoredDuringExecution:
- containers:
- - args:
- - proxy
- - router
- - --domain
- - $(POD_NAMESPACE).svc.cluster.local
- - --proxyLogLevel=warning
- - --proxyComponentLogLevel=misc:error
- - --log_output_level=default:info
- env:
- - name: PILOT_CERT_PROVIDER
- value: istiod
- - name: CA_ADDR
- value: istiod.istio-system.svc:15012
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: spec.nodeName
- - name: POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.podIP
- - name: HOST_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.hostIP
- - name: ISTIO_CPU_LIMIT
- valueFrom:
- resourceFieldRef:
- resource: limits.cpu
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: ISTIO_META_WORKLOAD_NAME
- value: istio-ingressgateway
- - name: ISTIO_META_OWNER
- value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
- - name: ISTIO_META_MESH_ID
- value: cluster.local
- - name: TRUST_DOMAIN
- value: cluster.local
- - name: ISTIO_META_UNPRIVILEGED_POD
- value: 'true'
- - name: ISTIO_META_CLUSTER_ID
- value: Kubernetes
- - name: ISTIO_META_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- image: docker.io/istio/proxyv2:1.23.2
- name: istio-proxy
- ports:
- - containerPort: 15021
- protocol: TCP
- - containerPort: 8080
- protocol: TCP
- - containerPort: 8443
- protocol: TCP
- - containerPort: 15090
- name: http-envoy-prom
- protocol: TCP
- readinessProbe:
- failureThreshold: 30
- httpGet:
- path: /healthz/ready
- port: 15021
- scheme: HTTP
- initialDelaySeconds: 1
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- limits:
- cpu: 2000m
- memory: 1024Mi
- requests:
- cpu: 100m
- memory: 128Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- volumeMounts:
- - mountPath: /var/run/secrets/workload-spiffe-uds
- name: workload-socket
- - mountPath: /var/run/secrets/credential-uds
- name: credential-socket
- - mountPath: /var/run/secrets/workload-spiffe-credentials
- name: workload-certs
- - mountPath: /etc/istio/proxy
- name: istio-envoy
- - mountPath: /etc/istio/config
- name: config-volume
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
- - mountPath: /var/run/secrets/tokens
- name: istio-token
- readOnly: true
- - mountPath: /var/lib/istio/data
- name: istio-data
- - mountPath: /etc/istio/pod
- name: podinfo
- - mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-certs
- readOnly: true
- - mountPath: /etc/istio/ingressgateway-ca-certs
- name: ingressgateway-ca-certs
- readOnly: true
- securityContext:
- runAsGroup: 1337
- runAsNonRoot: true
- runAsUser: 1337
- serviceAccountName: istio-ingressgateway-service-account
- volumes:
- - emptyDir: {}
- name: workload-socket
- - emptyDir: {}
- name: credential-socket
- - emptyDir: {}
- name: workload-certs
- - configMap:
- name: istio-ca-root-cert
- name: istiod-ca-cert
- - downwardAPI:
- items:
- - fieldRef:
- fieldPath: metadata.labels
- path: labels
- - fieldRef:
- fieldPath: metadata.annotations
- path: annotations
- name: podinfo
- - emptyDir: {}
- name: istio-envoy
- - emptyDir: {}
- name: istio-data
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- audience: istio-ca
- expirationSeconds: 43200
- path: istio-token
- - configMap:
- name: istio
- optional: true
- name: config-volume
- - name: ingressgateway-certs
- secret:
- optional: true
- secretName: istio-ingressgateway-certs
- - name: ingressgateway-ca-certs
- secret:
- optional: true
- secretName: istio-ingressgateway-ca-certs
----
-apiVersion: apps/v1
-kind: Deployment
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
@@ -2862,6 +2725,12 @@ spec:
sidecar.istio.io/inject: 'false'
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/dataplane-mode: none
@@ -2915,17 +2784,27 @@ spec:
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
+ divisor: '1'
resource: limits.cpu
- name: PLATFORM
value: ''
- image: docker.io/istio/pilot:1.23.2
+ image: docker.io/istio/pilot:1.24.2
name: discovery
ports:
- containerPort: 8080
+ name: http-debug
protocol: TCP
- containerPort: 15010
+ name: grpc-xds
+ protocol: TCP
+ - containerPort: 15012
+ name: tls-xds
protocol: TCP
- containerPort: 15017
+ name: https-webhooks
+ protocol: TCP
+ - containerPort: 15014
+ name: http-monitoring
protocol: TCP
readinessProbe:
httpGet:
@@ -2998,28 +2877,15 @@ spec:
---
apiVersion: policy/v1
kind: PodDisruptionBudget
-metadata:
- labels:
- app: istio-ingressgateway
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway
- namespace: istio-system
-spec:
- minAvailable: 1
- selector:
- matchLabels:
- app: istio-ingressgateway
- istio: ingressgateway
----
-apiVersion: policy/v1
-kind: PodDisruptionBudget
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
@@ -3036,29 +2902,15 @@ spec:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
-metadata:
- labels:
- install.operator.istio.io/owning-resource: unknown
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway-sds
- namespace: istio-system
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - watch
- - list
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod
namespace: istio-system
@@ -3098,27 +2950,15 @@ rules:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
-metadata:
- labels:
- install.operator.istio.io/owning-resource: unknown
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway-sds
- namespace: istio-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istio-ingressgateway-sds
-subjects:
-- kind: ServiceAccount
- name: istio-ingressgateway-service-account
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod
namespace: istio-system
@@ -3133,36 +2973,15 @@ subjects:
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
-metadata:
- labels:
- app: istio-ingressgateway
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway
- namespace: istio-system
-spec:
- maxReplicas: 5
- metrics:
- - resource:
- name: cpu
- target:
- averageUtilization: 80
- type: Utilization
- type: Resource
- minReplicas: 1
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: istio-ingressgateway
----
-apiVersion: autoscaling/v2
-kind: HorizontalPodAutoscaler
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -3186,41 +3005,15 @@ spec:
---
apiVersion: v1
kind: Service
-metadata:
- annotations:
- labels:
- app: istio-ingressgateway
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway
- namespace: istio-system
-spec:
- ports:
- - name: status-port
- port: 15021
- protocol: TCP
- targetPort: 15021
- - name: http2
- port: 80
- protocol: TCP
- targetPort: 8080
- - name: https
- port: 443
- protocol: TCP
- targetPort: 8443
- selector:
- app: istio-ingressgateway
- istio: ingressgateway
- type: LoadBalancer
----
-apiVersion: v1
-kind: Service
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
diff --git a/common/istio-1-24/istio-install/base/istio-ingressgateway-deployment.yaml b/common/istio-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
new file mode 100644
index 0000000000..45a37d7f8f
--- /dev/null
+++ b/common/istio-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
@@ -0,0 +1,218 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: istio-ingressgateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: ingressgateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ strategy:
+ rollingUpdate:
+ maxSurge: 100%
+ maxUnavailable: 25%
+ template:
+ metadata:
+ annotations:
+ istio.io/rev: default
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "15020"
+ prometheus.io/scrape: "true"
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: istio-ingressgateway
+ chart: gateways
+ heritage: Tiller
+ install.operator.istio.io/owning-resource: unknown
+ istio: ingressgateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ service.istio.io/canonical-name: istio-ingressgateway
+ service.istio.io/canonical-revision: latest
+ sidecar.istio.io/inject: "false"
+ spec:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution: null
+ requiredDuringSchedulingIgnoredDuringExecution: null
+ containers:
+ - args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.cluster.local
+ - --proxyLogLevel=warning
+ - --proxyComponentLogLevel=misc:error
+ - --log_output_level=default:info
+ env:
+ - name: PILOT_CERT_PROVIDER
+ value: istiod
+ - name: CA_ADDR
+ value: istiod.istio-system.svc:15012
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.hostIP
+ - name: ISTIO_CPU_LIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: istio-ingressgateway
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
+ - name: ISTIO_META_MESH_ID
+ value: cluster.local
+ - name: TRUST_DOMAIN
+ value: cluster.local
+ - name: ISTIO_META_UNPRIVILEGED_POD
+ value: "true"
+ - name: ISTIO_META_CLUSTER_ID
+ value: Kubernetes
+ - name: ISTIO_META_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ image: docker.io/istio/proxyv2:1.24.2
+ name: istio-proxy
+ ports:
+ - containerPort: 15021
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 8443
+ protocol: TCP
+ - containerPort: 15090
+ name: http-envoy-prom
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /var/run/secrets/workload-spiffe-uds
+ name: workload-socket
+ - mountPath: /var/run/secrets/credential-uds
+ name: credential-socket
+ - mountPath: /var/run/secrets/workload-spiffe-credentials
+ name: workload-certs
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ - mountPath: /etc/istio/config
+ name: config-volume
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ readOnly: true
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ - mountPath: /etc/istio/pod
+ name: podinfo
+ - mountPath: /etc/istio/ingressgateway-certs
+ name: ingressgateway-certs
+ readOnly: true
+ - mountPath: /etc/istio/ingressgateway-ca-certs
+ name: ingressgateway-ca-certs
+ readOnly: true
+ securityContext:
+ runAsGroup: 1337
+ runAsNonRoot: true
+ runAsUser: 1337
+ serviceAccountName: istio-ingressgateway-service-account
+ volumes:
+ - emptyDir: {}
+ name: workload-socket
+ - emptyDir: {}
+ name: credential-socket
+ - emptyDir: {}
+ name: workload-certs
+ - configMap:
+ name: istio-ca-root-cert
+ name: istiod-ca-cert
+ - downwardAPI:
+ items:
+ - fieldRef:
+ fieldPath: metadata.labels
+ path: labels
+ - fieldRef:
+ fieldPath: metadata.annotations
+ path: annotations
+ name: podinfo
+ - emptyDir: {}
+ name: istio-envoy
+ - emptyDir: {}
+ name: istio-data
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: istio-ca
+ expirationSeconds: 43200
+ path: istio-token
+ - configMap:
+ name: istio
+ optional: true
+ name: config-volume
+ - name: ingressgateway-certs
+ secret:
+ optional: true
+ secretName: istio-ingressgateway-certs
+ - name: ingressgateway-ca-certs
+ secret:
+ optional: true
+ secretName: istio-ingressgateway-ca-certs
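Review bot: The `istio-proxy` container's `securityContext` sets no `seccompProfile`, and the same commit comments out `patches/seccomp-istio-ingressgateway.yaml` in `kustomization.yaml`, so nothing visible in this change pins a seccomp profile for the ingress gateway pod any more. The content of the disabled patch is not shown here; presumably it set `RuntimeDefault`, as the istiod patch name suggests. Because this manifest is now maintained by hand, the setting can live in the file itself: add `seccompProfile:` with `type: RuntimeDefault` under the container `securityContext`, next to `readOnlyRootFilesystem: true`. The file also hard-codes `docker.io/istio/proxyv2:1.24.2` separately from the `tag` in the generated manifest, so a header comment saying how the file was produced and that the image must be bumped together with istiod would help the next upgrade.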
diff --git a/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml b/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml
new file mode 100644
index 0000000000..78c0d98040
--- /dev/null
+++ b/common/istio-1-24/istio-install/base/istio-ingressgateway-service.yaml
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations: null
+ labels:
+ app: istio-ingressgateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: ingressgateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ ports:
+ - name: status-port
+ port: 15021
+ protocol: TCP
+ targetPort: 15021
+ - name: http2
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ type: LoadBalancer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: istio-ingressgateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: ingressgateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway-service-account
+ namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ install.operator.istio.io/owning-resource: unknown
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway-sds
+ namespace: istio-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-ingressgateway-sds
+subjects:
+- kind: ServiceAccount
+ name: istio-ingressgateway-service-account
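Review bot: The `RoleBinding` at the end of this file refers to the `Role` `istio-ingressgateway-sds`, but this commit deletes that Role (get/watch/list on `secrets`) from the generated manifest, and neither of the new ingress-gateway files shown here defines it. Unless the Role is added in a part of the commit outside this view, the binding grants nothing and `istio-ingressgateway-service-account` loses the read access to secrets in `istio-system` that the removed Role provided. Adding the Role document to this file, with the same three read-only verbs and no wider, keeps the binding resolvable. The file also holds a ServiceAccount and a RoleBinding besides the Service, so a name that reflects that would make the RBAC easier to find in review.

```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    install.operator.istio.io/owning-resource: unknown
    istio.io/rev: default
    operator.istio.io/component: IngressGateways
    release: istio
  name: istio-ingressgateway-sds
  namespace: istio-system
rules:
- apiGroups:
  - ''
  resources:
  - secrets
  verbs:
  - get
  - watch
  - list
```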
diff --git a/common/istio-1-23/istio-install/base/kustomization.yaml b/common/istio-1-24/istio-install/base/kustomization.yaml
similarity index 69%
rename from common/istio-1-23/istio-install/base/kustomization.yaml
rename to common/istio-1-24/istio-install/base/kustomization.yaml
index 37d6f0b36e..71e491be0f 100644
--- a/common/istio-1-23/istio-install/base/kustomization.yaml
+++ b/common/istio-1-24/istio-install/base/kustomization.yaml
@@ -8,12 +8,14 @@ resources:
- gateway_authorizationpolicy.yaml
- deny_all_authorizationpolicy.yaml
- gateway.yaml
+- istio-ingressgateway-service.yaml
+- istio-ingressgateway-deployment.yaml
patches:
- path: patches/service.yaml
- path: patches/istio-configmap-disable-tracing.yaml
- path: patches/disable-debugging.yaml
-- path: patches/istio-ingressgateway-remove-pdb.yaml
+# - path: patches/istio-ingressgateway-remove-pdb.yaml
- path: patches/istiod-remove-pdb.yaml
-- path: patches/seccomp-istio-ingressgateway.yaml
+# - path: patches/seccomp-istio-ingressgateway.yaml
- path: patches/seccomp-istiod.yaml
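Review bot: Commenting out `patches/seccomp-istio-ingressgateway.yaml` drops the seccomp patch for the ingress gateway while the istiod one stays active, and the hunk gives no reason. If the new `istio-ingressgateway-deployment.yaml` (not visible here) already sets `seccompProfile`, say so in a comment and remove both the dead entry and the patch file that is still renamed into `common/istio-1-24`. Otherwise restore `- path: patches/seccomp-istio-ingressgateway.yaml`, so the ingress proxy does not run with less syscall filtering than the control plane. The same applies to the commented-out `istio-ingressgateway-remove-pdb.yaml` entry, since a disabled patch left as a bare comment reads as an accident to whoever does the next upgrade.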
diff --git a/common/istio-1-23/istio-install/base/patches/disable-debugging.yaml b/common/istio-1-24/istio-install/base/patches/disable-debugging.yaml
similarity index 100%
rename from common/istio-1-23/istio-install/base/patches/disable-debugging.yaml
rename to common/istio-1-24/istio-install/base/patches/disable-debugging.yaml
diff --git a/common/istio-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml
similarity index 100%
rename from common/istio-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml
rename to common/istio-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml
diff --git a/common/istio-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
similarity index 100%
rename from common/istio-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
rename to common/istio-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
diff --git a/common/istio-1-23/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-1-24/istio-install/base/patches/istiod-remove-pdb.yaml
similarity index 100%
rename from common/istio-1-23/istio-install/base/patches/istiod-remove-pdb.yaml
rename to common/istio-1-24/istio-install/base/patches/istiod-remove-pdb.yaml
diff --git a/common/istio-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
similarity index 100%
rename from common/istio-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
rename to common/istio-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
diff --git a/common/istio-1-23/istio-install/base/patches/seccomp-istiod.yaml b/common/istio-1-24/istio-install/base/patches/seccomp-istiod.yaml
similarity index 100%
rename from common/istio-1-23/istio-install/base/patches/seccomp-istiod.yaml
rename to common/istio-1-24/istio-install/base/patches/seccomp-istiod.yaml
diff --git a/common/istio-1-23/istio-install/base/patches/service.yaml b/common/istio-1-24/istio-install/base/patches/service.yaml
similarity index 100%
rename from common/istio-1-23/istio-install/base/patches/service.yaml
rename to common/istio-1-24/istio-install/base/patches/service.yaml
diff --git a/common/istio-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml
similarity index 100%
rename from common/istio-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml
rename to common/istio-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml
diff --git a/common/istio-1-23/istio-namespace/base/kustomization.yaml b/common/istio-1-24/istio-namespace/base/kustomization.yaml
similarity index 100%
rename from common/istio-1-23/istio-namespace/base/kustomization.yaml
rename to common/istio-1-24/istio-namespace/base/kustomization.yaml
diff --git a/common/istio-1-23/istio-namespace/base/namespace.yaml b/common/istio-1-24/istio-namespace/base/namespace.yaml
similarity index 100%
rename from common/istio-1-23/istio-namespace/base/namespace.yaml
rename to common/istio-1-24/istio-namespace/base/namespace.yaml
diff --git a/common/istio-1-23/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-1-24/kubeflow-istio-resources/base/cluster-roles.yaml
similarity index 100%
rename from common/istio-1-23/kubeflow-istio-resources/base/cluster-roles.yaml
rename to common/istio-1-24/kubeflow-istio-resources/base/cluster-roles.yaml
diff --git a/common/istio-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml
similarity index 100%
rename from common/istio-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml
rename to common/istio-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml
diff --git a/common/istio-1-23/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-1-24/kubeflow-istio-resources/base/kustomization.yaml
similarity index 100%
rename from common/istio-1-23/kubeflow-istio-resources/base/kustomization.yaml
rename to common/istio-1-24/kubeflow-istio-resources/base/kustomization.yaml
diff --git a/common/istio-1-23/profile-overlay.yaml b/common/istio-1-24/profile-overlay.yaml
similarity index 100%
rename from common/istio-1-23/profile-overlay.yaml
rename to common/istio-1-24/profile-overlay.yaml
diff --git a/common/istio-1-23/profile.yaml b/common/istio-1-24/profile.yaml
similarity index 97%
rename from common/istio-1-23/profile.yaml
rename to common/istio-1-24/profile.yaml
index 077b0c86d2..838edaf5fb 100644
--- a/common/istio-1-23/profile.yaml
+++ b/common/istio-1-24/profile.yaml
@@ -14,7 +14,7 @@ spec:
enabled: true
hub: docker.io/istio
profile: default
- tag: 1.23.2
+ tag: 1.24.2
values:
defaultRevision: ""
gateways:
diff --git a/common/istio-1-23/split-istio-packages b/common/istio-1-24/split-istio-packages
similarity index 100%
rename from common/istio-1-23/split-istio-packages
rename to common/istio-1-24/split-istio-packages
diff --git a/common/istio-cni-1-23/README.md b/common/istio-cni-1-24/README.md
similarity index 100%
rename from common/istio-cni-1-23/README.md
rename to common/istio-cni-1-24/README.md
diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml
similarity index 81%
rename from common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml
rename to common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml
index 45441c6a4f..149e7623c2 100644
--- a/common/istio-cni-1-23/cluster-local-gateway/base/cluster-local-gateway.yaml
+++ b/common/istio-cni-1-24/cluster-local-gateway/base/cluster-local-gateway.yaml
@@ -3,6 +3,12 @@ kind: ServiceAccount
metadata:
labels:
app: cluster-local-gateway
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -16,6 +22,12 @@ kind: Deployment
metadata:
labels:
app: cluster-local-gateway
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -42,7 +54,13 @@ spec:
sidecar.istio.io/inject: 'false'
labels:
app: cluster-local-gateway
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
chart: gateways
+ helm.sh/chart: istio-ingress-1.24.2
heritage: Tiller
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
@@ -109,7 +127,8 @@ spec:
- name: ISTIO_META_WORKLOAD_NAME
value: cluster-local-gateway
- name: ISTIO_META_OWNER
- value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
+ value:
+ kubernetes://apis/apps/v1/namespaces/istio-system/deployments/cluster-local-gateway
- name: ISTIO_META_MESH_ID
value: cluster.local
- name: TRUST_DOMAIN
@@ -122,7 +141,7 @@ spec:
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- image: docker.io/istio/proxyv2:1.23.2
+ image: docker.io/istio/proxyv2:1.24.2
name: istio-proxy
ports:
- containerPort: 15020
@@ -235,6 +254,12 @@ kind: PodDisruptionBudget
metadata:
labels:
app: cluster-local-gateway
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -253,6 +278,12 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: IngressGateways
@@ -273,6 +304,12 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: IngressGateways
@@ -292,6 +329,12 @@ kind: HorizontalPodAutoscaler
metadata:
labels:
app: cluster-local-gateway
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -320,6 +363,12 @@ metadata:
annotations:
labels:
app: cluster-local-gateway
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-ingressgateway
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istio-ingress-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: cluster-local-gateway
istio.io/rev: default
@@ -331,11 +380,9 @@ spec:
ports:
- name: status-port
port: 15020
- protocol: TCP
targetPort: 15020
- name: http2
port: 80
- protocol: TCP
targetPort: 8080
selector:
app: cluster-local-gateway
diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
similarity index 100%
rename from common/istio-cni-1-23/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
rename to common/istio-cni-1-24/cluster-local-gateway/base/gateway-authorizationpolicy.yaml
diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/gateway.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/gateway.yaml
similarity index 100%
rename from common/istio-cni-1-23/cluster-local-gateway/base/gateway.yaml
rename to common/istio-cni-1-24/cluster-local-gateway/base/gateway.yaml
diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/kustomization.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-23/cluster-local-gateway/base/kustomization.yaml
rename to common/istio-cni-1-24/cluster-local-gateway/base/kustomization.yaml
diff --git a/common/istio-cni-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml b/common/istio-cni-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml
similarity index 100%
rename from common/istio-cni-1-23/cluster-local-gateway/base/patches/remove-pdb.yaml
rename to common/istio-cni-1-24/cluster-local-gateway/base/patches/remove-pdb.yaml
diff --git a/common/istio-1-23/istio-crds/base/crd.yaml b/common/istio-cni-1-24/istio-crds/base/crd.yaml
similarity index 84%
rename from common/istio-1-23/istio-crds/base/crd.yaml
rename to common/istio-cni-1-24/istio-crds/base/crd.yaml
index 33de713fcc..f194ef7520 100644
--- a/common/istio-1-23/istio-crds/base/crd.yaml
+++ b/common/istio-cni-1-24/istio-crds/base/crd.yaml
@@ -4,11 +4,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: security
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: authorizationpolicies.security.istio.io
spec:
group: security.istio.io
@@ -256,9 +256,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -290,12 +291,85 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or selector can be set
+ rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -535,9 +609,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -569,12 +644,85 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or selector can be set
+ rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -590,10 +738,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: destinationrules.networking.istio.io
spec:
group: networking.istio.io
@@ -931,8 +1080,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of
+ Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of
+ traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -1277,9 +1452,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration
+ of Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed
+ of traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of
- Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than
@@ -1771,8 +1971,32 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of traffic
+ increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -2111,8 +2335,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of
+ Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of
+ traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -2350,6 +2600,74 @@ spec:
- host
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -2679,8 +2997,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of
+ Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of
+ traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -3025,9 +3369,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration
+ of Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed
+ of traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of
- Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than
@@ -3519,8 +3888,32 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of traffic
+ increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -3859,8 +4252,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of
+ Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of
+ traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -4098,6 +4517,74 @@ spec:
- host
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -4427,8 +4914,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of
+ Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of
+ traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -4773,9 +5286,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration
+ of Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed
+ of traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater
+ than 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of
- Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than
@@ -5267,8 +5805,32 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of traffic
+ increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -5607,8 +6169,34 @@ spec:
- ROUND_ROBIN
- LEAST_REQUEST
type: string
+ warmup:
+ description: Represents the warmup configuration of
+ Service.
+ properties:
+ aggression:
+ description: This parameter controls the speed of
+ traffic increase over the warmup duration.
+ format: double
+ minimum: 1
+ nullable: true
+ type: number
+ duration:
+ type: string
+ x-kubernetes-validations:
+ - message: must be a valid duration greater than
+ 1ms
+ rule: duration(self) >= duration('1ms')
+ minimumPercent:
+ format: double
+ maximum: 100
+ minimum: 0
+ nullable: true
+ type: number
+ required:
+ - duration
+ type: object
warmupDurationSecs:
- description: Represents the warmup duration of Service.
+ description: 'Deprecated: use `warmup` instead.'
type: string
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
@@ -5846,7 +6434,75 @@ spec:
- host
type: object
status:
- type: object
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
+ type: object
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
@@ -5861,10 +6517,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: envoyfilters.networking.istio.io
spec:
group: networking.istio.io
@@ -6156,9 +6813,11 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
workloadSelector:
description: Criteria used to select the specific set of pods/VMs
@@ -6166,13 +6825,89 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or workloadSelector can be set
+ rule: (has(self.workloadSelector)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6188,10 +6923,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: gateways.networking.istio.io
spec:
group: networking.istio.io
@@ -6361,6 +7097,74 @@ spec:
type: array
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6522,6 +7326,74 @@ spec:
type: array
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6683,6 +7555,74 @@ spec:
type: array
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6698,11 +7638,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: security
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: peerauthentications.security.istio.io
spec:
group: security.istio.io
@@ -6802,6 +7742,74 @@ spec:
rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size()
> 0) || !has(self.portLevelMtls)
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6893,6 +7901,74 @@ spec:
rule: (has(self.selector) && has(self.selector.matchLabels) && self.selector.matchLabels.size()
> 0) || !has(self.portLevelMtls)
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6908,10 +7984,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: proxyconfigs.networking.istio.io
spec:
group: networking.istio.io
@@ -6974,6 +8051,74 @@ spec:
type: object
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -6989,11 +8134,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: security
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: requestauthentications.security.istio.io
spec:
group: security.istio.io
@@ -7175,9 +8320,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -7209,15 +8355,85 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
type: object
x-kubernetes-validations:
- - message: only one of targetRefs or workloadSelector can be set
+ - message: only one of targetRefs or selector can be set
rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -7391,9 +8607,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -7425,34 +8642,105 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
type: object
x-kubernetes-validations:
- - message: only one of targetRefs or workloadSelector can be set
+ - message: only one of targetRefs or selector can be set
rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: serviceentries.networking.istio.io
spec:
group: networking.istio.io
@@ -7501,7 +8789,9 @@ spec:
addresses:
description: The virtual IP addresses associated with the service.
items:
+ maxLength: 64
type: string
+ maxItems: 256
type: array
endpoints:
description: One or more endpoints associated with the service.
@@ -7514,11 +8804,11 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
- \ '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
+ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
- rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
- \ true"
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :
+ true"
labels:
additionalProperties:
type: string
@@ -7563,8 +8853,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))\
- \ ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))
+ ? !has(self.ports) : true"
maxItems: 4096
type: array
exportTo:
@@ -7576,6 +8866,11 @@ spec:
description: The hosts associated with the ServiceEntry.
items:
type: string
+ x-kubernetes-validations:
+ - message: hostname cannot be wildcard
+ rule: self != '*'
+ maxItems: 256
+ minItems: 1
type: array
location:
description: |-
@@ -7592,14 +8887,19 @@ spec:
properties:
name:
description: Label assigned to the port.
+ maxLength: 256
type: string
number:
description: A valid non-negative integer port number.
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
protocol:
description: The protocol exposed on the port.
+ maxLength: 256
type: string
targetPort:
description: The port number on the endpoint where the traffic
@@ -7607,11 +8907,21 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
required:
- number
- name
type: object
+ maxItems: 256
type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: port number cannot be duplicated
+ rule: self.all(l1, self.exists_one(l2, l1.number == l2.number))
resolution:
description: |-
Service resolution mode for the hosts.
@@ -7634,17 +8944,106 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
required:
- hosts
type: object
+ x-kubernetes-validations:
+ - message: only one of WorkloadSelector or Endpoints can be set
+ rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1
+ - message: CIDR addresses are allowed only for NONE/STATIC resolution
+ types
+ rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))
+ && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution
+ != 'NONE'))"
+ - message: NONE mode cannot set endpoints
+ rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)
+ : true"
+ - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
+ rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')
+ ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
type: object
served: true
storage: false
@@ -7683,7 +9082,9 @@ spec:
addresses:
description: The virtual IP addresses associated with the service.
items:
+ maxLength: 64
type: string
+ maxItems: 256
type: array
endpoints:
description: One or more endpoints associated with the service.
@@ -7696,11 +9097,11 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
- \ '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
+ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
- rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
- \ true"
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :
+ true"
labels:
additionalProperties:
type: string
@@ -7745,8 +9146,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))\
- \ ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))
+ ? !has(self.ports) : true"
maxItems: 4096
type: array
exportTo:
@@ -7758,6 +9159,11 @@ spec:
description: The hosts associated with the ServiceEntry.
items:
type: string
+ x-kubernetes-validations:
+ - message: hostname cannot be wildcard
+ rule: self != '*'
+ maxItems: 256
+ minItems: 1
type: array
location:
description: |-
@@ -7774,14 +9180,19 @@ spec:
properties:
name:
description: Label assigned to the port.
+ maxLength: 256
type: string
number:
description: A valid non-negative integer port number.
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
protocol:
description: The protocol exposed on the port.
+ maxLength: 256
type: string
targetPort:
description: The port number on the endpoint where the traffic
@@ -7789,11 +9200,21 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
required:
- number
- name
type: object
+ maxItems: 256
type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: port number cannot be duplicated
+ rule: self.all(l1, self.exists_one(l2, l1.number == l2.number))
resolution:
description: |-
Service resolution mode for the hosts.
@@ -7816,17 +9237,106 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
required:
- hosts
type: object
+ x-kubernetes-validations:
+ - message: only one of WorkloadSelector or Endpoints can be set
+ rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1
+ - message: CIDR addresses are allowed only for NONE/STATIC resolution
+ types
+ rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))
+ && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution
+ != 'NONE'))"
+ - message: NONE mode cannot set endpoints
+ rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)
+ : true"
+ - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
+ rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')
+ ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
type: object
served: true
storage: false
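Review bot: The `NONE mode cannot set endpoints` rule added at spec level also fires when `resolution` is omitted, because its condition starts with `!has(self.resolution) ||`, yet the message only mentions NONE. A ServiceEntry that lists `endpoints` without an explicit `resolution` is therefore rejected with an explanation that does not match what the author wrote; a clearer message would be `endpoints cannot be set when resolution is NONE or unset`. The same rule is added again in the hunk at `@@ -7998,17 +9530,106 @@`. The labels elsewhere in this file (`helm.sh/chart: base-1.24.2`) suggest it is rendered from the upstream chart, so the wording would have to change there. For this repository, the practical step is to run the existing ServiceEntry manifests through `kubectl apply --dry-run=server` against the new CRD before rollout, since objects the older schema accepted may start failing admission on their next update.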
@@ -7865,7 +9375,9 @@ spec:
addresses:
description: The virtual IP addresses associated with the service.
items:
+ maxLength: 64
type: string
+ maxItems: 256
type: array
endpoints:
description: One or more endpoints associated with the service.
@@ -7878,11 +9390,11 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
- \ '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
+ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
- rule: "self.startsWith('unix://') ? !self.endsWith('/') :\
- \ true"
+ rule: "self.startsWith('unix://') ? !self.endsWith('/') :
+ true"
labels:
additionalProperties:
type: string
@@ -7927,8 +9439,8 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))\
- \ ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))
+ ? !has(self.ports) : true"
maxItems: 4096
type: array
exportTo:
@@ -7940,6 +9452,11 @@ spec:
description: The hosts associated with the ServiceEntry.
items:
type: string
+ x-kubernetes-validations:
+ - message: hostname cannot be wildcard
+ rule: self != '*'
+ maxItems: 256
+ minItems: 1
type: array
location:
description: |-
@@ -7956,14 +9473,19 @@ spec:
properties:
name:
description: Label assigned to the port.
+ maxLength: 256
type: string
number:
description: A valid non-negative integer port number.
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
protocol:
description: The protocol exposed on the port.
+ maxLength: 256
type: string
targetPort:
description: The port number on the endpoint where the traffic
@@ -7971,11 +9493,21 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
required:
- number
- name
type: object
+ maxItems: 256
type: array
+ x-kubernetes-list-map-keys:
+ - name
+ x-kubernetes-list-type: map
+ x-kubernetes-validations:
+ - message: port number cannot be duplicated
+ rule: self.all(l1, self.exists_one(l2, l1.number == l2.number))
resolution:
description: |-
Service resolution mode for the hosts.
@@ -7998,17 +9530,106 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
required:
- hosts
type: object
+ x-kubernetes-validations:
+ - message: only one of WorkloadSelector or Endpoints can be set
+ rule: (has(self.workloadSelector)?1:0)+(has(self.endpoints)?1:0)<=1
+ - message: CIDR addresses are allowed only for NONE/STATIC resolution
+ types
+ rule: "!(has(self.addresses) && self.addresses.exists(k, k.contains('/'))
+ && (has(self.resolution) && self.resolution != 'STATIC' && self.resolution
+ != 'NONE'))"
+ - message: NONE mode cannot set endpoints
+ rule: "(!has(self.resolution) || self.resolution == 'NONE') ? !has(self.endpoints)
+ : true"
+ - message: DNS_ROUND_ROBIN mode cannot have multiple endpoints
+ rule: "(has(self.resolution) && self.resolution == 'DNS_ROUND_ROBIN')
+ ? (!has(self.endpoints) || size(self.endpoints) == 1) : true"
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
type: object
served: true
storage: true
@@ -8022,10 +9643,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: sidecars.networking.istio.io
spec:
group: networking.istio.io
@@ -8451,7 +10073,8 @@ spec:
type: object
type: array
outboundTrafficPolicy:
- description: Configuration for the outbound traffic policy.
+ description: Set the default behavior of the sidecar for handling
+ outbound traffic from the application.
properties:
egressProxy:
properties:
@@ -8489,13 +10112,86 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -8915,7 +10611,8 @@ spec:
type: object
type: array
outboundTrafficPolicy:
- description: Configuration for the outbound traffic policy.
+ description: Set the default behavior of the sidecar for handling
+ outbound traffic from the application.
properties:
egressProxy:
properties:
@@ -8953,13 +10650,86 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -9379,7 +11149,8 @@ spec:
type: object
type: array
outboundTrafficPolicy:
- description: Configuration for the outbound traffic policy.
+ description: Set the default behavior of the sidecar for handling
+ outbound traffic from the application.
properties:
egressProxy:
properties:
@@ -9417,39 +11188,112 @@ spec:
properties:
labels:
additionalProperties:
+ maxLength: 63
type: string
+ x-kubernetes-validations:
+ - message: wildcard is not supported in selector
+ rule: "!self.contains('*')"
description: One or more labels that indicate a specific set of
pods/VMs on which the configuration should be applied.
+ maxProperties: 256
type: object
type: object
type: object
status:
- type: object
- x-kubernetes-preserve-unknown-fields: true
- type: object
- served: true
- storage: true
- subresources:
- status: {}
-
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- helm.sh/resource-policy: keep
- labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- istio: telemetry
- release: istio
- name: telemetries.telemetry.istio.io
-spec:
- group: telemetry.istio.io
- names:
- categories:
- - istio-io
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
+ type: object
+ x-kubernetes-preserve-unknown-fields: true
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ helm.sh/resource-policy: keep
+ labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
+ name: telemetries.telemetry.istio.io
+spec:
+ group: telemetry.istio.io
+ names:
+ categories:
+ - istio-io
- telemetry-istio-io
kind: Telemetry
listKind: TelemetryList
@@ -9599,11 +11443,11 @@ spec:
type: object
x-kubernetes-validations:
- message: value must be set when operation is UPSERT
- rule: "((has(self.operation) ? self.operation : '')\
- \ == 'UPSERT') ? self.value != '' : true"
+ rule: "((has(self.operation) ? self.operation : '')
+ == 'UPSERT') ? self.value != '' : true"
- message: value must not be set when operation is REMOVE
- rule: "((has(self.operation) ? self.operation : '')\
- \ == 'REMOVE') ? !has(self.value) : true"
+ rule: "((has(self.operation) ? self.operation : '')
+ == 'REMOVE') ? !has(self.value) : true"
description: Optional.
type: object
type: object
@@ -9677,9 +11521,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -9711,9 +11556,11 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
tracing:
description: Optional.
@@ -9825,7 +11672,78 @@ spec:
type: object
type: array
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or selector can be set
+ rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
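Review bot: The message on the new spec-level rule reads `only one of targetRefs or selector can be set`, but the rule itself counts three fields: `selector`, `targetRef` and `targetRefs`. A Telemetry that sets `targetRef` together with `selector` or `targetRefs` is rejected with a message that never names the field at fault; it should read `only one of targetRef, targetRefs or selector can be set`. The hunk at `@@ -10199,7 +12120,78 @@` adds the identical rule and needs the same wording. This file appears to be rendered from the upstream chart, so the change would have to be made there to survive regeneration. The `spec` object that the rule is attached to starts outside the hunk.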
@@ -9973,11 +11891,11 @@ spec:
type: object
x-kubernetes-validations:
- message: value must be set when operation is UPSERT
- rule: "((has(self.operation) ? self.operation : '')\
- \ == 'UPSERT') ? self.value != '' : true"
+ rule: "((has(self.operation) ? self.operation : '')
+ == 'UPSERT') ? self.value != '' : true"
- message: value must not be set when operation is REMOVE
- rule: "((has(self.operation) ? self.operation : '')\
- \ == 'REMOVE') ? !has(self.value) : true"
+ rule: "((has(self.operation) ? self.operation : '')
+ == 'REMOVE') ? !has(self.value) : true"
description: Optional.
type: object
type: object
@@ -10051,9 +11969,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -10085,9 +12004,11 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
tracing:
description: Optional.
@@ -10199,7 +12120,78 @@ spec:
type: object
type: array
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or selector can be set
+ rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -10215,10 +12207,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: virtualservices.networking.istio.io
spec:
group: networking.istio.io
@@ -11195,6 +13188,74 @@ spec:
type: array
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -12163,6 +14224,74 @@ spec:
type: array
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -13131,6 +15260,74 @@ spec:
type: array
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
type: object
@@ -13146,10 +15343,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: wasmplugins.extensions.istio.io
spec:
group: extensions.istio.io
@@ -13319,9 +15517,10 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
targetRefs:
description: Optional.
items:
@@ -13353,9 +15552,11 @@ spec:
- name
type: object
x-kubernetes-validations:
- - message: Support kinds are core/Service and gateway.networking.k8s.io/Gateway
- rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],\
- \ ['gateway.networking.k8s.io','Gateway']]"
+ - message: Support kinds are core/Service, networking.istio.io/ServiceEntry,
+ gateway.networking.k8s.io/Gateway
+ rule: "[self.group, self.kind] in [['core','Service'], ['','Service'],
+ ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
+ maxItems: 16
type: array
type:
description: |-
@@ -13373,9 +15574,9 @@ spec:
type: string
x-kubernetes-validations:
- message: url must have schema one of [http, https, file, oci]
- rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',\
- \ 'oci', 'file']) : (isURL('http://' + self) && url('http://'\
- \ +self).getScheme() in ['', 'http', 'https', 'oci', 'file'])"
+ rule: "isURL(self) ? (url(self).getScheme() in ['', 'http', 'https',
+ 'oci', 'file']) : (isURL('http://' + self) && url('http://' +self).getScheme()
+ in ['', 'http', 'https', 'oci', 'file'])"
verificationKey:
type: string
vmConfig:
@@ -13409,8 +15610,8 @@ spec:
type: object
x-kubernetes-validations:
- message: value may only be set when valueFrom is INLINE
- rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'\
- \ || !has(self.value)"
+ rule: "(has(self.valueFrom) ? self.valueFrom : '') != 'HOST'
+ || !has(self.value)"
maxItems: 256
type: array
x-kubernetes-list-map-keys:
@@ -13420,7 +15621,78 @@ spec:
required:
- url
type: object
+ x-kubernetes-validations:
+ - message: only one of targetRefs or selector can be set
+ rule: (has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
required:
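Review bot: The message on the validation added at the top of this hunk names only `targetRefs` and `selector`, but the rule also counts `targetRef`. A WasmPlugin rejected for combining `selector` with `targetRef` therefore gets an error that does not mention the field at fault. `message: only one of targetRefs, targetRef or selector can be set` would match the rule. The labels suggest this CRD is rendered from the upstream Istio base chart, so the wording is better corrected upstream than patched in this vendored copy.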
@@ -13438,10 +15710,11 @@ metadata:
annotations:
helm.sh/resource-policy: keep
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: workloadentries.networking.istio.io
spec:
group: networking.istio.io
@@ -13485,8 +15758,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
- \ || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'
+ || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -13533,15 +15806,81 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
- \ : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)
+ : true"
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- spec
- - spec
- - spec
type: object
served: true
storage: false
@@ -13575,8 +15914,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
- \ || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'
+ || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -13623,15 +15962,81 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
- \ : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)
+ : true"
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- spec
- - spec
- - spec
type: object
served: true
storage: false
@@ -13665,8 +16070,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'\
- \ || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) == '/'
+ || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -13713,15 +16118,81 @@ spec:
- message: Address is required
rule: has(self.address) || has(self.network)
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)\
- \ : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://')) ? !has(self.ports)
+ : true"
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- spec
- - spec
- - spec
type: object
served: true
storage: true
@@ -13733,10 +16204,11 @@ apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
labels:
- app: istio-pilot
- chart: istio
- heritage: Tiller
- release: istio
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
name: workloadgroups.networking.istio.io
spec:
group: networking.istio.io
@@ -13775,10 +16247,12 @@ spec:
annotations:
additionalProperties:
type: string
+ maxProperties: 256
type: object
labels:
additionalProperties:
type: string
+ maxProperties: 256
type: object
type: object
probe:
@@ -13807,13 +16281,17 @@ spec:
command:
description: Command to run.
items:
+ minLength: 1
type: string
type: array
+ required:
+ - command
type: object
failureThreshold:
description: Minimum consecutive failures for the probe to be
considered failed after having succeeded.
format: int32
+ minimum: 0
type: integer
httpGet:
description: '`httpGet` is performed to a given endpoint and the
@@ -13828,6 +16306,7 @@ spec:
items:
properties:
name:
+ pattern: ^[-_A-Za-z0-9]+$
type: string
value:
type: string
@@ -13841,8 +16320,14 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
scheme:
type: string
+ x-kubernetes-validations:
+ - message: scheme must be one of [HTTP, HTTPS]
+ rule: self in ['', 'HTTP', 'HTTPS']
required:
- port
type: object
@@ -13850,15 +16335,18 @@ spec:
description: Number of seconds after the container has started
before readiness probes are initiated.
format: int32
+ minimum: 0
type: integer
periodSeconds:
description: How often (in seconds) to perform the probe.
format: int32
+ minimum: 0
type: integer
successThreshold:
description: Minimum consecutive successes for the probe to be
considered successful after having failed.
format: int32
+ minimum: 0
type: integer
tcpSocket:
description: Health is determined by if the proxy is able to connect.
@@ -13869,12 +16357,16 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
required:
- port
type: object
timeoutSeconds:
description: Number of seconds after which the probe times out.
format: int32
+ minimum: 0
type: integer
type: object
template:
@@ -13888,8 +16380,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
- \ '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
+ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -13934,14 +16426,84 @@ spec:
type: object
x-kubernetes-validations:
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))\
- \ ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))
+ ? !has(self.ports) : true"
required:
- template
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
type: object
served: true
storage: false
@@ -13970,10 +16532,12 @@ spec:
annotations:
additionalProperties:
type: string
+ maxProperties: 256
type: object
labels:
additionalProperties:
type: string
+ maxProperties: 256
type: object
type: object
probe:
@@ -14002,13 +16566,17 @@ spec:
command:
description: Command to run.
items:
+ minLength: 1
type: string
type: array
+ required:
+ - command
type: object
failureThreshold:
description: Minimum consecutive failures for the probe to be
considered failed after having succeeded.
format: int32
+ minimum: 0
type: integer
httpGet:
description: '`httpGet` is performed to a given endpoint and the
@@ -14023,6 +16591,7 @@ spec:
items:
properties:
name:
+ pattern: ^[-_A-Za-z0-9]+$
type: string
value:
type: string
@@ -14036,8 +16605,14 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
scheme:
type: string
+ x-kubernetes-validations:
+ - message: scheme must be one of [HTTP, HTTPS]
+ rule: self in ['', 'HTTP', 'HTTPS']
required:
- port
type: object
@@ -14045,15 +16620,18 @@ spec:
description: Number of seconds after the container has started
before readiness probes are initiated.
format: int32
+ minimum: 0
type: integer
periodSeconds:
description: How often (in seconds) to perform the probe.
format: int32
+ minimum: 0
type: integer
successThreshold:
description: Minimum consecutive successes for the probe to be
considered successful after having failed.
format: int32
+ minimum: 0
type: integer
tcpSocket:
description: Health is determined by if the proxy is able to connect.
@@ -14064,12 +16642,16 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
required:
- port
type: object
timeoutSeconds:
description: Number of seconds after which the probe times out.
format: int32
+ minimum: 0
type: integer
type: object
template:
@@ -14083,8 +16665,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
- \ '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
+ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -14129,14 +16711,84 @@ spec:
type: object
x-kubernetes-validations:
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))\
- \ ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))
+ ? !has(self.ports) : true"
required:
- template
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
type: object
served: true
storage: false
@@ -14165,10 +16817,12 @@ spec:
annotations:
additionalProperties:
type: string
+ maxProperties: 256
type: object
labels:
additionalProperties:
type: string
+ maxProperties: 256
type: object
type: object
probe:
@@ -14197,13 +16851,17 @@ spec:
command:
description: Command to run.
items:
+ minLength: 1
type: string
type: array
+ required:
+ - command
type: object
failureThreshold:
description: Minimum consecutive failures for the probe to be
considered failed after having succeeded.
format: int32
+ minimum: 0
type: integer
httpGet:
description: '`httpGet` is performed to a given endpoint and the
@@ -14218,6 +16876,7 @@ spec:
items:
properties:
name:
+ pattern: ^[-_A-Za-z0-9]+$
type: string
value:
type: string
@@ -14231,8 +16890,14 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
scheme:
type: string
+ x-kubernetes-validations:
+ - message: scheme must be one of [HTTP, HTTPS]
+ rule: self in ['', 'HTTP', 'HTTPS']
required:
- port
type: object
@@ -14240,15 +16905,18 @@ spec:
description: Number of seconds after the container has started
before readiness probes are initiated.
format: int32
+ minimum: 0
type: integer
periodSeconds:
description: How often (in seconds) to perform the probe.
format: int32
+ minimum: 0
type: integer
successThreshold:
description: Minimum consecutive successes for the probe to be
considered successful after having failed.
format: int32
+ minimum: 0
type: integer
tcpSocket:
description: Health is determined by if the proxy is able to connect.
@@ -14259,12 +16927,16 @@ spec:
maximum: 4294967295
minimum: 0
type: integer
+ x-kubernetes-validations:
+ - message: port must be between 1-65535
+ rule: 0 < self && self <= 65535
required:
- port
type: object
timeoutSeconds:
description: Number of seconds after which the probe times out.
format: int32
+ minimum: 0
type: integer
type: object
template:
@@ -14278,8 +16950,8 @@ spec:
type: string
x-kubernetes-validations:
- message: UDS must be an absolute path or abstract socket
- rule: "self.startsWith('unix://') ? (self.substring(7,8) ==\
- \ '/' || self.substring(7,8) == '@') : true"
+ rule: "self.startsWith('unix://') ? (self.substring(7,8) ==
+ '/' || self.substring(7,8) == '@') : true"
- message: UDS may not be a dir
rule: "self.startsWith('unix://') ? !self.endsWith('/') : true"
labels:
@@ -14324,14 +16996,84 @@ spec:
type: object
x-kubernetes-validations:
- message: UDS may not include ports
- rule: "(has(self.address) && self.address.startsWith('unix://'))\
- \ ? !has(self.ports) : true"
+ rule: "(has(self.address) && self.address.startsWith('unix://'))
+ ? !has(self.ports) : true"
required:
- template
type: object
status:
+ properties:
+ conditions:
+ description: Current service state of the resource.
+ items:
+ properties:
+ lastProbeTime:
+ description: Last time we probed the condition.
+ format: date-time
+ type: string
+ lastTransitionTime:
+ description: Last time the condition transitioned from one status
+ to another.
+ format: date-time
+ type: string
+ message:
+ description: Human-readable message indicating details about
+ last transition.
+ type: string
+ reason:
+ description: Unique, one-word, CamelCase reason for the condition's
+ last transition.
+ type: string
+ status:
+ description: Status is the status of the condition.
+ type: string
+ type:
+ description: Type is the type of the condition.
+ type: string
+ type: object
+ type: array
+ observedGeneration:
+ anyOf:
+ - type: integer
+ - type: string
+ description: Resource Generation to which the Reconciled Condition
+ refers.
+ x-kubernetes-int-or-string: true
+ validationMessages:
+ description: Includes any errors or warnings detected by Istio's analyzers.
+ items:
+ properties:
+ documentationUrl:
+ description: A url pointing to the Istio documentation for this
+ specific error type.
+ type: string
+ level:
+ description: |-
+ Represents how severe a message is.
+
+ Valid Options: UNKNOWN, ERROR, WARNING, INFO
+ enum:
+ - UNKNOWN
+ - ERROR
+ - WARNING
+ - INFO
+ type: string
+ type:
+ properties:
+ code:
+ description: A 7 character code matching `^IST[0-9]{4}$`
+ intended to uniquely identify the message type.
+ type: string
+ name:
+ description: A human-readable name for the message type.
+ type: string
+ type: object
+ type: object
+ type: array
type: object
x-kubernetes-preserve-unknown-fields: true
+ required:
+ - spec
type: object
served: true
storage: true
diff --git a/common/istio-cni-1-23/istio-crds/base/kustomization.yaml b/common/istio-cni-1-24/istio-crds/base/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-crds/base/kustomization.yaml
rename to common/istio-cni-1-24/istio-crds/base/kustomization.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/deny_all_authorizationpolicy.yaml b/common/istio-cni-1-24/istio-install/base/deny_all_authorizationpolicy.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/deny_all_authorizationpolicy.yaml
rename to common/istio-cni-1-24/istio-install/base/deny_all_authorizationpolicy.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/gateway.yaml b/common/istio-cni-1-24/istio-install/base/gateway.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/gateway.yaml
rename to common/istio-cni-1-24/istio-install/base/gateway.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/gateway_authorizationpolicy.yaml b/common/istio-cni-1-24/istio-install/base/gateway_authorizationpolicy.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/gateway_authorizationpolicy.yaml
rename to common/istio-cni-1-24/istio-install/base/gateway_authorizationpolicy.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/install.yaml b/common/istio-cni-1-24/istio-install/base/install.yaml
similarity index 89%
rename from common/istio-cni-1-23/istio-install/base/install.yaml
rename to common/istio-cni-1-24/istio-install/base/install.yaml
index 7d8c7688c3..e9db53193d 100644
--- a/common/istio-cni-1-23/istio-install/base/install.yaml
+++ b/common/istio-cni-1-24/istio-install/base/install.yaml
@@ -3,6 +3,12 @@ kind: ServiceAccount
metadata:
labels:
app: istio-cni
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-cni
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: cni-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -12,22 +18,15 @@ metadata:
---
apiVersion: v1
kind: ServiceAccount
-metadata:
- labels:
- app: istio-ingressgateway
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway-service-account
- namespace: istio-system
----
-apiVersion: v1
-kind: ServiceAccount
metadata:
labels:
app: istio-reader
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-reader
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: base-1.24.2
release: istio
name: istio-reader-service-account
namespace: istio-system
@@ -37,6 +36,12 @@ kind: ServiceAccount
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod
namespace: istio-system
@@ -46,6 +51,12 @@ kind: ClusterRole
metadata:
labels:
app: istio-cni
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-cni
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: cni-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -68,6 +79,12 @@ kind: ClusterRole
metadata:
labels:
app: istio-cni
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-cni
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: cni-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -95,6 +112,12 @@ kind: ClusterRole
metadata:
labels:
app: istio-reader
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-reader
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istio-reader-clusterrole-istio-system
rules:
@@ -203,6 +226,12 @@ kind: ClusterRole
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod-clusterrole-istio-system
rules:
@@ -255,6 +284,7 @@ rules:
- networking.istio.io
resources:
- workloadentries/status
+ - serviceentries/status
verbs:
- get
- watch
@@ -264,15 +294,29 @@ rules:
- create
- delete
- apiGroups:
- - networking.istio.io
+ - security.istio.io
resources:
- - serviceentries/status
+ - authorizationpolicies/status
verbs:
- get
- watch
- list
- update
- patch
+ - create
+ - delete
+- apiGroups:
+ - ''
+ resources:
+ - services/status
+ verbs:
+ - get
+ - watch
+ - list
+ - update
+ - patch
+ - create
+ - delete
- apiGroups:
- apiextensions.k8s.io
resources:
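Review bot: The two rules added to `istiod-clusterrole-istio-system` in this hunk grant `create` and `delete` on `authorizationpolicies/status` and on core `services/status`, but status subresources are written only with `update`/`patch`, so those verbs add nothing. More relevant for least privilege, the `services/status` rule lets the istiod service account rewrite the status of every Service in the cluster, which is new with this version bump. It looks like it is only needed for status reporting features this sidecar + CNI profile may not use, so it is worth confirming before accepting the rendered output as-is. If it is not required, a kustomize patch in this overlay could drop the rule or trim it to `get`, `watch`, `list`, `update`, `patch`. The ClusterRole's rule list begins and ends outside this hunk.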
@@ -339,7 +383,6 @@ rules:
verbs:
- create
- apiGroups:
- - networking.x-k8s.io
- gateway.networking.k8s.io
resources:
- '*'
@@ -348,10 +391,17 @@ rules:
- watch
- list
- apiGroups:
- - networking.x-k8s.io
- gateway.networking.k8s.io
resources:
- - '*'
+ - backendtlspolicies/status
+ - gatewayclasses/status
+ - gateways/status
+ - grpcroutes/status
+ - httproutes/status
+ - referencegrants/status
+ - tcproutes/status
+ - tlsroutes/status
+ - udproutes/status
verbs:
- update
- patch
@@ -396,6 +446,12 @@ kind: ClusterRole
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod-gateway-controller-istio-system
rules:
@@ -441,6 +497,12 @@ kind: ClusterRoleBinding
metadata:
labels:
app: istio-cni
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-cni
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: cni-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -459,6 +521,12 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-cni
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: cni-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
k8s-app: istio-cni-repair
@@ -479,6 +547,12 @@ kind: ClusterRoleBinding
metadata:
labels:
app: istio-reader
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-reader
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istio-reader-clusterrole-istio-system
roleRef:
@@ -495,6 +569,12 @@ kind: ClusterRoleBinding
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod-clusterrole-istio-system
roleRef:
@@ -511,6 +591,12 @@ kind: ClusterRoleBinding
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod-gateway-controller-istio-system
roleRef:
@@ -527,6 +613,12 @@ kind: ValidatingWebhookConfiguration
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
istio: istiod
istio.io/rev: default
release: istio
@@ -581,6 +673,12 @@ data:
kind: ConfigMap
metadata:
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -594,8 +692,7 @@ data:
AMBIENT_ENABLED: 'false'
AMBIENT_IPV6: 'true'
CHAINED_CNI_PLUGIN: 'true'
- CNI_NET_DIR: /etc/cni/net.d
- CURRENT_AGENT_VERSION: 1.23.2
+ CURRENT_AGENT_VERSION: 1.24.2
EXCLUDED_NAMESPACES: kube-system
REPAIR_BROKEN_POD_LABEL_KEY: cni.istio.io/uninitialized
REPAIR_BROKEN_POD_LABEL_VALUE: 'true'
@@ -608,6 +705,12 @@ kind: ConfigMap
metadata:
labels:
app: istio-cni
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-cni
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: cni-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Cni
@@ -655,7 +758,7 @@ data:
{{- end }}
{{- end }}
{{- end }}
- {{ $nativeSidecar := (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true") }}
+ {{ $nativeSidecar := (or (and (not (isset .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`)) (eq (env "ENABLE_NATIVE_SIDECARS" "false") "true")) (eq (index .ObjectMeta.Annotations `sidecar.istio.io/nativeSidecar`) "true")) }}
{{- $containers := list }}
{{- range $index, $container := .Spec.Containers }}{{ if not (eq $container.Name "istio-proxy") }}{{ $containers = append $containers $container.Name }}{{end}}{{- end}}
metadata:
@@ -676,8 +779,8 @@ data:
kubectl.kubernetes.io/default-container: "{{ index $containers 0 }}",
{{- end }}
{{- end }}
- {{- if or .Values.pilot.cni.enabled .Values.istio_cni.enabled }}
- {{- if or (eq .Values.pilot.cni.provider "multus") (eq .Values.istio_cni.provider "multus") (not .Values.istio_cni.chained)}}
+ {{- if .Values.pilot.cni.enabled }}
+ {{- if eq .Values.pilot.cni.provider "multus" }}
k8s.v1.cni.cncf.io/networks: '{{ appendMultusNetwork (index .ObjectMeta.Annotations `k8s.v1.cni.cncf.io/networks`) `default/istio-cni` }}',
{{- end }}
sidecar.istio.io/interceptionMode: "{{ annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode }}",
@@ -701,7 +804,7 @@ data:
(not $nativeSidecar) }}
initContainers:
{{ if ne (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `NONE` }}
- {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}}
+ {{ if .Values.pilot.cni.enabled -}}
- name: istio-validation
{{ else -}}
- name: istio-init
@@ -753,9 +856,11 @@ data:
{{ if .Values.global.logAsJson -}}
- "--log_as_json"
{{ end -}}
- {{ if or .Values.pilot.cni.enabled .Values.istio_cni.enabled -}}
+ {{ if .Values.pilot.cni.enabled -}}
- "--run-validation"
- "--skip-rule-apply"
+ {{ else if .Values.global.proxy_init.forceApplyIptables -}}
+ - "--force-apply"
{{ end -}}
{{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
{{- if .ProxyConfig.ProxyMetadata }}
@@ -771,14 +876,14 @@ data:
allowPrivilegeEscalation: {{ .Values.global.proxy.privileged }}
privileged: {{ .Values.global.proxy.privileged }}
capabilities:
- {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }}
+ {{- if not .Values.pilot.cni.enabled }}
add:
- NET_ADMIN
- NET_RAW
{{- end }}
drop:
- ALL
- {{- if not (or .Values.pilot.cni.enabled .Values.istio_cni.enabled) }}
+ {{- if not .Values.pilot.cni.enabled }}
readOnlyRootFilesystem: false
runAsGroup: 0
runAsNonRoot: false
@@ -790,34 +895,6 @@ data:
runAsNonRoot: true
{{- end }}
{{ end -}}
- {{- if eq (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
- - name: enable-core-dump
- args:
- - -c
- - sysctl -w kernel.core_pattern=/var/lib/istio/data/core.proxy && ulimit -c unlimited
- command:
- - /bin/sh
- {{- if contains "/" (annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image) }}
- image: "{{ annotation .ObjectMeta `sidecar.istio.io/proxyImage` .Values.global.proxy_init.image }}"
- {{- else }}
- image: "{{ .ProxyImage }}"
- {{- end }}
- {{with .Values.global.imagePullPolicy }}imagePullPolicy: "{{.}}"{{end}}
- resources:
- {{ template "resources" . }}
- securityContext:
- allowPrivilegeEscalation: true
- capabilities:
- add:
- - SYS_ADMIN
- drop:
- - ALL
- privileged: true
- readOnlyRootFilesystem: false
- runAsGroup: 0
- runAsNonRoot: false
- runAsUser: 0
- {{ end }}
{{ if not $nativeSidecar }}
containers:
{{ end }}
@@ -1013,7 +1090,7 @@ data:
drop:
- ALL
privileged: true
- readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ readOnlyRootFilesystem: true
runAsGroup: {{ .ProxyGID | default "1337" }}
runAsNonRoot: false
runAsUser: 0
@@ -1032,7 +1109,7 @@ data:
drop:
- ALL
privileged: {{ .Values.global.proxy.privileged }}
- readOnlyRootFilesystem: {{ ne (annotation .ObjectMeta `sidecar.istio.io/enableCoreDump` .Values.global.proxy.enableCoreDump) "true" }}
+ readOnlyRootFilesystem: true
runAsGroup: {{ .ProxyGID | default "1337" }}
{{ if or (eq (annotation .ObjectMeta `sidecar.istio.io/interceptionMode` .ProxyConfig.InterceptionMode) `TPROXY`) (eq (annotation .ObjectMeta `sidecar.istio.io/capNetBindService` .Values.global.proxy.capNetBindService) `true`) -}}
runAsNonRoot: false
@@ -1061,10 +1138,6 @@ data:
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
{{- end }}
- {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
- - mountPath: /var/run/secrets/istio/kubernetes
- name: kube-ca-cert
- {{- end }}
- mountPath: /var/lib/istio/data
name: istio-data
{{ if (isset .ObjectMeta.Annotations `sidecar.istio.io/bootstrapOverride`) }}
@@ -1140,11 +1213,6 @@ data:
configMap:
name: istio-ca-root-cert
{{- end }}
- {{- if eq .Values.global.pilotCertProvider "kubernetes" }}
- - name: kube-ca-cert
- configMap:
- name: kube-root-ca.crt
- {{- end }}
{{- if .Values.global.mountMtlsCerts }}
# Use the key and cert mounted to /etc/certs/ for the in-cluster mTLS communications.
- name: istio-certs
@@ -1815,7 +1883,6 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
) | nindent 4 }}
{{- if ge .KubeVersion 128 }}
# Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
@@ -1838,7 +1905,6 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
"gateway.istio.io/managed" "istio.io-mesh-controller"
) | nindent 4 }}
ownerReferences:
@@ -1872,15 +1938,33 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
"gateway.istio.io/managed" "istio.io-mesh-controller"
) | nindent 8}}
spec:
+ {{- if .Values.global.waypoint.affinity }}
+ affinity:
+ {{- toYaml .Values.global.waypoint.affinity | nindent 8 }}
+ {{- end }}
+ {{- if .Values.global.waypoint.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml .Values.global.waypoint.topologySpreadConstraints | nindent 8 }}
+ {{- end }}
+ {{- if .Values.global.waypoint.nodeSelector }}
+ nodeSelector:
+ {{- toYaml .Values.global.waypoint.nodeSelector | nindent 8 }}
+ {{- end }}
+ {{- if .Values.global.waypoint.tolerations }}
+ tolerations:
+ {{- toYaml .Values.global.waypoint.tolerations | nindent 8 }}
+ {{- end }}
terminationGracePeriodSeconds: 2
serviceAccountName: {{.ServiceAccount | quote}}
containers:
- name: istio-proxy
ports:
+ - containerPort: 15020
+ name: metrics
+ protocol: TCP
- containerPort: 15021
name: status-port
protocol: TCP
@@ -1987,13 +2071,10 @@ data:
- name: ISTIO_META_MESH_ID
value: "{{ (valueOrDefault .MeshConfig.TrustDomain .Values.global.trustDomain) }}"
{{- end }}
+ {{- if .Values.global.waypoint.resources }}
resources:
- limits:
- cpu: "2"
- memory: 1Gi
- requests:
- cpu: 100m
- memory: 128Mi
+ {{- toYaml .Values.global.waypoint.resources | nindent 10 }}
+ {{- end }}
startupProbe:
failureThreshold: 30
httpGet:
@@ -2016,8 +2097,10 @@ data:
timeoutSeconds: 1
securityContext:
privileged: false
+ {{- if not (eq .Values.global.platform "openshift") }}
runAsGroup: 1337
runAsUser: 1337
+ {{- end }}
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
@@ -2029,8 +2112,8 @@ data:
{{- toYaml .Values.gateways.seccompProfile | nindent 12 }}
{{- end }}
volumeMounts:
- - name: workload-socket
- mountPath: /var/run/secrets/workload-spiffe-uds
+ - mountPath: /var/run/secrets/workload-spiffe-uds
+ name: workload-socket
- mountPath: /var/run/secrets/istio
name: istiod-ca-cert
- mountPath: /var/lib/istio/data
@@ -2084,13 +2167,19 @@ data:
kind: Service
metadata:
annotations:
- {{ toJsonMap (omit .InfrastructureAnnotations "kubectl.kubernetes.io/last-applied-configuration" "gateway.istio.io/name-override" "gateway.istio.io/service-account" "gateway.istio.io/controller-version") | nindent 4 }}
+ {{ toJsonMap
+ (strdict "networking.istio.io/traffic-distribution" "PreferClose")
+ (omit .InfrastructureAnnotations
+ "kubectl.kubernetes.io/last-applied-configuration"
+ "gateway.istio.io/name-override"
+ "gateway.istio.io/service-account"
+ "gateway.istio.io/controller-version"
+ ) | nindent 4 }}
labels:
{{- toJsonMap
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
) | nindent 4 }}
name: {{.DeploymentName | quote}}
namespace: {{.Namespace | quote}}
@@ -2128,7 +2217,6 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
) | nindent 4 }}
{{- if ge .KubeVersion 128 }}
# Safe since 1.28: https://github.com/kubernetes/kubernetes/pull/117412
@@ -2151,7 +2239,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
+ "gateway.istio.io/managed" "istio.io-gateway-controller"
) | nindent 4 }}
ownerReferences:
- apiVersion: gateway.networking.k8s.io/v1beta1
@@ -2183,7 +2271,7 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
+ "gateway.istio.io/managed" "istio.io-gateway-controller"
) | nindent 8 }}
spec:
securityContext:
@@ -2222,6 +2310,9 @@ data:
runAsGroup: {{ .ProxyGID | default "1337" }}
runAsNonRoot: true
ports:
+ - containerPort: 15020
+ name: metrics
+ protocol: TCP
- containerPort: 15021
name: status-port
protocol: TCP
@@ -2435,7 +2526,6 @@ data:
.InfrastructureLabels
(strdict
"gateway.networking.k8s.io/gateway-name" .Name
- "istio.io/gateway-name" .Name
) | nindent 4 }}
name: {{.DeploymentName | quote}}
namespace: {{.Namespace | quote}}
@@ -2445,6 +2535,7 @@ data:
name: {{.Name}}
uid: {{.UID}}
spec:
+ ipFamilyPolicy: PreferDualStack
ports:
{{- range $key, $val := .Ports }}
- name: {{ $val.Name | quote }}
@@ -2466,7 +2557,6 @@ data:
"securityContext": {}
},
"global": {
- "autoscalingv2API": true,
"caAddress": "",
"caName": "",
"certSigners": [],
@@ -2480,7 +2570,6 @@ data:
"cpu": "10m"
}
},
- "enabled": true,
"externalIstiod": false,
"hub": "docker.io/istio",
"imagePullPolicy": "",
@@ -2500,7 +2589,6 @@ data:
"clusterName": "",
"enabled": false
},
- "namespace": "istio-system",
"network": "",
"omitSidecarInjectorConfigMap": false,
"operatorManageWebhooks": false,
@@ -2510,7 +2598,6 @@ data:
"autoInject": "enabled",
"clusterDomain": "cluster.local",
"componentLogLevel": "misc:error",
- "enableCoreDump": false,
"excludeIPRanges": "",
"excludeInboundPorts": "",
"excludeOutboundPorts": "",
@@ -2542,6 +2629,7 @@ data:
"tracer": "none"
},
"proxy_init": {
+ "forceApplyIptables": false,
"image": "proxyv2"
},
"remotePilotAddress": "",
@@ -2553,17 +2641,28 @@ data:
"sts": {
"servicePort": 0
},
- "tag": "1.23.2",
- "variant": ""
- },
- "istio_cni": {
- "chained": true,
- "enabled": true,
- "provider": "default"
+ "tag": "1.24.2",
+ "variant": "",
+ "waypoint": {
+ "affinity": {},
+ "nodeSelector": {},
+ "resources": {
+ "limits": {
+ "cpu": "2",
+ "memory": "1Gi"
+ },
+ "requests": {
+ "cpu": "100m",
+ "memory": "128Mi"
+ }
+ },
+ "tolerations": [],
+ "topologySpreadConstraints": []
+ }
},
"pilot": {
"cni": {
- "enabled": false,
+ "enabled": true,
"provider": "default"
}
},
@@ -2582,6 +2681,12 @@ data:
kind: ConfigMap
metadata:
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -2594,6 +2699,12 @@ kind: MutatingWebhookConfiguration
metadata:
labels:
app: sidecar-injector
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -2745,6 +2856,12 @@ apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-cni
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: cni-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
k8s-app: istio-cni-node
@@ -2759,11 +2876,18 @@ spec:
template:
metadata:
annotations:
+ container.apparmor.security.beta.kubernetes.io/install-cni: unconfined
prometheus.io/path: /metrics
prometheus.io/port: '15014'
prometheus.io/scrape: 'true'
sidecar.istio.io/inject: 'false'
labels:
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istio-cni
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: cni-1.24.2
istio.io/dataplane-mode: none
k8s-app: istio-cni-node
sidecar.istio.io/inject: 'false'
@@ -2806,8 +2930,12 @@ spec:
envFrom:
- configMapRef:
name: istio-cni-config
- image: docker.io/istio/install-cni:1.23.2
+ image: docker.io/istio/install-cni:1.24.2
name: install-cni
+ ports:
+ - containerPort: 15014
+ name: metrics
+ protocol: TCP
readinessProbe:
httpGet:
path: /readyz
@@ -2821,10 +2949,12 @@ spec:
add:
- NET_ADMIN
- NET_RAW
+ - SYS_PTRACE
- SYS_ADMIN
+ - DAC_OVERRIDE
drop:
- ALL
- privileged: true
+ privileged: false
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
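Review bot: `privileged: false` on the `install-cni` container is a smaller reduction than it looks. This hunk adds `SYS_PTRACE` and `DAC_OVERRIDE` next to the existing `SYS_ADMIN`, `NET_ADMIN` and `NET_RAW`, the container still runs as UID 0, and the pod-template hunk earlier in this DaemonSet adds `container.apparmor.security.beta.kubernetes.io/install-cni: unconfined`. The container should still be treated as node-privileged when deciding which namespaces and Pod Security levels it may run under, and the upgrade notes should say so. The AppArmor setting uses the beta annotation, which Kubernetes 1.30 deprecated in favour of `securityContext.appArmorProfile`, so it is worth confirming the target cluster versions still honour it. The container spec continues outside this hunk.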
@@ -2875,228 +3005,15 @@ spec:
---
apiVersion: apps/v1
kind: Deployment
-metadata:
- labels:
- app: istio-ingressgateway
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway
- namespace: istio-system
-spec:
- selector:
- matchLabels:
- app: istio-ingressgateway
- istio: ingressgateway
- strategy:
- rollingUpdate:
- maxSurge: 100%
- maxUnavailable: 25%
- template:
- metadata:
- annotations:
- istio.io/rev: default
- prometheus.io/path: /stats/prometheus
- prometheus.io/port: '15020'
- prometheus.io/scrape: 'true'
- sidecar.istio.io/inject: 'false'
- labels:
- app: istio-ingressgateway
- chart: gateways
- heritage: Tiller
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- service.istio.io/canonical-name: istio-ingressgateway
- service.istio.io/canonical-revision: latest
- sidecar.istio.io/inject: 'false'
- spec:
- affinity:
- nodeAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- requiredDuringSchedulingIgnoredDuringExecution:
- containers:
- - args:
- - proxy
- - router
- - --domain
- - $(POD_NAMESPACE).svc.cluster.local
- - --proxyLogLevel=warning
- - --proxyComponentLogLevel=misc:error
- - --log_output_level=default:info
- env:
- - name: PILOT_CERT_PROVIDER
- value: istiod
- - name: CA_ADDR
- value: istiod.istio-system.svc:15012
- - name: NODE_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: spec.nodeName
- - name: POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.podIP
- - name: HOST_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.hostIP
- - name: ISTIO_CPU_LIMIT
- valueFrom:
- resourceFieldRef:
- resource: limits.cpu
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- fieldPath: spec.serviceAccountName
- - name: ISTIO_META_WORKLOAD_NAME
- value: istio-ingressgateway
- - name: ISTIO_META_OWNER
- value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
- - name: ISTIO_META_MESH_ID
- value: cluster.local
- - name: TRUST_DOMAIN
- value: cluster.local
- - name: ISTIO_META_UNPRIVILEGED_POD
- value: 'true'
- - name: ISTIO_META_CLUSTER_ID
- value: Kubernetes
- - name: ISTIO_META_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- image: docker.io/istio/proxyv2:1.23.2
- name: istio-proxy
- ports:
- - containerPort: 15021
- protocol: TCP
- - containerPort: 8080
- protocol: TCP
- - containerPort: 8443
- protocol: TCP
- - containerPort: 15090
- name: http-envoy-prom
- protocol: TCP
- readinessProbe:
- failureThreshold: 30
- httpGet:
- path: /healthz/ready
- port: 15021
- scheme: HTTP
- initialDelaySeconds: 1
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 1
- resources:
- limits:
- cpu: 2000m
- memory: 1024Mi
- requests:
- cpu: 100m
- memory: 128Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- volumeMounts:
- - mountPath: /var/run/secrets/workload-spiffe-uds
- name: workload-socket
- - mountPath: /var/run/secrets/credential-uds
- name: credential-socket
- - mountPath: /var/run/secrets/workload-spiffe-credentials
- name: workload-certs
- - mountPath: /etc/istio/proxy
- name: istio-envoy
- - mountPath: /etc/istio/config
- name: config-volume
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
- - mountPath: /var/run/secrets/tokens
- name: istio-token
- readOnly: true
- - mountPath: /var/lib/istio/data
- name: istio-data
- - mountPath: /etc/istio/pod
- name: podinfo
- - mountPath: /etc/istio/ingressgateway-certs
- name: ingressgateway-certs
- readOnly: true
- - mountPath: /etc/istio/ingressgateway-ca-certs
- name: ingressgateway-ca-certs
- readOnly: true
- securityContext:
- runAsGroup: 1337
- runAsNonRoot: true
- runAsUser: 1337
- serviceAccountName: istio-ingressgateway-service-account
- volumes:
- - emptyDir: {}
- name: workload-socket
- - emptyDir: {}
- name: credential-socket
- - emptyDir: {}
- name: workload-certs
- - configMap:
- name: istio-ca-root-cert
- name: istiod-ca-cert
- - downwardAPI:
- items:
- - fieldRef:
- fieldPath: metadata.labels
- path: labels
- - fieldRef:
- fieldPath: metadata.annotations
- path: annotations
- name: podinfo
- - emptyDir: {}
- name: istio-envoy
- - emptyDir: {}
- name: istio-data
- - name: istio-token
- projected:
- sources:
- - serviceAccountToken:
- audience: istio-ca
- expirationSeconds: 43200
- path: istio-token
- - configMap:
- name: istio
- optional: true
- name: config-volume
- - name: ingressgateway-certs
- secret:
- optional: true
- secretName: istio-ingressgateway-certs
- - name: ingressgateway-ca-certs
- secret:
- optional: true
- secretName: istio-ingressgateway-ca-certs
----
-apiVersion: apps/v1
-kind: Deployment
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
@@ -3120,6 +3037,12 @@ spec:
sidecar.istio.io/inject: 'false'
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/dataplane-mode: none
@@ -3173,17 +3096,27 @@ spec:
- name: GOMAXPROCS
valueFrom:
resourceFieldRef:
+ divisor: '1'
resource: limits.cpu
- name: PLATFORM
value: ''
- image: docker.io/istio/pilot:1.23.2
+ image: docker.io/istio/pilot:1.24.2
name: discovery
ports:
- containerPort: 8080
+ name: http-debug
protocol: TCP
- containerPort: 15010
+ name: grpc-xds
+ protocol: TCP
+ - containerPort: 15012
+ name: tls-xds
protocol: TCP
- containerPort: 15017
+ name: https-webhooks
+ protocol: TCP
+ - containerPort: 15014
+ name: http-monitoring
protocol: TCP
readinessProbe:
httpGet:
@@ -3256,28 +3189,15 @@ spec:
---
apiVersion: policy/v1
kind: PodDisruptionBudget
-metadata:
- labels:
- app: istio-ingressgateway
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway
- namespace: istio-system
-spec:
- minAvailable: 1
- selector:
- matchLabels:
- app: istio-ingressgateway
- istio: ingressgateway
----
-apiVersion: policy/v1
-kind: PodDisruptionBudget
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
@@ -3294,29 +3214,15 @@ spec:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
-metadata:
- labels:
- install.operator.istio.io/owning-resource: unknown
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway-sds
- namespace: istio-system
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - watch
- - list
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod
namespace: istio-system
@@ -3356,27 +3262,15 @@ rules:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
-metadata:
- labels:
- install.operator.istio.io/owning-resource: unknown
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway-sds
- namespace: istio-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: istio-ingressgateway-sds
-subjects:
-- kind: ServiceAccount
- name: istio-ingressgateway-service-account
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
release: istio
name: istiod
namespace: istio-system
@@ -3391,36 +3285,15 @@ subjects:
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
-metadata:
- labels:
- app: istio-ingressgateway
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway
- namespace: istio-system
-spec:
- maxReplicas: 5
- metrics:
- - resource:
- name: cpu
- target:
- averageUtilization: 80
- type: Utilization
- type: Resource
- minReplicas: 1
- scaleTargetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: istio-ingressgateway
----
-apiVersion: autoscaling/v2
-kind: HorizontalPodAutoscaler
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio.io/rev: default
operator.istio.io/component: Pilot
@@ -3444,41 +3317,15 @@ spec:
---
apiVersion: v1
kind: Service
-metadata:
- annotations:
- labels:
- app: istio-ingressgateway
- install.operator.istio.io/owning-resource: unknown
- istio: ingressgateway
- istio.io/rev: default
- operator.istio.io/component: IngressGateways
- release: istio
- name: istio-ingressgateway
- namespace: istio-system
-spec:
- ports:
- - name: status-port
- port: 15021
- protocol: TCP
- targetPort: 15021
- - name: http2
- port: 80
- protocol: TCP
- targetPort: 8080
- - name: https
- port: 443
- protocol: TCP
- targetPort: 8443
- selector:
- app: istio-ingressgateway
- istio: ingressgateway
- type: LoadBalancer
----
-apiVersion: v1
-kind: Service
metadata:
labels:
app: istiod
+ app.kubernetes.io/instance: istio
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: istiod
+ app.kubernetes.io/part-of: istio
+ app.kubernetes.io/version: 1.24.2
+ helm.sh/chart: istiod-1.24.2
install.operator.istio.io/owning-resource: unknown
istio: pilot
istio.io/rev: default
diff --git a/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-deployment.yaml b/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
new file mode 100644
index 0000000000..45a37d7f8f
--- /dev/null
+++ b/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-deployment.yaml
@@ -0,0 +1,218 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: istio-ingressgateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: ingressgateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ selector:
+ matchLabels:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ strategy:
+ rollingUpdate:
+ maxSurge: 100%
+ maxUnavailable: 25%
+ template:
+ metadata:
+ annotations:
+ istio.io/rev: default
+ prometheus.io/path: /stats/prometheus
+ prometheus.io/port: "15020"
+ prometheus.io/scrape: "true"
+ sidecar.istio.io/inject: "false"
+ labels:
+ app: istio-ingressgateway
+ chart: gateways
+ heritage: Tiller
+ install.operator.istio.io/owning-resource: unknown
+ istio: ingressgateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ service.istio.io/canonical-name: istio-ingressgateway
+ service.istio.io/canonical-revision: latest
+ sidecar.istio.io/inject: "false"
+ spec:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution: null
+ requiredDuringSchedulingIgnoredDuringExecution: null
+ containers:
+ - args:
+ - proxy
+ - router
+ - --domain
+ - $(POD_NAMESPACE).svc.cluster.local
+ - --proxyLogLevel=warning
+ - --proxyComponentLogLevel=misc:error
+ - --log_output_level=default:info
+ env:
+ - name: PILOT_CERT_PROVIDER
+ value: istiod
+ - name: CA_ADDR
+ value: istiod.istio-system.svc:15012
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: spec.nodeName
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: INSTANCE_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: HOST_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.hostIP
+ - name: ISTIO_CPU_LIMIT
+ valueFrom:
+ resourceFieldRef:
+ resource: limits.cpu
+ - name: SERVICE_ACCOUNT
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
+ - name: ISTIO_META_WORKLOAD_NAME
+ value: istio-ingressgateway
+ - name: ISTIO_META_OWNER
+ value: kubernetes://apis/apps/v1/namespaces/istio-system/deployments/istio-ingressgateway
+ - name: ISTIO_META_MESH_ID
+ value: cluster.local
+ - name: TRUST_DOMAIN
+ value: cluster.local
+ - name: ISTIO_META_UNPRIVILEGED_POD
+ value: "true"
+ - name: ISTIO_META_CLUSTER_ID
+ value: Kubernetes
+ - name: ISTIO_META_NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ image: docker.io/istio/proxyv2:1.24.2
+ name: istio-proxy
+ ports:
+ - containerPort: 15021
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ - containerPort: 8443
+ protocol: TCP
+ - containerPort: 15090
+ name: http-envoy-prom
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 30
+ httpGet:
+ path: /healthz/ready
+ port: 15021
+ scheme: HTTP
+ initialDelaySeconds: 1
+ periodSeconds: 2
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources:
+ limits:
+ cpu: 2000m
+ memory: 1024Mi
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /var/run/secrets/workload-spiffe-uds
+ name: workload-socket
+ - mountPath: /var/run/secrets/credential-uds
+ name: credential-socket
+ - mountPath: /var/run/secrets/workload-spiffe-credentials
+ name: workload-certs
+ - mountPath: /etc/istio/proxy
+ name: istio-envoy
+ - mountPath: /etc/istio/config
+ name: config-volume
+ - mountPath: /var/run/secrets/istio
+ name: istiod-ca-cert
+ - mountPath: /var/run/secrets/tokens
+ name: istio-token
+ readOnly: true
+ - mountPath: /var/lib/istio/data
+ name: istio-data
+ - mountPath: /etc/istio/pod
+ name: podinfo
+ - mountPath: /etc/istio/ingressgateway-certs
+ name: ingressgateway-certs
+ readOnly: true
+ - mountPath: /etc/istio/ingressgateway-ca-certs
+ name: ingressgateway-ca-certs
+ readOnly: true
+ securityContext:
+ runAsGroup: 1337
+ runAsNonRoot: true
+ runAsUser: 1337
+ serviceAccountName: istio-ingressgateway-service-account
+ volumes:
+ - emptyDir: {}
+ name: workload-socket
+ - emptyDir: {}
+ name: credential-socket
+ - emptyDir: {}
+ name: workload-certs
+ - configMap:
+ name: istio-ca-root-cert
+ name: istiod-ca-cert
+ - downwardAPI:
+ items:
+ - fieldRef:
+ fieldPath: metadata.labels
+ path: labels
+ - fieldRef:
+ fieldPath: metadata.annotations
+ path: annotations
+ name: podinfo
+ - emptyDir: {}
+ name: istio-envoy
+ - emptyDir: {}
+ name: istio-data
+ - name: istio-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: istio-ca
+ expirationSeconds: 43200
+ path: istio-token
+ - configMap:
+ name: istio
+ optional: true
+ name: config-volume
+ - name: ingressgateway-certs
+ secret:
+ optional: true
+ secretName: istio-ingressgateway-certs
+ - name: ingressgateway-ca-certs
+ secret:
+ optional: true
+ secretName: istio-ingressgateway-ca-certs
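Review bot: `image: docker.io/istio/proxyv2:1.24.2` pins the gateway by a mutable tag in a file that is now kept apart from the rendered manifest, so it will presumably stop following the control-plane version when that manifest is regenerated. A header comment such as `# Split out of the rendered Istio manifest; keep the proxyv2 tag in step with istiod.` would make the coupling visible. Pinning by digest (`docker.io/istio/proxyv2:1.24.2@sha256:<digest>`) would make the deployed image reproducible. The container `securityContext` sets no `seccompProfile`; `seccompProfile: {type: RuntimeDefault}` is worth considering alongside the dropped capabilities and read-only root filesystem already set here.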
diff --git a/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-service.yaml b/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-service.yaml
new file mode 100644
index 0000000000..78c0d98040
--- /dev/null
+++ b/common/istio-cni-1-24/istio-install/base/istio-ingressgateway-service.yaml
@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Service
+metadata:
+ annotations: null
+ labels:
+ app: istio-ingressgateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: ingressgateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway
+ namespace: istio-system
+spec:
+ ports:
+ - name: status-port
+ port: 15021
+ protocol: TCP
+ targetPort: 15021
+ - name: http2
+ port: 80
+ protocol: TCP
+ targetPort: 8080
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 8443
+ selector:
+ app: istio-ingressgateway
+ istio: ingressgateway
+ type: LoadBalancer
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app: istio-ingressgateway
+ install.operator.istio.io/owning-resource: unknown
+ istio: ingressgateway
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway-service-account
+ namespace: istio-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ install.operator.istio.io/owning-resource: unknown
+ istio.io/rev: default
+ operator.istio.io/component: IngressGateways
+ release: istio
+ name: istio-ingressgateway-sds
+ namespace: istio-system
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: istio-ingressgateway-sds
+subjects:
+- kind: ServiceAccount
+ name: istio-ingressgateway-service-account
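Review bot: The Service is declared with `type: LoadBalancer`, which on a cloud cluster provisions an externally reachable load balancer for ports 80 and 443 of the ingress gateway unless something overrides it. The kustomization in this commit still lists `patches/service.yaml`, which presumably changes the type, but that patch's content is not visible here. It is worth confirming the rendered type with `kustomize build` and recording the intent next to the field, e.g. `# type is overridden by patches/service.yaml; not meant to be exposed directly`. The RoleBinding also refers to Role `istio-ingressgateway-sds`, which this file does not define, so that Role has to come from another resource in the same base.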
diff --git a/common/istio-cni-1-23/istio-install/base/kustomization.yaml b/common/istio-cni-1-24/istio-install/base/kustomization.yaml
similarity index 67%
rename from common/istio-cni-1-23/istio-install/base/kustomization.yaml
rename to common/istio-cni-1-24/istio-install/base/kustomization.yaml
index bb174d2dfa..e905273b22 100644
--- a/common/istio-cni-1-23/istio-install/base/kustomization.yaml
+++ b/common/istio-cni-1-24/istio-install/base/kustomization.yaml
@@ -6,12 +6,14 @@ resources:
- gateway_authorizationpolicy.yaml
- deny_all_authorizationpolicy.yaml
- gateway.yaml
+- istio-ingressgateway-service.yaml
+- istio-ingressgateway-deployment.yaml
patches:
- path: patches/service.yaml
- path: patches/istio-configmap-disable-tracing.yaml
- path: patches/disable-debugging.yaml
-- path: patches/istio-ingressgateway-remove-pdb.yaml
+# - path: patches/istio-ingressgateway-remove-pdb.yaml
- path: patches/istiod-remove-pdb.yaml
-- path: patches/seccomp-istio-ingressgateway.yaml
+# - path: patches/seccomp-istio-ingressgateway.yaml
- path: patches/seccomp-istiod.yaml
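Review bot: Commenting out `patches/seccomp-istio-ingressgateway.yaml` drops the seccomp hardening of the ingress gateway unless the newly added `istio-ingressgateway-deployment.yaml` sets a profile itself. The pod-level `securityContext` visible in that file sets only `runAsUser`, `runAsGroup` and `runAsNonRoot`; its container-level settings are outside the visible part. Since the Deployment is now a resource of this base, either keep the entry enabled, `- path: patches/seccomp-istio-ingressgateway.yaml`, or move its setting into the Deployment manifest and delete the patch file, which this commit still renames into the 1-24 tree. The disabled `istio-ingressgateway-remove-pdb.yaml` entry has the same problem: a commented-out line with no reason leaves it unclear whether the PodDisruptionBudget is now meant to stay, so a one-line comment such as `# disabled: <reason>` should accompany it. The file begins outside this hunk.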
diff --git a/common/istio-cni-1-23/istio-install/base/patches/disable-debugging.yaml b/common/istio-cni-1-24/istio-install/base/patches/disable-debugging.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/disable-debugging.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/disable-debugging.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml b/common/istio-cni-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/istio-configmap-disable-tracing.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/istio-configmap-disable-tracing.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml b/common/istio-cni-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/istio-ingressgateway-remove-pdb.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/patches/istiod-remove-pdb.yaml b/common/istio-cni-1-24/istio-install/base/patches/istiod-remove-pdb.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/istiod-remove-pdb.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/istiod-remove-pdb.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml b/common/istio-cni-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/seccomp-istio-ingressgateway.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/patches/seccomp-istiod.yaml b/common/istio-cni-1-24/istio-install/base/patches/seccomp-istiod.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/seccomp-istiod.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/seccomp-istiod.yaml
diff --git a/common/istio-cni-1-23/istio-install/base/patches/service.yaml b/common/istio-cni-1-24/istio-install/base/patches/service.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/base/patches/service.yaml
rename to common/istio-cni-1-24/istio-install/base/patches/service.yaml
diff --git a/common/istio-cni-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml b/common/istio-cni-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-install/overlays/oauth2-proxy/kustomization.yaml
rename to common/istio-cni-1-24/istio-install/overlays/oauth2-proxy/kustomization.yaml
diff --git a/common/istio-cni-1-23/istio-namespace/base/kustomization.yaml b/common/istio-cni-1-24/istio-namespace/base/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-namespace/base/kustomization.yaml
rename to common/istio-cni-1-24/istio-namespace/base/kustomization.yaml
diff --git a/common/istio-cni-1-23/istio-namespace/base/namespace.yaml b/common/istio-cni-1-24/istio-namespace/base/namespace.yaml
similarity index 100%
rename from common/istio-cni-1-23/istio-namespace/base/namespace.yaml
rename to common/istio-cni-1-24/istio-namespace/base/namespace.yaml
diff --git a/common/istio-cni-1-23/kubeflow-istio-resources/base/cluster-roles.yaml b/common/istio-cni-1-24/kubeflow-istio-resources/base/cluster-roles.yaml
similarity index 100%
rename from common/istio-cni-1-23/kubeflow-istio-resources/base/cluster-roles.yaml
rename to common/istio-cni-1-24/kubeflow-istio-resources/base/cluster-roles.yaml
diff --git a/common/istio-cni-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml b/common/istio-cni-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml
similarity index 100%
rename from common/istio-cni-1-23/kubeflow-istio-resources/base/kf-istio-resources.yaml
rename to common/istio-cni-1-24/kubeflow-istio-resources/base/kf-istio-resources.yaml
diff --git a/common/istio-cni-1-23/kubeflow-istio-resources/base/kustomization.yaml b/common/istio-cni-1-24/kubeflow-istio-resources/base/kustomization.yaml
similarity index 100%
rename from common/istio-cni-1-23/kubeflow-istio-resources/base/kustomization.yaml
rename to common/istio-cni-1-24/kubeflow-istio-resources/base/kustomization.yaml
diff --git a/common/istio-cni-1-23/profile-overlay.yaml b/common/istio-cni-1-24/profile-overlay.yaml
similarity index 100%
rename from common/istio-cni-1-23/profile-overlay.yaml
rename to common/istio-cni-1-24/profile-overlay.yaml
diff --git a/common/istio-cni-1-23/profile.yaml b/common/istio-cni-1-24/profile.yaml
similarity index 97%
rename from common/istio-cni-1-23/profile.yaml
rename to common/istio-cni-1-24/profile.yaml
index 077b0c86d2..838edaf5fb 100644
--- a/common/istio-cni-1-23/profile.yaml
+++ b/common/istio-cni-1-24/profile.yaml
@@ -14,7 +14,7 @@ spec:
enabled: true
hub: docker.io/istio
profile: default
- tag: 1.23.2
+ tag: 1.24.2
values:
defaultRevision: ""
gateways:
diff --git a/common/istio-cni-1-23/split-istio-packages b/common/istio-cni-1-24/split-istio-packages
similarity index 100%
rename from common/istio-cni-1-23/split-istio-packages
rename to common/istio-cni-1-24/split-istio-packages
diff --git a/common/oauth2-proxy/components/README.md b/common/oauth2-proxy/components/README.md
index 8332d6d5ec..841aa5beba 100644
--- a/common/oauth2-proxy/components/README.md
+++ b/common/oauth2-proxy/components/README.md
@@ -154,9 +154,9 @@ make the following changes to the `example/kustomization.yaml` file:
* use `oauth2-proxy` overlay for istio-install
```
# from
- - ../common/istio-1-23/istio-install/base
+ - ../common/istio-1-24/istio-install/base
# to
- - ../common/istio-1-23/istio-install/overlays/oauth2-proxy
+ - ../common/istio-1-24/istio-install/overlays/oauth2-proxy
```
* change `OIDC Authservice` to `oauth2-proxy for OIDC` and use overlay for m2m
bearer tokens with self-signed in-cluster issuer
@@ -189,12 +189,12 @@ index c1a85789..4a50440c 100644
+++ b/example/kustomization.yaml
@@ -38,11 +38,11 @@ resources:
# Istio
- - ../common/istio-1-23/istio-crds/base
- - ../common/istio-1-23/istio-namespace/base
--- ../common/istio-1-23/istio-install/base
+ - ../common/istio-1-24/istio-crds/base
+ - ../common/istio-1-24/istio-namespace/base
+-- ../common/istio-1-24/istio-install/base
-# OIDC Authservice
-- ../common//oidc-authservice/base
-+- ../common/istio-1-23/istio-install/overlays/oauth2-proxy
++- ../common/istio-1-24/istio-install/overlays/oauth2-proxy
+# oauth2-proxy for OIDC
+- ../common/oauth2-proxy/overlays/m2m-dex-and-kind
# Dex
diff --git a/contrib/kserve/README.md b/contrib/kserve/README.md
index d0ae01118b..3afe5f6841 100644
--- a/contrib/kserve/README.md
+++ b/contrib/kserve/README.md
@@ -61,15 +61,15 @@ For upgrading see [UPGRADE.md](UPGRADE.md)
```
5. Install Istio
```sh
- kubectl apply -k ../../common/istio-1-23/istio-crds/base
- kubectl apply -k ../../common/istio-1-23/istio-namespace/base
- kubectl apply -k ../../common/istio-1-23/istio-install/base
+ kubectl apply -k ../../common/istio-1-24/istio-crds/base
+ kubectl apply -k ../../common/istio-1-24/istio-namespace/base
+ kubectl apply -k ../../common/istio-1-24/istio-install/base
```
6. Install knative
```sh
kubectl apply -k ../../common/knative/knative-serving/overlays/gateways
- kubectl apply -k ../../common/istio-1-23/cluster-local-gateway/base
- kubectl apply -k ../../common/istio-1-23/kubeflow-istio-resources/base
+ kubectl apply -k ../../common/istio-1-24/cluster-local-gateway/base
+ kubectl apply -k ../../common/istio-1-24/kubeflow-istio-resources/base
```
7. Install kserve
```sh
diff --git a/example/kustomization.yaml b/example/kustomization.yaml
index f2bd43d920..a2d369fd80 100644
--- a/example/kustomization.yaml
+++ b/example/kustomization.yaml
@@ -37,9 +37,9 @@ resources:
- ../common/cert-manager/base
- ../common/cert-manager/kubeflow-issuer/base
# Istio
-- ../common/istio-1-23/istio-crds/base
-- ../common/istio-1-23/istio-namespace/base
-- ../common/istio-1-23/istio-install/overlays/oauth2-proxy
+- ../common/istio-1-24/istio-crds/base
+- ../common/istio-1-24/istio-namespace/base
+- ../common/istio-1-24/istio-install/overlays/oauth2-proxy
# oauth2-proxy
# NOTE: only uncomment ONE of the following overlays, depending on your cluster type
- ../common/oauth2-proxy/overlays/m2m-dex-only # for all clusters
@@ -52,7 +52,7 @@ resources:
- ../common/knative/knative-serving/overlays/gateways
# Uncomment the following line if `knative-eventing` is required
# - ../common/knative/knative-eventing/base
-- ../common/istio-1-23/cluster-local-gateway/base
+- ../common/istio-1-24/cluster-local-gateway/base
# Kubeflow namespace
- ../common/kubeflow-namespace/base
# NetworkPolicies
@@ -60,7 +60,7 @@ resources:
# Kubeflow Roles
- ../common/kubeflow-roles/base
# Kubeflow Istio Resources
-- ../common/istio-1-23/kubeflow-istio-resources/base
+- ../common/istio-1-24/kubeflow-istio-resources/base
# Kubeflow Pipelines
diff --git a/hack/trivy_scan.py b/hack/trivy_scan.py
index b93334156e..eaf4bcfaf4 100755
--- a/hack/trivy_scan.py
+++ b/hack/trivy_scan.py
@@ -34,7 +34,7 @@
"automl": "../apps/katib/upstream/installs",
"pipelines": "../apps/pipeline/upstream/env ../apps/kfp-tekton/upstream/env",
"training": "../apps/training-operator/upstream/overlays",
- "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-23/istio-crds/base ../common/istio-1-23/istio-namespace/base ../common/istio-1-23/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-23/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-23/kubeflow-istio-resources/base",
+ "manifests": "../common/cert-manager/cert-manager/base ../common/cert-manager/kubeflow-issuer/base ../common/istio-1-24/istio-crds/base ../common/istio-1-24/istio-namespace/base ../common/istio-1-24/istio-install/overlays/oauth2-proxy ../common/oauth2-proxy/overlays/m2m-self-signed ../common/dex/overlays/oauth2-proxy ../common/knative/knative-serving/overlays/gateways ../common/knative/knative-eventing/base ../common/istio-1-24/cluster-local-gateway/base ../common/kubeflow-namespace/base ../common/kubeflow-roles/base ../common/istio-1-24/kubeflow-istio-resources/base",
"workbenches": "../apps/pvcviewer-controller/upstream/base ../apps/admission-webhook/upstream/overlays ../apps/centraldashboard/overlays ../apps/jupyter/jupyter-web-app/upstream/overlays ../apps/volumes-web-app/upstream/overlays ../apps/tensorboard/tensorboards-web-app/upstream/overlays ../apps/profiles/upstream/overlays ../apps/jupyter/notebook-controller/upstream/overlays ../apps/tensorboard/tensorboard-controller/upstream/overlays",
"serving": "../contrib/kserve - ../contrib/kserve/models-web-app/overlays/kubeflow",
"model-registry": "../apps/model-registry/upstream",
diff --git a/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml b/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml
index 3d34b0f0ab..c4c59cf063 100644
--- a/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml
+++ b/tests/gh-actions/deploy-dex-login-environment/kustomization.yaml
@@ -34,14 +34,14 @@ sortOptions:
resources:
# Istio
-- ../../../common/istio-1-23/istio-crds/base
-- ../../../common/istio-1-23/istio-namespace/base
-- ../../../common/istio-1-23/istio-install/overlays/oauth2-proxy
+- ../../../common/istio-1-24/istio-crds/base
+- ../../../common/istio-1-24/istio-namespace/base
+- ../../../common/istio-1-24/istio-install/overlays/oauth2-proxy
# oauth2-proxy
- ../../../common/oauth2-proxy/overlays/m2m-dex-and-kind
# Dex
- ../../../common/dex/overlays/oauth2-proxy
-- ../../../common/istio-1-23/cluster-local-gateway/base
+- ../../../common/istio-1-24/cluster-local-gateway/base
# Kubeflow namespace
- ../../../common/kubeflow-namespace/base
# NetworkPolicies
@@ -49,7 +49,7 @@ resources:
# Kubeflow Roles
- ../../../common/kubeflow-roles/base
# Kubeflow Istio Resources
-- ../../../common/istio-1-23/kubeflow-istio-resources/base
+- ../../../common/istio-1-24/kubeflow-istio-resources/base
# Central Dashboard
- ../../../apps/centraldashboard/overlays/oauth2-proxy
# Profiles + KFAM
diff --git a/tests/gh-actions/install_istio-cni.sh b/tests/gh-actions/install_istio-cni.sh
index 8077247168..2b34d2b07d 100755
--- a/tests/gh-actions/install_istio-cni.sh
+++ b/tests/gh-actions/install_istio-cni.sh
@@ -1,7 +1,7 @@
#!/bin/bash
set -e
echo "Installing Istio-cni (with ExtAuthZ from oauth2-proxy) ..."
-cd common/istio-cni-1-23
+cd common/istio-cni-1-24
kustomize build istio-crds/base | kubectl apply -f -
kustomize build istio-namespace/base | kubectl apply -f -
kustomize build istio-install/overlays/oauth2-proxy | kubectl apply -f -
diff --git a/tests/gh-actions/install_istio.sh b/tests/gh-actions/install_istio.sh
index 5d8e66d427..89e3de6b4c 100755
--- a/tests/gh-actions/install_istio.sh
+++ b/tests/gh-actions/install_istio.sh
@@ -1,7 +1,7 @@
#!/bin/bash
set -e
echo "Installing Istio (with ExtAuthZ from oauth2-proxy) ..."
-cd common/istio-1-23
+cd common/istio-1-24
kustomize build istio-crds/base | kubectl apply -f -
kustomize build istio-namespace/base | kubectl apply -f -
kustomize build istio-install/overlays/oauth2-proxy | kubectl apply -f -
diff --git a/tests/gh-actions/install_knative-cni.sh b/tests/gh-actions/install_knative-cni.sh
index c3d6a71324..b1ff428994 100755
--- a/tests/gh-actions/install_knative-cni.sh
+++ b/tests/gh-actions/install_knative-cni.sh
@@ -15,8 +15,8 @@ for i in {1..5}; do
done
set -e
-kustomize build common/istio-cni-1-23/cluster-local-gateway/base | kubectl apply -f -
-kustomize build common/istio-cni-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+kustomize build common/istio-cni-1-24/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio-cni-1-24/kubeflow-istio-resources/base | kubectl apply -f -
kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s \
--field-selector=status.phase!=Succeeded
diff --git a/tests/gh-actions/install_knative.sh b/tests/gh-actions/install_knative.sh
index 1d84031d5e..8bbed320ff 100755
--- a/tests/gh-actions/install_knative.sh
+++ b/tests/gh-actions/install_knative.sh
@@ -15,8 +15,8 @@ for i in {1..5}; do
done
set -e
-kustomize build common/istio-1-23/cluster-local-gateway/base | kubectl apply -f -
-kustomize build common/istio-1-23/kubeflow-istio-resources/base | kubectl apply -f -
+kustomize build common/istio-1-24/cluster-local-gateway/base | kubectl apply -f -
+kustomize build common/istio-1-24/kubeflow-istio-resources/base | kubectl apply -f -
kubectl wait --for=condition=Ready pods --all --all-namespaces --timeout=300s \
--field-selector=status.phase!=Succeeded