From c92ba6e30d77827f5192e5a8ddff6002036e4d58 Mon Sep 17 00:00:00 2001 From: "kumahq[bot]" <110050114+kumahq[bot]@users.noreply.github.com> Date: Sat, 13 Jun 2026 13:04:42 +0000 Subject: [PATCH] chore(deps): update docs from repo source 
Signed-off-by: kumahq[bot] <110050114+kumahq[bot]@users.noreply.github.com> --- app/_data/products/mesh.yml | 10 +- .../mesh/2.14.x/raw/crds/access-audit.yaml | 25 + .../2.14.x/raw/crds/access-role-binding.yaml | 25 + .../mesh/2.14.x/raw/crds/access-role.yaml | 25 + .../raw/crds/kuma.io_circuitbreakers.yaml | 50 + .../raw/crds/kuma.io_containerpatches.yaml | 114 ++ .../raw/crds/kuma.io_dataplaneinsights.yaml | 50 + .../2.14.x/raw/crds/kuma.io_dataplanes.yaml | 72 ++ .../raw/crds/kuma.io_externalservices.yaml | 50 + .../raw/crds/kuma.io_faultinjections.yaml | 50 + .../2.14.x/raw/crds/kuma.io_healthchecks.yaml | 50 + .../raw/crds/kuma.io_hostnamegenerators.yaml | 93 ++ .../raw/crds/kuma.io_meshaccesslogs.yaml | 919 ++++++++++++++ .../raw/crds/kuma.io_meshcircuitbreakers.yaml | 1024 +++++++++++++++ .../mesh/2.14.x/raw/crds/kuma.io_meshes.yaml | 52 + .../crds/kuma.io_meshexternalservices.yaml | 350 ++++++ .../raw/crds/kuma.io_meshfaultinjections.yaml | 563 +++++++++ .../raw/crds/kuma.io_meshgatewayconfigs.yaml | 227 ++++ .../crds/kuma.io_meshgatewayinstances.yaml | 356 ++++++ .../raw/crds/kuma.io_meshgatewayroutes.yaml | 50 + .../2.14.x/raw/crds/kuma.io_meshgateways.yaml | 52 + .../crds/kuma.io_meshglobalratelimits.yaml | 603 +++++++++ .../raw/crds/kuma.io_meshhealthchecks.yaml | 397 ++++++ .../raw/crds/kuma.io_meshhttproutes.yaml | 687 ++++++++++ .../raw/crds/kuma.io_meshidentities.yaml | 285 +++++ .../2.14.x/raw/crds/kuma.io_meshinsights.yaml | 50 + .../kuma.io_meshloadbalancingstrategies.yaml | 670 ++++++++++ .../2.14.x/raw/crds/kuma.io_meshmetrics.yaml | 361 ++++++ .../crds/kuma.io_meshmultizoneservices.yaml | 241 ++++ .../2.14.x/raw/crds/kuma.io_meshopas.yaml | 208 ++++ .../kuma.io_meshopentelemetrybackends.yaml | 176 +++ .../raw/crds/kuma.io_meshpassthroughs.yaml | 178 +++ .../raw/crds/kuma.io_meshproxypatches.yaml | 556 +++++++++ .../raw/crds/kuma.io_meshratelimits.yaml | 681 ++++++++++ .../2.14.x/raw/crds/kuma.io_meshretries.yaml | 517 ++++++++ 
.../2.14.x/raw/crds/kuma.io_meshservices.yaml | 234 ++++ .../raw/crds/kuma.io_meshtcproutes.yaml | 294 +++++ .../2.14.x/raw/crds/kuma.io_meshtimeouts.yaml | 479 +++++++ .../2.14.x/raw/crds/kuma.io_meshtlses.yaml | 306 +++++ .../2.14.x/raw/crds/kuma.io_meshtraces.yaml | 356 ++++++ .../crds/kuma.io_meshtrafficpermissions.yaml | 364 ++++++ .../2.14.x/raw/crds/kuma.io_meshtrusts.yaml | 111 ++ .../raw/crds/kuma.io_meshzoneaddresses.yaml | 64 + .../raw/crds/kuma.io_proxytemplates.yaml | 50 + .../2.14.x/raw/crds/kuma.io_ratelimits.yaml | 50 + .../mesh/2.14.x/raw/crds/kuma.io_retries.yaml | 50 + .../raw/crds/kuma.io_serviceinsights.yaml | 50 + .../2.14.x/raw/crds/kuma.io_timeouts.yaml | 50 + .../2.14.x/raw/crds/kuma.io_trafficlogs.yaml | 50 + .../raw/crds/kuma.io_trafficpermissions.yaml | 50 + .../raw/crds/kuma.io_trafficroutes.yaml | 50 + .../raw/crds/kuma.io_traffictraces.yaml | 50 + .../raw/crds/kuma.io_virtualoutbounds.yaml | 50 + .../2.14.x/raw/crds/kuma.io_workloads.yaml | 81 ++ .../2.14.x/raw/crds/kuma.io_zoneegresses.yaml | 58 + .../raw/crds/kuma.io_zoneegressinsights.yaml | 50 + .../raw/crds/kuma.io_zoneingresses.yaml | 58 + .../raw/crds/kuma.io_zoneingressinsights.yaml | 51 + .../2.14.x/raw/crds/kuma.io_zoneinsights.yaml | 50 + .../mesh/2.14.x/raw/crds/kuma.io_zones.yaml | 52 + .../mesh/2.14.x/raw/crds/opa-policy.yaml | 25 + .../values.federated-zone-cp.yaml | 166 +++ .../helm-values-prod/values.global-cp.yaml | 73 ++ .../values.single-zone-cp.yaml | 117 ++ app/assets/mesh/2.14.x/raw/helm-values.yaml | 149 +++ app/assets/mesh/2.14.x/raw/kuma-cp.yaml | 1100 +++++++++++++++++ .../mesh/2.14.x/raw/protos/OPAPolicy.json | 132 ++ app/assets/mesh/2.14.x/raw/rbac.yaml | 409 ++++++ .../dev/raw/crds/kuma.io_meshaccesslogs.yaml | 30 +- .../dev/raw/crds/kuma.io_meshmetrics.yaml | 10 +- .../mesh/dev/raw/crds/kuma.io_meshtraces.yaml | 10 +- app/assets/mesh/dev/raw/kuma-cp.yaml | 4 +- app/assets/mesh/raw/CHANGELOG.md | 263 ++++ app/assets/mesh/raw/UPGRADE.md | 8 +- 74 files 
changed, 15375 insertions(+), 46 deletions(-) create mode 100644 app/assets/mesh/2.14.x/raw/crds/access-audit.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/access-role-binding.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/access-role.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_circuitbreakers.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_containerpatches.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_dataplaneinsights.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_dataplanes.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_externalservices.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_faultinjections.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_healthchecks.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_hostnamegenerators.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshaccesslogs.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshcircuitbreakers.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshes.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshexternalservices.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshfaultinjections.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgatewayconfigs.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgatewayinstances.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgatewayroutes.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgateways.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshglobalratelimits.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshhealthchecks.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshhttproutes.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshidentities.yaml create mode 100644 
app/assets/mesh/2.14.x/raw/crds/kuma.io_meshinsights.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshloadbalancingstrategies.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshmetrics.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshmultizoneservices.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshopas.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshopentelemetrybackends.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshpassthroughs.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshproxypatches.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshratelimits.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshretries.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshservices.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtcproutes.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtimeouts.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtlses.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtraces.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtrafficpermissions.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtrusts.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_meshzoneaddresses.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_proxytemplates.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_ratelimits.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_retries.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_serviceinsights.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_timeouts.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_trafficlogs.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_trafficpermissions.yaml create mode 100644 
app/assets/mesh/2.14.x/raw/crds/kuma.io_trafficroutes.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_traffictraces.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_virtualoutbounds.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_workloads.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneegresses.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneegressinsights.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneingresses.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneingressinsights.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneinsights.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/kuma.io_zones.yaml create mode 100644 app/assets/mesh/2.14.x/raw/crds/opa-policy.yaml create mode 100644 app/assets/mesh/2.14.x/raw/helm-values-prod/values.federated-zone-cp.yaml create mode 100644 app/assets/mesh/2.14.x/raw/helm-values-prod/values.global-cp.yaml create mode 100644 app/assets/mesh/2.14.x/raw/helm-values-prod/values.single-zone-cp.yaml create mode 100644 app/assets/mesh/2.14.x/raw/helm-values.yaml create mode 100644 app/assets/mesh/2.14.x/raw/kuma-cp.yaml create mode 100644 app/assets/mesh/2.14.x/raw/protos/OPAPolicy.json create mode 100644 app/assets/mesh/2.14.x/raw/rbac.yaml diff --git a/app/_data/products/mesh.yml b/app/_data/products/mesh.yml index e92af27aa9..6f3b1daaa1 100644 --- a/app/_data/products/mesh.yml +++ b/app/_data/products/mesh.yml @@ -59,8 +59,9 @@ releases: - version: 2.11.15 release: "2.11" releaseDate: "2025-06-10" - eol: "2026-06-10" + eol: "2026-12-10" branch: release-2.11 + extensionMonths: 6 - version: 2.12.12 release: "2.12" releaseDate: "2025-09-09" 
@@ -68,12 +69,15 @@ releases: branch: release-2.12 - version: 2.13.8 release: "2.13" - latest: true releaseDate: "2025-12-22" eol: "2027-12-22" branch: release-2.13 lts: true - - version: preview + - version: 2.14.0 release: "2.14" + latest: true + branch: release-2.14 + - version: preview + release: "2.15" branch: master label: dev diff --git a/app/assets/mesh/2.14.x/raw/crds/access-audit.yaml b/app/assets/mesh/2.14.x/raw/crds/access-audit.yaml new file mode 100644 index 0000000000..d1d5bb322f --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/access-audit.yaml @@ -0,0 +1,25 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: accessaudits.kuma.io +spec: + group: kuma.io + names: + kind: AccessAudit + plural: accessaudits + scope: Cluster + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + description: AccessAudit is the Schema for the accessaudit API + properties: + mesh: + type: string + spec: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object diff --git a/app/assets/mesh/2.14.x/raw/crds/access-role-binding.yaml b/app/assets/mesh/2.14.x/raw/crds/access-role-binding.yaml new file mode 100644 index 0000000000..d8367b8586 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/access-role-binding.yaml @@ -0,0 +1,25 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: accessrolebindings.kuma.io +spec: + group: kuma.io + names: + kind: AccessRoleBinding + plural: accessrolebindings + scope: Cluster + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + description: AccessRoleBinding is the Schema for the accessrolebinding API + properties: + mesh: + type: string + spec: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object 
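Review bot: The new `2.14.0` entry in the second mesh.yml hunk is given `version`, `release`, `latest` and `branch` but no `releaseDate` or `eol`, while the sibling GA entries `2.11.15`, `2.12.12` and `2.13.8` in these two hunks all carry both. If the site derives the support window or an end-of-life notice from those fields, the 2.14 release would presumably render without one, or fall back to whatever the templates do for a missing value. Adding `releaseDate: "<RELEASE_DATE_PLACEHOLDER>"` and `eol: "<EOL_DATE_PLACEHOLDER>"` (placeholders — fill from the actual 2.14.0 release) would keep the entry consistent with its siblings. Because this file is synced by a bot from the repo source, the fix likely belongs in the upstream data rather than in this commit.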
diff --git a/app/assets/mesh/2.14.x/raw/crds/access-role.yaml b/app/assets/mesh/2.14.x/raw/crds/access-role.yaml new file mode 100644 index 0000000000..e1904f4488 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/access-role.yaml @@ -0,0 +1,25 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: accessroles.kuma.io +spec: + group: kuma.io + names: + kind: AccessRole + plural: accessroles + scope: Cluster + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + description: AccessRole is the Schema for the accessrole API + properties: + mesh: + type: string + spec: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_circuitbreakers.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_circuitbreakers.yaml new file mode 100644 index 0000000000..409ac10807 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_circuitbreakers.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: circuitbreakers.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: CircuitBreaker + listKind: CircuitBreakerList + plural: circuitbreakers + singular: circuitbreaker + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma CircuitBreaker resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_containerpatches.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_containerpatches.yaml new file mode 100644 index 0000000000..c6a1c2cf85 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_containerpatches.yaml 
@@ -0,0 +1,114 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: containerpatches.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ContainerPatch + listKind: ContainerPatchList + plural: containerpatches + singular: containerpatch + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: ContainerPatch stores a list of patches to apply to init and + sidecar containers. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + type: string + metadata: + type: object + spec: + description: ContainerPatchSpec specifies the options available for a + ContainerPatch + properties: + initPatch: + description: InitPatch specifies jsonpatch to apply to an init container. + items: + description: JsonPatchBlock is one json patch operation block. + properties: + from: + description: From is a jsonpatch from string, used by move and + copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. 
+ type: string + value: + description: |- + Value must be a string representing a valid json object used + by replace and add operations. String has to be escaped with " to be valid a json object. + type: string + required: + - op + - path + type: object + type: array + sidecarPatch: + description: SidecarPatch specifies jsonpatch to apply to a sidecar + container. + items: + description: JsonPatchBlock is one json patch operation block. + properties: + from: + description: From is a jsonpatch from string, used by move and + copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: |- + Value must be a string representing a valid json object used + by replace and add operations. String has to be escaped with " to be valid a json object. + type: string + required: + - op + - path + type: object + type: array + type: object + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_dataplaneinsights.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_dataplaneinsights.yaml new file mode 100644 index 0000000000..c79b74702f --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_dataplaneinsights.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: dataplaneinsights.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: DataplaneInsight + listKind: DataplaneInsightList + plural: dataplaneinsights + singular: dataplaneinsight + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + status: + description: Status is the status the Kuma resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_dataplanes.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_dataplanes.yaml new file mode 100644 index 0000000000..39cced0b9c --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_dataplanes.yaml 
@@ -0,0 +1,72 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: dataplanes.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: Dataplane + listKind: DataplaneList + plural: dataplanes + shortNames: + - dp + singular: dataplane + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Service tag of the first inbound + jsonPath: .spec.networking.inbound[0].tags['kuma\.io/service'] + name: kuma.io/service + type: string + - description: Service tag of the second inbound + jsonPath: .spec.networking.inbound[1].tags['kuma\.io/service'] + name: kuma.io/service + type: string + - description: Service tag of the third inbound + jsonPath: .spec.networking.inbound[2].tags['kuma\.io/service'] + name: kuma.io/service + priority: 1 + type: string + - description: Service tag of the fourth inbound + jsonPath: .spec.networking.inbound[3].tags['kuma\.io/service'] + name: kuma.io/service + priority: 1 + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. 
+ type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma Dataplane resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_externalservices.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_externalservices.yaml new file mode 100644 index 0000000000..65a334f9ba --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_externalservices.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: externalservices.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ExternalService + listKind: ExternalServiceList + plural: externalservices + singular: externalservice + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ExternalService resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_faultinjections.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_faultinjections.yaml new file mode 100644 index 0000000000..1a9707bb91 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_faultinjections.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: faultinjections.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: FaultInjection + listKind: FaultInjectionList + plural: faultinjections + singular: faultinjection + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma FaultInjection resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_healthchecks.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_healthchecks.yaml new file mode 100644 index 0000000000..6f63718ac3 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_healthchecks.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: healthchecks.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: HealthCheck + listKind: HealthCheckList + plural: healthchecks + singular: healthcheck + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma HealthCheck resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_hostnamegenerators.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_hostnamegenerators.yaml new file mode 100644 index 0000000000..df95dc836f --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_hostnamegenerators.yaml 
@@ -0,0 +1,93 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: hostnamegenerators.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: HostnameGenerator + listKind: HostnameGeneratorList + plural: hostnamegenerators + shortNames: + - hg + singular: hostnamegenerator + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: HostnameGenerator automatically generates DNS hostnames for services + in the mesh based on customizable templates. It provides a consistent naming + scheme for service discovery by creating predictable hostnames from service + labels and metadata, supporting both MeshService, MeshExternalService, and + MeshMultiZoneService resources. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma HostnameGenerator resource. + properties: + extension: + description: Extension struct for a plugin configuration + properties: + config: + description: Config freeform configuration for the extension. + x-kubernetes-preserve-unknown-fields: true + type: + description: Type of the extension. 
+ type: string + required: + - type + type: object + selector: + properties: + meshExternalService: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + meshMultiZoneService: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + meshService: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + template: + type: string + required: + - template + type: object + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshaccesslogs.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshaccesslogs.yaml new file mode 100644 index 0000000000..20b18162d8 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshaccesslogs.yaml 
@@ -0,0 +1,919 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshaccesslogs.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshAccessLog + listKind: MeshAccessLogList + plural: meshaccesslogs + shortNames: + - mal + singular: meshaccesslog + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshAccessLog configures access logging for traffic between services + in the mesh. It allows you to capture and export request/response logs to + various backends (file, TCP, or OpenTelemetry) for monitoring, debugging, + and auditing purposes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshAccessLog resource. 
+ properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + backends: + items: + properties: + file: + description: FileBackend defines configuration for + file based access logs + properties: + format: + description: |- + Format of access logs. Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + properties: + json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + omitEmptyValues: + default: false + type: boolean + plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' + type: string + type: + enum: + - Plain + - Json + type: string + required: + - type + type: object + path: + description: Path to a file that logs will be + written to + example: /tmp/access.log + minLength: 1 + type: string + required: + - path + type: object + openTelemetry: + description: Defines an OpenTelemetry logging backend. + properties: + attributes: + description: |- + Attributes defines custom OpenTelemetry attributes. Keys must be static + OpenTelemetry attribute names. Values can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + - key: mesh + value: '%KUMA_MESH%' + items: + properties: + key: + description: Key is the OpenTelemetry attribute + name. + pattern: ^[a-z]([a-z0-9]|[._][a-z0-9])*$ + type: string + value: + description: Value can contain Kuma placeholders. 
+ type: string + required: + - key + - value + type: object + type: array + backendRef: + description: |- + BackendRef is a reference to a MeshOpenTelemetryBackend resource that + defines the collector endpoint. Mutually exclusive with Endpoint. + properties: + kind: + description: Kind of the backend resource. + enum: + - MeshOpenTelemetryBackend + type: string + labels: + additionalProperties: + type: string + description: |- + Labels to match the referenced resource. When multiple resources match, + the oldest by creation time wins. + type: object + required: + - kind + type: object + body: + description: |- + Body is a raw string or an OTLP any value as described at + https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/data-model.md#field-body + It can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + kvlistValue: + values: + - key: mesh + value: + stringValue: '%KUMA_MESH%' + x-kubernetes-preserve-unknown-fields: true + endpoint: + default: "" + description: |- + Endpoint of OpenTelemetry collector. An empty port defaults to 4317. + + Deprecated: use BackendRef instead. + example: otel-collector:4317 + type: string + type: object + tcp: + description: TCPBackend defines a TCP logging backend. + properties: + address: + description: Address of the TCP logging backend + example: 127.0.0.1:5000 + minLength: 1 + type: string + format: + description: |- + Format of access logs. 
Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + properties: + json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + omitEmptyValues: + default: false + type: boolean + plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' + type: string + type: + enum: + - Plain + - Json + type: string + required: + - type + type: object + required: + - address + type: object + type: + enum: + - Tcp + - File + - OpenTelemetry + type: string + required: + - type + type: object + type: array + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. 
+ items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - default + - targetRef + type: object + type: array + rules: + description: Rules defines inbound access log configurations. + items: + properties: + default: + description: Default contains configuration of the inbound access + logging + properties: + backends: + items: + properties: + file: + description: FileBackend defines configuration for + file based access logs + properties: + format: + description: |- + Format of access logs. Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + properties: + json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + omitEmptyValues: + default: false + type: boolean + plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' + type: string + type: + enum: + - Plain + - Json + type: string + required: + - type + type: object + path: + description: Path to a file that logs will be + written to + example: /tmp/access.log + minLength: 1 + type: string + required: + - path + type: object + openTelemetry: + description: Defines an OpenTelemetry logging backend. + properties: + attributes: + description: |- + Attributes defines custom OpenTelemetry attributes. Keys must be static + OpenTelemetry attribute names. 
Values can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + - key: mesh + value: '%KUMA_MESH%' + items: + properties: + key: + description: Key is the OpenTelemetry attribute + name. + pattern: ^[a-z]([a-z0-9]|[._][a-z0-9])*$ + type: string + value: + description: Value can contain Kuma placeholders. + type: string + required: + - key + - value + type: object + type: array + backendRef: + description: |- + BackendRef is a reference to a MeshOpenTelemetryBackend resource that + defines the collector endpoint. Mutually exclusive with Endpoint. + properties: + kind: + description: Kind of the backend resource. + enum: + - MeshOpenTelemetryBackend + type: string + labels: + additionalProperties: + type: string + description: |- + Labels to match the referenced resource. When multiple resources match, + the oldest by creation time wins. + type: object + required: + - kind + type: object + body: + description: |- + Body is a raw string or an OTLP any value as described at + https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/data-model.md#field-body + It can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + kvlistValue: + values: + - key: mesh + value: + stringValue: '%KUMA_MESH%' + x-kubernetes-preserve-unknown-fields: true + endpoint: + default: "" + description: |- + Endpoint of OpenTelemetry collector. An empty port defaults to 4317. + + Deprecated: use BackendRef instead. + example: otel-collector:4317 + type: string + type: object + tcp: + description: TCPBackend defines a TCP logging backend. + properties: + address: + description: Address of the TCP logging backend + example: 127.0.0.1:5000 + minLength: 1 + type: string + format: + description: |- + Format of access logs. 
Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + properties: + json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + omitEmptyValues: + default: false + type: boolean + plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' + type: string + type: + enum: + - Plain + - Json + type: string + required: + - type + type: object + required: + - address + type: object + type: + enum: + - Tcp + - File + - OpenTelemetry + type: string + required: + - type + type: object + type: array + type: object + matches: + description: |- + Matches defines a list of conditions (by SpiffeID or SNI) that select the + traffic this rule applies to. Rules fire independently: a connection that + satisfies multiple rules is logged to every matching rule's backends. + items: + properties: + sni: + description: SNI defines a matcher configuration for matching + by SNI value carried on the TLS connection + properties: + type: + description: Type defines how to match traffic by + SNI. Only `Exact` is supported. + enum: + - Exact + type: string + value: + description: Value is the SNI carried on the TLS connection + that needs to match for the configuration to be + applied + type: string + required: + - type + - value + type: object + spiffeID: + description: SpiffeID defines a matcher configuration + for SpiffeID matching + properties: + type: + description: Type defines how to match incoming traffic + by SpiffeID. `Exact` or `Prefix` are allowed. 
+ enum: + - Exact + - Prefix + type: string + value: + description: Value is SpiffeID of a client that needs + to match for the configuration to be applied + type: string + required: + - type + - value + type: object + type: object + type: array + required: + - default + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. 
Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + to: + description: To list makes a match between the consumed services and + corresponding configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + backends: + items: + properties: + file: + description: FileBackend defines configuration for + file based access logs + properties: + format: + description: |- + Format of access logs. Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + properties: + json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + omitEmptyValues: + default: false + type: boolean + plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' + type: string + type: + enum: + - Plain + - Json + type: string + required: + - type + type: object + path: + description: Path to a file that logs will be + written to + example: /tmp/access.log + minLength: 1 + type: string + required: + - path + type: object + openTelemetry: + description: Defines an OpenTelemetry logging backend. + properties: + attributes: + description: |- + Attributes defines custom OpenTelemetry attributes. Keys must be static + OpenTelemetry attribute names. Values can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + - key: mesh + value: '%KUMA_MESH%' + items: + properties: + key: + description: Key is the OpenTelemetry attribute + name. + pattern: ^[a-z]([a-z0-9]|[._][a-z0-9])*$ + type: string + value: + description: Value can contain Kuma placeholders. 
+ type: string + required: + - key + - value + type: object + type: array + backendRef: + description: |- + BackendRef is a reference to a MeshOpenTelemetryBackend resource that + defines the collector endpoint. Mutually exclusive with Endpoint. + properties: + kind: + description: Kind of the backend resource. + enum: + - MeshOpenTelemetryBackend + type: string + labels: + additionalProperties: + type: string + description: |- + Labels to match the referenced resource. When multiple resources match, + the oldest by creation time wins. + type: object + required: + - kind + type: object + body: + description: |- + Body is a raw string or an OTLP any value as described at + https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/data-model.md#field-body + It can contain placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + example: + kvlistValue: + values: + - key: mesh + value: + stringValue: '%KUMA_MESH%' + x-kubernetes-preserve-unknown-fields: true + endpoint: + default: "" + description: |- + Endpoint of OpenTelemetry collector. An empty port defaults to 4317. + + Deprecated: use BackendRef instead. + example: otel-collector:4317 + type: string + type: object + tcp: + description: TCPBackend defines a TCP logging backend. + properties: + address: + description: Address of the TCP logging backend + example: 127.0.0.1:5000 + minLength: 1 + type: string + format: + description: |- + Format of access logs. 
Placeholders available on + https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators + properties: + json: + example: + - key: start_time + value: '%START_TIME%' + - key: bytes_received + value: '%BYTES_RECEIVED%' + items: + properties: + key: + type: string + value: + type: string + required: + - key + - value + type: object + type: array + omitEmptyValues: + default: false + type: boolean + plain: + example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%' + type: string + type: + enum: + - Plain + - Json + type: string + required: + - type + type: object + required: + - address + type: object + type: + enum: + - Tcp + - File + - OpenTelemetry + type: string + required: + - type + type: object + type: array + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. 
+ items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - default + - targetRef + type: object + type: array + type: object + status: + description: Status is the current status of the Kuma MeshAccessLog resource. + properties: + conditions: + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} 
diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshcircuitbreakers.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshcircuitbreakers.yaml new file mode 100644 index 0000000000..9e2203918c --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshcircuitbreakers.yaml 
@@ -0,0 +1,1024 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshcircuitbreakers.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshCircuitBreaker + listKind: MeshCircuitBreakerList + plural: meshcircuitbreakers + shortNames: + - mcb + singular: meshcircuitbreaker + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshCircuitBreaker protects services from cascading failures + by limiting connections and detecting unhealthy instances. It provides connection + limits to prevent overload and outlier detection to temporarily remove failing + endpoints from the load balancing pool. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshCircuitBreaker + resource. 
+ properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations + referenced in 'targetRef' + properties: + connectionLimits: + description: |- + ConnectionLimits contains configuration of each circuit breaking limit, + which when exceeded makes the circuit breaker to become open (no traffic + is allowed like no current is allowed in the circuits when physical + circuit breaker ir open) + properties: + maxConnectionPools: + description: |- + The maximum number of connection pools per cluster that are concurrently + supported at once. Set this for clusters which create a large number of + connection pools. + format: int32 + type: integer + maxConnections: + description: |- + The maximum number of connections allowed to be made to the upstream + cluster. + format: int32 + type: integer + maxPendingRequests: + description: |- + The maximum number of pending requests that are allowed to the upstream + cluster. This limit is applied as a connection limit for non-HTTP + traffic. + format: int32 + type: integer + maxRequests: + description: |- + The maximum number of parallel requests that are allowed to be made + to the upstream cluster. This limit does not apply to non-HTTP traffic. + format: int32 + type: integer + maxRetries: + description: |- + The maximum number of parallel retries that will be allowed to + the upstream cluster. + format: int32 + type: integer + type: object + outlierDetection: + description: |- + OutlierDetection contains the configuration of the process of dynamically + determining whether some number of hosts in an upstream cluster are + performing unlike the others and removing them from the healthy load + balancing set. Performance might be along different axes such as + consecutive failures, temporal success rate, temporal latency, etc. 
+ Outlier detection is a form of passive health checking. + properties: + baseEjectionTime: + description: |- + The base time that a host is ejected for. The real time is equal to + the base time multiplied by the number of times the host has been + ejected. + type: string + detectors: + description: Contains configuration for supported outlier + detectors + properties: + failurePercentage: + description: |- + Failure Percentage based outlier detection functions similarly to success + rate detection, in that it relies on success rate data from each host in + a cluster. However, rather than compare those values to the mean success + rate of the cluster as a whole, they are compared to a flat + user-configured threshold. This threshold is configured via the + outlierDetection.failurePercentageThreshold field. + The other configuration fields for failure percentage based detection are + similar to the fields for success rate detection. As with success rate + detection, detection will not be performed for a host if its request + volume over the aggregation interval is less than the + outlierDetection.detectors.failurePercentage.requestVolume value. + Detection also will not be performed for a cluster if the number of hosts + with the minimum required request volume in an interval is less than the + outlierDetection.detectors.failurePercentage.minimumHosts value. + properties: + minimumHosts: + description: |- + The minimum number of hosts in a cluster in order to perform failure + percentage-based ejection. If the total number of hosts in the cluster is + less than this value, failure percentage-based ejection will not be + performed. + format: int32 + type: integer + requestVolume: + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration above) to perform failure + percentage-based ejection for this host. 
If the volume is lower than this + setting, failure percentage-based ejection will not be performed for this + host. + format: int32 + type: integer + threshold: + description: |- + The failure percentage to use when determining failure percentage-based + outlier detection. If the failure percentage of a given host is greater + than or equal to this value, it will be ejected. + format: int32 + type: integer + type: object + gatewayFailures: + description: |- + In the default mode (outlierDetection.splitExternalLocalOriginErrors is + false) this detection type takes into account a subset of 5xx errors, + called "gateway errors" (502, 503 or 504 status code) and local origin + failures, such as timeout, TCP reset etc. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account a subset of 5xx errors, called + "gateway errors" (502, 503 or 504 status code) and is supported only by + the http router. + properties: + consecutive: + description: |- + The number of consecutive gateway failures (502, 503, 504 status codes) + before a consecutive gateway failure ejection occurs. + format: int32 + type: integer + type: object + localOriginFailures: + description: |- + This detection type is enabled only when + outlierDetection.splitExternalLocalOriginErrors is true and takes into + account only locally originated errors (timeout, reset, etc). + If Envoy repeatedly cannot connect to an upstream host or communication + with the upstream host is repeatedly interrupted, it will be ejected. + Various locally originated problems are detected: timeout, TCP reset, + ICMP errors, etc. This detection type is supported by http router and + tcp proxy. + properties: + consecutive: + description: |- + The number of consecutive locally originated failures before ejection + occurs. Parameter takes effect only when splitExternalAndLocalErrors + is set to true. 
+ format: int32 + type: integer + type: object + successRate: + description: |- + Success Rate based outlier detection aggregates success rate data from + every host in a cluster. Then at given intervals ejects hosts based on + statistical outlier detection. Success Rate outlier detection will not be + calculated for a host if its request volume over the aggregation interval + is less than the outlierDetection.detectors.successRate.requestVolume + value. + Moreover, detection will not be performed for a cluster if the number of + hosts with the minimum required request volume in an interval is less + than the outlierDetection.detectors.successRate.minimumHosts value. + In the default configuration mode + (outlierDetection.splitExternalLocalOriginErrors is false) this detection + type takes into account all types of errors: locally and externally + originated. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true), + locally originated errors and externally originated (transaction) errors + are counted and treated separately. + properties: + minimumHosts: + description: |- + The number of hosts in a cluster that must have enough request volume to + detect success rate outliers. If the number of hosts is less than this + setting, outlier detection via success rate statistics is not performed + for any host in the cluster. + format: int32 + type: integer + requestVolume: + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration configured in + outlierDetection section) to include this host in success rate based + outlier detection. If the volume is lower than this setting, outlier + detection via success rate statistics is not performed for that host. + format: int32 + type: integer + standardDeviationFactor: + anyOf: + - type: integer + - type: string + description: |- + This factor is used to determine the ejection threshold for success rate + outlier ejection. 
The ejection threshold is the difference between + the mean success rate, and the product of this factor and the standard + deviation of the mean success rate: mean - (standard_deviation * + success_rate_standard_deviation_factor). + Either int or decimal represented as string. + x-kubernetes-int-or-string: true + type: object + totalFailures: + description: |- + In the default mode (outlierDetection.splitExternalAndLocalErrors is + false) this detection type takes into account all generated errors: + locally originated and externally originated (transaction) errors. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account only externally originated + (transaction) errors, ignoring locally originated errors. + If an upstream host is an HTTP-server, only 5xx types of error are taken + into account (see Consecutive Gateway Failure for exceptions). + Properly formatted responses, even when they carry an operational error + (like index not found, access denied) are not taken into account. + properties: + consecutive: + description: |- + The number of consecutive server-side error responses (for HTTP traffic, + 5xx responses; for TCP traffic, connection failures; for Redis, failure + to respond PONG; etc.) before a consecutive total failure ejection + occurs. + format: int32 + type: integer + type: object + type: object + disabled: + description: When set to true, outlierDetection configuration + won't take any effect + type: boolean + healthyPanicThreshold: + anyOf: + - type: integer + - type: string + description: |- + Allows to configure panic threshold for Envoy cluster. If not specified, + the default is 50%. To disable panic mode, set to 0%. + Either int or decimal represented as string. + x-kubernetes-int-or-string: true + interval: + description: |- + The time interval between ejection analysis sweeps. This can result in + both new ejections and hosts being returned to service. 
+ type: string + maxEjectionPercent: + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier + detection. Defaults to 10% but will eject at least one host regardless of + the value. + format: int32 + type: integer + splitExternalAndLocalErrors: + description: |- + Determines whether to distinguish local origin failures from external + errors. If set to true the following configuration parameters are taken + into account: detectors.localOriginFailures.consecutive + type: boolean + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. 
Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + rules: + description: |- + Rules defines inbound circuit breaker configurations. Currently limited to + selecting all inbound traffic, as L7 matching is not yet implemented. + items: + properties: + default: + description: Default contains configuration of the inbound circuit + breaker + properties: + connectionLimits: + description: |- + ConnectionLimits contains configuration of each circuit breaking limit, + which when exceeded makes the circuit breaker to become open (no traffic + is allowed like no current is allowed in the circuits when physical + circuit breaker ir open) + properties: + maxConnectionPools: + description: |- + The maximum number of connection pools per cluster that are concurrently + supported at once. Set this for clusters which create a large number of + connection pools. + format: int32 + type: integer + maxConnections: + description: |- + The maximum number of connections allowed to be made to the upstream + cluster. + format: int32 + type: integer + maxPendingRequests: + description: |- + The maximum number of pending requests that are allowed to the upstream + cluster. This limit is applied as a connection limit for non-HTTP + traffic. + format: int32 + type: integer + maxRequests: + description: |- + The maximum number of parallel requests that are allowed to be made + to the upstream cluster. This limit does not apply to non-HTTP traffic. + format: int32 + type: integer + maxRetries: + description: |- + The maximum number of parallel retries that will be allowed to + the upstream cluster. 
+ format: int32 + type: integer + type: object + outlierDetection: + description: |- + OutlierDetection contains the configuration of the process of dynamically + determining whether some number of hosts in an upstream cluster are + performing unlike the others and removing them from the healthy load + balancing set. Performance might be along different axes such as + consecutive failures, temporal success rate, temporal latency, etc. + Outlier detection is a form of passive health checking. + properties: + baseEjectionTime: + description: |- + The base time that a host is ejected for. The real time is equal to + the base time multiplied by the number of times the host has been + ejected. + type: string + detectors: + description: Contains configuration for supported outlier + detectors + properties: + failurePercentage: + description: |- + Failure Percentage based outlier detection functions similarly to success + rate detection, in that it relies on success rate data from each host in + a cluster. However, rather than compare those values to the mean success + rate of the cluster as a whole, they are compared to a flat + user-configured threshold. This threshold is configured via the + outlierDetection.failurePercentageThreshold field. + The other configuration fields for failure percentage based detection are + similar to the fields for success rate detection. As with success rate + detection, detection will not be performed for a host if its request + volume over the aggregation interval is less than the + outlierDetection.detectors.failurePercentage.requestVolume value. + Detection also will not be performed for a cluster if the number of hosts + with the minimum required request volume in an interval is less than the + outlierDetection.detectors.failurePercentage.minimumHosts value. + properties: + minimumHosts: + description: |- + The minimum number of hosts in a cluster in order to perform failure + percentage-based ejection. 
If the total number of hosts in the cluster is + less than this value, failure percentage-based ejection will not be + performed. + format: int32 + type: integer + requestVolume: + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration above) to perform failure + percentage-based ejection for this host. If the volume is lower than this + setting, failure percentage-based ejection will not be performed for this + host. + format: int32 + type: integer + threshold: + description: |- + The failure percentage to use when determining failure percentage-based + outlier detection. If the failure percentage of a given host is greater + than or equal to this value, it will be ejected. + format: int32 + type: integer + type: object + gatewayFailures: + description: |- + In the default mode (outlierDetection.splitExternalLocalOriginErrors is + false) this detection type takes into account a subset of 5xx errors, + called "gateway errors" (502, 503 or 504 status code) and local origin + failures, such as timeout, TCP reset etc. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account a subset of 5xx errors, called + "gateway errors" (502, 503 or 504 status code) and is supported only by + the http router. + properties: + consecutive: + description: |- + The number of consecutive gateway failures (502, 503, 504 status codes) + before a consecutive gateway failure ejection occurs. + format: int32 + type: integer + type: object + localOriginFailures: + description: |- + This detection type is enabled only when + outlierDetection.splitExternalLocalOriginErrors is true and takes into + account only locally originated errors (timeout, reset, etc). + If Envoy repeatedly cannot connect to an upstream host or communication + with the upstream host is repeatedly interrupted, it will be ejected. 
+ Various locally originated problems are detected: timeout, TCP reset, + ICMP errors, etc. This detection type is supported by http router and + tcp proxy. + properties: + consecutive: + description: |- + The number of consecutive locally originated failures before ejection + occurs. Parameter takes effect only when splitExternalAndLocalErrors + is set to true. + format: int32 + type: integer + type: object + successRate: + description: |- + Success Rate based outlier detection aggregates success rate data from + every host in a cluster. Then at given intervals ejects hosts based on + statistical outlier detection. Success Rate outlier detection will not be + calculated for a host if its request volume over the aggregation interval + is less than the outlierDetection.detectors.successRate.requestVolume + value. + Moreover, detection will not be performed for a cluster if the number of + hosts with the minimum required request volume in an interval is less + than the outlierDetection.detectors.successRate.minimumHosts value. + In the default configuration mode + (outlierDetection.splitExternalLocalOriginErrors is false) this detection + type takes into account all types of errors: locally and externally + originated. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true), + locally originated errors and externally originated (transaction) errors + are counted and treated separately. + properties: + minimumHosts: + description: |- + The number of hosts in a cluster that must have enough request volume to + detect success rate outliers. If the number of hosts is less than this + setting, outlier detection via success rate statistics is not performed + for any host in the cluster. 
+ format: int32 + type: integer + requestVolume: + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration configured in + outlierDetection section) to include this host in success rate based + outlier detection. If the volume is lower than this setting, outlier + detection via success rate statistics is not performed for that host. + format: int32 + type: integer + standardDeviationFactor: + anyOf: + - type: integer + - type: string + description: |- + This factor is used to determine the ejection threshold for success rate + outlier ejection. The ejection threshold is the difference between + the mean success rate, and the product of this factor and the standard + deviation of the mean success rate: mean - (standard_deviation * + success_rate_standard_deviation_factor). + Either int or decimal represented as string. + x-kubernetes-int-or-string: true + type: object + totalFailures: + description: |- + In the default mode (outlierDetection.splitExternalAndLocalErrors is + false) this detection type takes into account all generated errors: + locally originated and externally originated (transaction) errors. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account only externally originated + (transaction) errors, ignoring locally originated errors. + If an upstream host is an HTTP-server, only 5xx types of error are taken + into account (see Consecutive Gateway Failure for exceptions). + Properly formatted responses, even when they carry an operational error + (like index not found, access denied) are not taken into account. + properties: + consecutive: + description: |- + The number of consecutive server-side error responses (for HTTP traffic, + 5xx responses; for TCP traffic, connection failures; for Redis, failure + to respond PONG; etc.) before a consecutive total failure ejection + occurs. 
+ format: int32 + type: integer + type: object + type: object + disabled: + description: When set to true, outlierDetection configuration + won't take any effect + type: boolean + healthyPanicThreshold: + anyOf: + - type: integer + - type: string + description: |- + Allows to configure panic threshold for Envoy cluster. If not specified, + the default is 50%. To disable panic mode, set to 0%. + Either int or decimal represented as string. + x-kubernetes-int-or-string: true + interval: + description: |- + The time interval between ejection analysis sweeps. This can result in + both new ejections and hosts being returned to service. + type: string + maxEjectionPercent: + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier + detection. Defaults to 10% but will eject at least one host regardless of + the value. + format: int32 + type: integer + splitExternalAndLocalErrors: + description: |- + Determines whether to distinguish local origin failures from external + errors. If set to true the following configuration parameters are taken + into account: detectors.localOriginFailures.consecutive + type: boolean + type: object + type: object + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. 
+ type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + to: + description: |- + To list makes a match between the consumed services and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations + referenced in 'targetRef' + properties: + connectionLimits: + description: |- + ConnectionLimits contains configuration of each circuit breaking limit, + which when exceeded makes the circuit breaker to become open (no traffic + is allowed like no current is allowed in the circuits when physical + circuit breaker ir open) + properties: + maxConnectionPools: + description: |- + The maximum number of connection pools per cluster that are concurrently + supported at once. Set this for clusters which create a large number of + connection pools. + format: int32 + type: integer + maxConnections: + description: |- + The maximum number of connections allowed to be made to the upstream + cluster. 
+ format: int32 + type: integer + maxPendingRequests: + description: |- + The maximum number of pending requests that are allowed to the upstream + cluster. This limit is applied as a connection limit for non-HTTP + traffic. + format: int32 + type: integer + maxRequests: + description: |- + The maximum number of parallel requests that are allowed to be made + to the upstream cluster. This limit does not apply to non-HTTP traffic. + format: int32 + type: integer + maxRetries: + description: |- + The maximum number of parallel retries that will be allowed to + the upstream cluster. + format: int32 + type: integer + type: object + outlierDetection: + description: |- + OutlierDetection contains the configuration of the process of dynamically + determining whether some number of hosts in an upstream cluster are + performing unlike the others and removing them from the healthy load + balancing set. Performance might be along different axes such as + consecutive failures, temporal success rate, temporal latency, etc. + Outlier detection is a form of passive health checking. + properties: + baseEjectionTime: + description: |- + The base time that a host is ejected for. The real time is equal to + the base time multiplied by the number of times the host has been + ejected. + type: string + detectors: + description: Contains configuration for supported outlier + detectors + properties: + failurePercentage: + description: |- + Failure Percentage based outlier detection functions similarly to success + rate detection, in that it relies on success rate data from each host in + a cluster. However, rather than compare those values to the mean success + rate of the cluster as a whole, they are compared to a flat + user-configured threshold. This threshold is configured via the + outlierDetection.failurePercentageThreshold field. + The other configuration fields for failure percentage based detection are + similar to the fields for success rate detection. 
As with success rate + detection, detection will not be performed for a host if its request + volume over the aggregation interval is less than the + outlierDetection.detectors.failurePercentage.requestVolume value. + Detection also will not be performed for a cluster if the number of hosts + with the minimum required request volume in an interval is less than the + outlierDetection.detectors.failurePercentage.minimumHosts value. + properties: + minimumHosts: + description: |- + The minimum number of hosts in a cluster in order to perform failure + percentage-based ejection. If the total number of hosts in the cluster is + less than this value, failure percentage-based ejection will not be + performed. + format: int32 + type: integer + requestVolume: + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration above) to perform failure + percentage-based ejection for this host. If the volume is lower than this + setting, failure percentage-based ejection will not be performed for this + host. + format: int32 + type: integer + threshold: + description: |- + The failure percentage to use when determining failure percentage-based + outlier detection. If the failure percentage of a given host is greater + than or equal to this value, it will be ejected. + format: int32 + type: integer + type: object + gatewayFailures: + description: |- + In the default mode (outlierDetection.splitExternalLocalOriginErrors is + false) this detection type takes into account a subset of 5xx errors, + called "gateway errors" (502, 503 or 504 status code) and local origin + failures, such as timeout, TCP reset etc. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account a subset of 5xx errors, called + "gateway errors" (502, 503 or 504 status code) and is supported only by + the http router. 
+ properties: + consecutive: + description: |- + The number of consecutive gateway failures (502, 503, 504 status codes) + before a consecutive gateway failure ejection occurs. + format: int32 + type: integer + type: object + localOriginFailures: + description: |- + This detection type is enabled only when + outlierDetection.splitExternalLocalOriginErrors is true and takes into + account only locally originated errors (timeout, reset, etc). + If Envoy repeatedly cannot connect to an upstream host or communication + with the upstream host is repeatedly interrupted, it will be ejected. + Various locally originated problems are detected: timeout, TCP reset, + ICMP errors, etc. This detection type is supported by http router and + tcp proxy. + properties: + consecutive: + description: |- + The number of consecutive locally originated failures before ejection + occurs. Parameter takes effect only when splitExternalAndLocalErrors + is set to true. + format: int32 + type: integer + type: object + successRate: + description: |- + Success Rate based outlier detection aggregates success rate data from + every host in a cluster. Then at given intervals ejects hosts based on + statistical outlier detection. Success Rate outlier detection will not be + calculated for a host if its request volume over the aggregation interval + is less than the outlierDetection.detectors.successRate.requestVolume + value. + Moreover, detection will not be performed for a cluster if the number of + hosts with the minimum required request volume in an interval is less + than the outlierDetection.detectors.successRate.minimumHosts value. + In the default configuration mode + (outlierDetection.splitExternalLocalOriginErrors is false) this detection + type takes into account all types of errors: locally and externally + originated. 
+ In split mode (outlierDetection.splitExternalLocalOriginErrors is true), + locally originated errors and externally originated (transaction) errors + are counted and treated separately. + properties: + minimumHosts: + description: |- + The number of hosts in a cluster that must have enough request volume to + detect success rate outliers. If the number of hosts is less than this + setting, outlier detection via success rate statistics is not performed + for any host in the cluster. + format: int32 + type: integer + requestVolume: + description: |- + The minimum number of total requests that must be collected in one + interval (as defined by the interval duration configured in + outlierDetection section) to include this host in success rate based + outlier detection. If the volume is lower than this setting, outlier + detection via success rate statistics is not performed for that host. + format: int32 + type: integer + standardDeviationFactor: + anyOf: + - type: integer + - type: string + description: |- + This factor is used to determine the ejection threshold for success rate + outlier ejection. The ejection threshold is the difference between + the mean success rate, and the product of this factor and the standard + deviation of the mean success rate: mean - (standard_deviation * + success_rate_standard_deviation_factor). + Either int or decimal represented as string. + x-kubernetes-int-or-string: true + type: object + totalFailures: + description: |- + In the default mode (outlierDetection.splitExternalAndLocalErrors is + false) this detection type takes into account all generated errors: + locally originated and externally originated (transaction) errors. + In split mode (outlierDetection.splitExternalLocalOriginErrors is true) + this detection type takes into account only externally originated + (transaction) errors, ignoring locally originated errors. 
+ If an upstream host is an HTTP-server, only 5xx types of error are taken + into account (see Consecutive Gateway Failure for exceptions). + Properly formatted responses, even when they carry an operational error + (like index not found, access denied) are not taken into account. + properties: + consecutive: + description: |- + The number of consecutive server-side error responses (for HTTP traffic, + 5xx responses; for TCP traffic, connection failures; for Redis, failure + to respond PONG; etc.) before a consecutive total failure ejection + occurs. + format: int32 + type: integer + type: object + type: object + disabled: + description: When set to true, outlierDetection configuration + won't take any effect + type: boolean + healthyPanicThreshold: + anyOf: + - type: integer + - type: string + description: |- + Allows to configure panic threshold for Envoy cluster. If not specified, + the default is 50%. To disable panic mode, set to 0%. + Either int or decimal represented as string. + x-kubernetes-int-or-string: true + interval: + description: |- + The time interval between ejection analysis sweeps. This can result in + both new ejections and hosts being returned to service. + type: string + maxEjectionPercent: + description: |- + The maximum % of an upstream cluster that can be ejected due to outlier + detection. Defaults to 10% but will eject at least one host regardless of + the value. + format: int32 + type: integer + splitExternalAndLocalErrors: + description: |- + Determines whether to distinguish local origin failures from external + errors. If set to true the following configuration parameters are taken + into account: detectors.localOriginFailures.consecutive + type: boolean + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. 
+ properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshes.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshes.yaml new file mode 100644 index 0000000000..0e1e98b3bd --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshes.yaml 
@@ -0,0 +1,52 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshes.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: Mesh + listKind: MeshList + plural: meshes + shortNames: + - m + singular: mesh + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma Mesh resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshexternalservices.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshexternalservices.yaml new file mode 100644 index 0000000000..cddf533de8 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshexternalservices.yaml 
@@ -0,0 +1,350 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshexternalservices.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshExternalService + listKind: MeshExternalServiceList + plural: meshexternalservices + shortNames: + - extsvc + singular: meshexternalservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.addresses[0].hostname + name: Hostname + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshExternalService represents external services (outside the + mesh) that mesh services can communicate with securely. It enables mesh + services to reach external APIs, databases, or third-party services by defining + endpoints, ports, protocols, and optional TLS configuration for secure outbound + connections with hostname-based routing support. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshExternalService + resource. + properties: + endpoints: + description: Endpoints defines a list of destinations to send traffic + to. 
+ items: + properties: + address: + description: Address defines an address to which a user want + to send a request. Is possible to provide `domain`, `ip`. + example: example.com + minLength: 1 + type: string + port: + description: Port of the endpoint + format: int32 + maximum: 65535 + minimum: 1 + type: integer + priority: + description: |- + Priority maps to Envoy's priority levels to enable endpoint failover. + Lower values have higher priority (0 is the default/primary). + When the primary endpoints become unhealthy, traffic fails over to the next priority level. + format: int32 + maximum: 128 + minimum: 0 + type: integer + required: + - address + - port + type: object + type: array + extension: + description: Extension struct for a plugin configuration, in the presence + of an extension `endpoints` and `tls` are not required anymore - + it's up to the extension to validate them independently. + properties: + config: + description: Config freeform configuration for the extension. + x-kubernetes-preserve-unknown-fields: true + type: + description: Type of the extension. + type: string + required: + - type + type: object + match: + description: Match defines traffic that should be routed through the + sidecar. + properties: + port: + description: Port defines a port to which a user does request. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: tcp + description: 'Protocol defines a protocol of the communication. + Possible values: `tcp`, `grpc`, `http`, `http2`.' + enum: + - tcp + - grpc + - http + - http2 + type: string + type: + default: HostnameGenerator + description: Type of the match, only `HostnameGenerator` is available + at the moment. 
+ enum: + - HostnameGenerator + type: string + required: + - port + type: object + tls: + description: Tls provides a TLS configuration when proxy is resposible + for a TLS origination + properties: + allowRenegotiation: + default: false + description: |- + AllowRenegotiation defines if TLS sessions will allow renegotiation. + Setting this to true is not recommended for security reasons. + type: boolean + enabled: + default: false + description: Enabled defines if proxy should originate TLS. + type: boolean + verification: + description: Verification section for providing TLS verification + details. + properties: + caCert: + description: CaCert defines a certificate of CA. + properties: + inline: + description: Data source is inline bytes. + format: byte + type: string + inlineString: + description: Data source is inline string` + type: string + secret: + description: Data source is a secret with given Secret + key. + type: string + type: object + clientCert: + description: ClientCert defines a certificate of a client. + properties: + inline: + description: Data source is inline bytes. + format: byte + type: string + inlineString: + description: Data source is inline string` + type: string + secret: + description: Data source is a secret with given Secret + key. + type: string + type: object + clientKey: + description: ClientKey defines a client private key. + properties: + inline: + description: Data source is inline bytes. + format: byte + type: string + inlineString: + description: Data source is inline string` + type: string + secret: + description: Data source is a secret with given Secret + key. + type: string + type: object + mode: + default: Secured + description: Mode defines if proxy should skip verification, + one of `SkipSAN`, `SkipCA`, `Secured`, `SkipAll`. Default + `Secured`. + enum: + - SkipSAN + - SkipCA + - Secured + - SkipAll + type: string + serverName: + description: ServerName overrides the default Server Name + Indicator set by Kuma. 
+ type: string + subjectAltNames: + description: SubjectAltNames list of names to verify in the + certificate. + items: + properties: + type: + default: Exact + description: 'Type specifies matching type, one of `Exact`, + `Prefix`. Default: `Exact`' + enum: + - Exact + - Prefix + type: string + value: + description: Value to match. + type: string + required: + - value + type: object + type: array + type: object + version: + description: Version section for providing version specification. + properties: + max: + default: TLSAuto + description: Max defines maximum supported version. One of + `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. + enum: + - TLSAuto + - TLS10 + - TLS11 + - TLS12 + - TLS13 + type: string + min: + default: TLSAuto + description: Min defines minimum supported version. One of + `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. + enum: + - TLSAuto + - TLS10 + - TLS11 + - TLS12 + - TLS13 + type: string + type: object + type: object + required: + - match + type: object + status: + description: Status is the current status of the Kuma MeshExternalService + resource. + properties: + addresses: + description: Addresses section for generated domains + items: + properties: + hostname: + type: string + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + origin: + type: string + type: object + type: array + hostnameGenerators: + items: + properties: + conditions: + description: Conditions is an array of hostname generator conditions. + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. 
+ The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + required: + - hostnameGeneratorRef + type: object + type: array + vip: + description: Vip section for allocated IP + properties: + ip: + description: Value allocated IP for a provided domain with `HostnameGenerator` + type in a match section. + type: string + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshfaultinjections.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshfaultinjections.yaml new file mode 100644 index 0000000000..86ac2d654d --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshfaultinjections.yaml 
@@ -0,0 +1,563 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshfaultinjections.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshFaultInjection + listKind: MeshFaultInjectionList + plural: meshfaultinjections + shortNames: + - mfi + singular: meshfaultinjection + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshFaultInjection allows you to test the resiliency of your + services by injecting faults like delays, connection aborts, and response + bandwidth limits into the traffic. This is useful for chaos testing and + validating that your applications handle failures gracefully. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshFaultInjection + resource. 
+ properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + http: + description: Http allows to define list of Http faults between + dataplanes. + items: + description: FaultInjection defines the configuration + of faults between dataplanes. + properties: + abort: + description: |- + Abort defines a configuration of not delivering requests to destination + service and replacing the responses from destination dataplane by + predefined status code + properties: + httpStatus: + description: HTTP status code which will be returned + to source side + format: int32 + type: integer + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which abort will be injected, has to be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + required: + - httpStatus + - percentage + type: object + delay: + description: Delay defines configuration of delaying + a response from a destination + properties: + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which delay will be injected, has to be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + value: + description: The duration during which the response + will be delayed + type: string + required: + - percentage + - value + type: object + responseBandwidth: + description: |- + ResponseBandwidth defines a configuration to limit the speed of + responding to the requests + properties: + limit: + description: |- + Limit is represented by value measure in Gbps, Mbps, kbps, e.g. 
+ 10kbps + type: string + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which response bandwidth limit will be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + required: + - limit + - percentage + type: object + type: object + type: array + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. 
Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + rules: + description: Rules defines inbound fault injection configuration + items: + properties: + default: + description: Default defines fault configuration + properties: + http: + description: Http allows to define list of Http faults between + dataplanes. + items: + description: FaultInjection defines the configuration + of faults between dataplanes. + properties: + abort: + description: |- + Abort defines a configuration of not delivering requests to destination + service and replacing the responses from destination dataplane by + predefined status code + properties: + httpStatus: + description: HTTP status code which will be returned + to source side + format: int32 + type: integer + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which abort will be injected, has to be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + required: + - httpStatus + - percentage + type: object + delay: + description: Delay defines configuration of delaying + a response from a destination + properties: + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which delay will be injected, has to be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + value: + description: The duration during which the response + will be delayed + type: string + required: + - percentage + - value + type: object + responseBandwidth: + description: |- + ResponseBandwidth defines a configuration to limit the speed of + responding to the requests + properties: + limit: + description: |- + Limit is represented by value measure in Gbps, Mbps, kbps, e.g. 
+ 10kbps + type: string + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which response bandwidth limit will be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + required: + - limit + - percentage + type: object + type: object + type: array + type: object + matches: + description: Matches defines list of matches for which fault + injection will be applied + items: + properties: + sni: + description: SNI defines a matcher configuration for matching + by SNI value carried on the TLS connection + properties: + type: + description: Type defines how to match traffic by + SNI. Only `Exact` is supported. + enum: + - Exact + type: string + value: + description: Value is the SNI carried on the TLS connection + that needs to match for the configuration to be + applied + type: string + required: + - type + - value + type: object + spiffeID: + description: SpiffeID defines a matcher configuration + for SpiffeID matching + properties: + type: + description: Type defines how to match incoming traffic + by SpiffeID. `Exact` or `Prefix` are allowed. + enum: + - Exact + - Prefix + type: string + value: + description: Value is SpiffeID of a client that needs + to match for the configuration to be applied + type: string + required: + - type + - value + type: object + type: object + type: array + required: + - default + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. 
+ properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + to: + description: To list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + http: + description: Http allows to define list of Http faults between + dataplanes. 
+ items: + description: FaultInjection defines the configuration + of faults between dataplanes. + properties: + abort: + description: |- + Abort defines a configuration of not delivering requests to destination + service and replacing the responses from destination dataplane by + predefined status code + properties: + httpStatus: + description: HTTP status code which will be returned + to source side + format: int32 + type: integer + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which abort will be injected, has to be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + required: + - httpStatus + - percentage + type: object + delay: + description: Delay defines configuration of delaying + a response from a destination + properties: + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which delay will be injected, has to be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + value: + description: The duration during which the response + will be delayed + type: string + required: + - percentage + - value + type: object + responseBandwidth: + description: |- + ResponseBandwidth defines a configuration to limit the speed of + responding to the requests + properties: + limit: + description: |- + Limit is represented by value measure in Gbps, Mbps, kbps, e.g. + 10kbps + type: string + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests on which response bandwidth limit will be + either int or decimal represented as string. + x-kubernetes-int-or-string: true + required: + - limit + - percentage + type: object + type: object + type: array + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. 
+ properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgatewayconfigs.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgatewayconfigs.yaml new file mode 100644 index 0000000000..a6275328a2 --- /dev/null 
+++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgatewayconfigs.yaml 
@@ -0,0 +1,227 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshgatewayconfigs.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshGatewayConfig + listKind: MeshGatewayConfigList + plural: meshgatewayconfigs + singular: meshgatewayconfig + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + MeshGatewayConfig holds the configuration of a MeshGateway. A + GatewayClass can refer to a MeshGatewayConfig via parametersRef. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: MeshGatewayConfigSpec specifies the options available for + a Kuma MeshGateway. + properties: + crossMesh: + description: |- + CrossMesh specifies whether listeners configured by this gateway are + cross mesh listeners. + type: boolean + podTemplate: + description: PodTemplate configures the Pod owned by this config. + properties: + metadata: + description: Metadata holds metadata configuration for a Service. + properties: + annotations: + additionalProperties: + type: string + description: Annotations holds annotations to be set on an + object. 
+ type: object + labels: + additionalProperties: + type: string + description: Labels holds labels to be set on an objects. + type: object + type: object + spec: + description: Spec holds some customizable fields of a Pod. + properties: + container: + description: Container corresponds to PodSpec.Container + properties: + securityContext: + description: ContainerSecurityContext corresponds to PodSpec.Container.SecurityContext + properties: + readOnlyRootFilesystem: + description: ReadOnlyRootFilesystem corresponds to + PodSpec.Container.SecurityContext.ReadOnlyRootFilesystem + type: boolean + type: object + type: object + securityContext: + description: PodSecurityContext corresponds to PodSpec.SecurityContext + properties: + fsGroup: + description: FSGroup corresponds to PodSpec.SecurityContext.FSGroup + format: int64 + type: integer + type: object + serviceAccountName: + description: ServiceAccountName corresponds to PodSpec.ServiceAccountName. + type: string + type: object + type: object + replicas: + default: 1 + description: |- + Replicas is the number of dataplane proxy replicas to create. For + now this is a fixed number, but in the future it could be + automatically scaled based on metrics. + format: int32 + minimum: 1 + type: integer + resources: + description: |- + Resources specifies the compute resources for the proxy container. + The default can be set in the control plane config. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. 
+ type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + serviceTemplate: + description: ServiceTemplate configures the Service owned by this + config. + properties: + metadata: + description: Metadata holds metadata configuration for a Service. + properties: + annotations: + additionalProperties: + type: string + description: Annotations holds annotations to be set on an + object. + type: object + labels: + additionalProperties: + type: string + description: Labels holds labels to be set on an objects. + type: object + type: object + spec: + description: Spec holds some customizable fields of a Service. 
+ properties: + loadBalancerIP: + description: LoadBalancerIP corresponds to ServiceSpec.LoadBalancerIP. + type: string + type: object + type: object + serviceType: + default: LoadBalancer + description: |- + ServiceType specifies the type of managed Service that will be + created to expose the dataplane proxies to traffic from outside + the cluster. The ports to expose will be taken from the matching Gateway + resource. If there is no matching Gateway, the managed Service will + be deleted. + enum: + - LoadBalancer + - ClusterIP + - NodePort + type: string + tags: + additionalProperties: + type: string + description: |- + Tags specifies a set of Kuma tags that are included in the + MeshGatewayInstance and thus propagated to every Dataplane generated to + serve the MeshGateway. + These tags should include a maximum of one `kuma.io/service` tag. + type: object + type: object + status: + description: |- + MeshGatewayConfigStatus holds information about the status of the gateway + instance. + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgatewayinstances.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgatewayinstances.yaml new file mode 100644 index 0000000000..d398857523 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgatewayinstances.yaml 
@@ -0,0 +1,356 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshgatewayinstances.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshGatewayInstance + listKind: MeshGatewayInstanceList + plural: meshgatewayinstances + singular: meshgatewayinstance + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + MeshGatewayInstance represents a managed instance of a dataplane proxy for a Kuma + Gateway. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: MeshGatewayInstanceSpec specifies the options available for + a GatewayDataplane. + properties: + podTemplate: + description: PodTemplate configures the Pod owned by this config. + properties: + metadata: + description: Metadata holds metadata configuration for a Service. + properties: + annotations: + additionalProperties: + type: string + description: Annotations holds annotations to be set on an + object. + type: object + labels: + additionalProperties: + type: string + description: Labels holds labels to be set on an objects. + type: object + type: object + spec: + description: Spec holds some customizable fields of a Pod. 
+ properties: + container: + description: Container corresponds to PodSpec.Container + properties: + securityContext: + description: ContainerSecurityContext corresponds to PodSpec.Container.SecurityContext + properties: + readOnlyRootFilesystem: + description: ReadOnlyRootFilesystem corresponds to + PodSpec.Container.SecurityContext.ReadOnlyRootFilesystem + type: boolean + type: object + type: object + securityContext: + description: PodSecurityContext corresponds to PodSpec.SecurityContext + properties: + fsGroup: + description: FSGroup corresponds to PodSpec.SecurityContext.FSGroup + format: int64 + type: integer + type: object + serviceAccountName: + description: ServiceAccountName corresponds to PodSpec.ServiceAccountName. + type: string + type: object + type: object + replicas: + default: 1 + description: |- + Replicas is the number of dataplane proxy replicas to create. For + now this is a fixed number, but in the future it could be + automatically scaled based on metrics. + format: int32 + minimum: 1 + type: integer + resources: + description: |- + Resources specifies the compute resources for the proxy container. + The default can be set in the control plane config. + properties: + claims: + description: |- + Claims lists the names of resources, defined in spec.resourceClaims, + that are used by this container. + + This field depends on the + DynamicResourceAllocation feature gate. + + This field is immutable. It can only be set for containers. + items: + description: ResourceClaim references one entry in PodSpec.ResourceClaims. + properties: + name: + description: |- + Name must match the name of one entry in pod.spec.resourceClaims of + the Pod where this field is used. It makes that resource available + inside a container. + type: string + request: + description: |- + Request is the name chosen for a request in the referenced claim. + If empty, everything from the claim is made available, otherwise + only the result of this request. 
+ type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + limits: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Limits describes the maximum amount of compute resources allowed. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + requests: + additionalProperties: + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + description: |- + Requests describes the minimum amount of compute resources required. + If Requests is omitted for a container, it defaults to Limits if that is explicitly specified, + otherwise to an implementation-defined value. Requests cannot exceed Limits. + More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + type: object + type: object + serviceTemplate: + description: ServiceTemplate configures the Service owned by this + config. + properties: + metadata: + description: Metadata holds metadata configuration for a Service. + properties: + annotations: + additionalProperties: + type: string + description: Annotations holds annotations to be set on an + object. + type: object + labels: + additionalProperties: + type: string + description: Labels holds labels to be set on an objects. + type: object + type: object + spec: + description: Spec holds some customizable fields of a Service. + properties: + loadBalancerIP: + description: LoadBalancerIP corresponds to ServiceSpec.LoadBalancerIP. 
+ type: string + type: object + type: object + serviceType: + default: LoadBalancer + description: |- + ServiceType specifies the type of managed Service that will be + created to expose the dataplane proxies to traffic from outside + the cluster. The ports to expose will be taken from the matching Gateway + resource. If there is no matching Gateway, the managed Service will + be deleted. + enum: + - LoadBalancer + - ClusterIP + - NodePort + type: string + tags: + additionalProperties: + type: string + description: |- + Tags specifies the Kuma tags that are propagated to the managed + dataplane proxies. These tags should not include `kuma.io/service` tag + since is auto-generated, and should match exactly one Gateway + resource. + type: object + type: object + status: + description: |- + MeshGatewayInstanceStatus holds information about the status of the gateway + instance. + properties: + conditions: + description: Conditions is an array of gateway instance conditions. + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. 
+ format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + loadBalancer: + description: |- + LoadBalancer contains the current status of the load-balancer, + if one is present. + properties: + ingress: + description: |- + Ingress is a list containing ingress points for the load-balancer. + Traffic intended for the service should be sent to these ingress points. + items: + description: |- + LoadBalancerIngress represents the status of a load-balancer ingress point: + traffic intended for the service should be sent to an ingress point. + properties: + hostname: + description: |- + Hostname is set for load-balancer ingress points that are DNS based + (typically AWS load-balancers) + type: string + ip: + description: |- + IP is set for load-balancer ingress points that are IP based + (typically GCE or OpenStack load-balancers) + type: string + ipMode: + description: |- + IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. 
+ Setting this to "VIP" indicates that traffic is delivered to the node with + the destination set to the load-balancer's IP and port. + Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + the destination set to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust traffic routing. + type: string + ports: + description: |- + Ports is a list of records of service ports + If used, every port defined in the service should have an entry in it + items: + description: PortStatus represents the error condition + of a service port + properties: + error: + description: |- + Error is to record the problem with the service port + The format of the error shall comply with the following rules: + - built-in error values shall be specified in this file and those shall use + CamelCase names + - cloud provider specific error values must have names that comply with the + format foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + port: + description: Port is the port number of the service + port of which status is recorded here + format: int32 + type: integer + protocol: + description: |- + Protocol is the protocol of the service port of which status is recorded here + The supported values are: "TCP", "UDP", "SCTP" + type: string + required: + - error + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgatewayroutes.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgatewayroutes.yaml new file mode 100644 index 0000000000..7c7ecf7c96 --- /dev/null 
+++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgatewayroutes.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshgatewayroutes.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshGatewayRoute + listKind: MeshGatewayRouteList + plural: meshgatewayroutes + singular: meshgatewayroute + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshGatewayRoute resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgateways.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgateways.yaml new file mode 100644 index 0000000000..fadbef4c40 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshgateways.yaml 
@@ -0,0 +1,52 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshgateways.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshGateway + listKind: MeshGatewayList + plural: meshgateways + shortNames: + - mgw + singular: meshgateway + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshGateway resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshglobalratelimits.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshglobalratelimits.yaml new file mode 100644 index 0000000000..195b309122 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshglobalratelimits.yaml 
@@ -0,0 +1,603 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshglobalratelimits.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshGlobalRateLimit + listKind: MeshGlobalRateLimitList + plural: meshglobalratelimits + shortNames: + - mgrl + singular: meshglobalratelimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshGlobalRateLimit + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshGlobalRateLimit + resource. + properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + backend: + description: Backend defines location of rate limit backend + service. 
+ properties: + rateLimitService: + properties: + limitOnServiceFail: + description: LimitOnServiceFail will pass limit + requests if ratelimit service is not reachable. + type: boolean + timeout: + description: Timeout for rate limit request made + form Data Plane Proxy to rate limit service. + type: string + url: + description: Url defines address of rate limit service. + type: string + type: object + required: + - rateLimitService + type: object + http: + properties: + disabled: + description: Define if rate limiting should be disabled. + type: boolean + onRateLimit: + description: Describes the actions to take on a rate + limit event + properties: + headers: + description: The Headers to be added to the HTTP + response on a rate limit event + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + status: + description: The HTTP status code to be set on a + rate limit event + format: int32 + type: integer + type: object + ratelimitOnRequest: + description: Defines rate limit based on request content + items: + properties: + kind: + description: 'Kind defines type of rate limit + config. Possible options: OnHeader.' + enum: + - OnHeader + type: string + limits: + description: Limits defines limit configuration. + items: + properties: + requestRate: + description: Defines how many requests are + allowed per interval. + properties: + interval: + description: The interval the number + of units is accounted for. 
Only 1s, + 1m, 1h or 24h can be configured. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). + format: int32 + type: integer + required: + - interval + - num + type: object + value: + description: Value of the request element + on which rate limit should apply. E.g. + header value. + type: string + required: + - value + type: object + type: array + name: + description: Name of the request element on which + rate limit should apply. E.g. header name. + type: string + required: + - kind + - limits + - name + type: object + type: array + requestRate: + description: Defines how many requests are allowed per + interval. + properties: + interval: + description: The interval the number of units is + accounted for. Only 1s, 1m, 1h or 24h can be configured. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). + format: int32 + type: integer + required: + - interval + - num + type: object + type: object + mode: + description: |- + Mode defines rate limit behavior when limits are reached. Possible options: Limit and Shadow. Setting Shadow will + not block over the limit requests but will update metrics. This is useful for testing rate limit configuration. + enum: + - Limit + - Shadow + type: string + required: + - backend + - http + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. 
Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. 
+ type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + to: + description: To list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + backend: + description: Backend defines location of rate limit backend + service. + properties: + rateLimitService: + properties: + limitOnServiceFail: + description: LimitOnServiceFail will pass limit + requests if ratelimit service is not reachable. + type: boolean + timeout: + description: Timeout for rate limit request made + form Data Plane Proxy to rate limit service. + type: string + url: + description: Url defines address of rate limit service. 
+ type: string + type: object + required: + - rateLimitService + type: object + http: + properties: + disabled: + description: Define if rate limiting should be disabled. + type: boolean + onRateLimit: + description: Describes the actions to take on a rate + limit event + properties: + headers: + description: The Headers to be added to the HTTP + response on a rate limit event + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + status: + description: The HTTP status code to be set on a + rate limit event + format: int32 + type: integer + type: object + ratelimitOnRequest: + description: Defines rate limit based on request content + items: + properties: + kind: + description: 'Kind defines type of rate limit + config. Possible options: OnHeader.' + enum: + - OnHeader + type: string + limits: + description: Limits defines limit configuration. + items: + properties: + requestRate: + description: Defines how many requests are + allowed per interval. + properties: + interval: + description: The interval the number + of units is accounted for. Only 1s, + 1m, 1h or 24h can be configured. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). + format: int32 + type: integer + required: + - interval + - num + type: object + value: + description: Value of the request element + on which rate limit should apply. E.g. 
+ header value. + type: string + required: + - value + type: object + type: array + name: + description: Name of the request element on which + rate limit should apply. E.g. header name. + type: string + required: + - kind + - limits + - name + type: object + type: array + requestRate: + description: Defines how many requests are allowed per + interval. + properties: + interval: + description: The interval the number of units is + accounted for. Only 1s, 1m, 1h or 24h can be configured. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). + format: int32 + type: integer + required: + - interval + - num + type: object + type: object + mode: + description: |- + Mode defines rate limit behavior when limits are reached. Possible options: Limit and Shadow. Setting Shadow will + not block over the limit requests but will update metrics. This is useful for testing rate limit configuration. + enum: + - Limit + - Shadow + type: string + required: + - backend + - http + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. 
Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshhealthchecks.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshhealthchecks.yaml new file mode 100644 index 0000000000..225a25ae8e --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshhealthchecks.yaml 
@@ -0,0 +1,397 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshhealthchecks.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshHealthCheck + listKind: MeshHealthCheckList + plural: meshhealthchecks + shortNames: + - mhc + singular: meshhealthcheck + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshHealthCheck enables active health checking of services in + the mesh. It periodically probes service endpoints using TCP, HTTP, or gRPC + health checks to detect and remove unhealthy instances from the load balancing + pool, improving overall service reliability. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshHealthCheck resource. + properties: + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. 
+ properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + to: + description: To list makes a match between the consumed services and + corresponding configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + alwaysLogHealthCheckFailures: + description: |- + If set to true, health check failure events will always be logged. 
If set + to false, only the initial health check failure event will be logged. The + default value is false. + type: boolean + eventLogPath: + description: |- + Specifies the path to the file where Envoy can log health check events. + If empty, no event log will be written. + type: string + failTrafficOnPanic: + description: |- + If set to true, Envoy will not consider any hosts when the cluster is in + 'panic mode'. Instead, the cluster will fail all requests as if all hosts + are unhealthy. This can help avoid potentially overwhelming a failing + service. + type: boolean + grpc: + description: |- + GrpcHealthCheck defines gRPC configuration which will instruct the service + the health check will be made for is a gRPC service. + properties: + authority: + description: |- + The value of the :authority header in the gRPC health check request, + by default name of the cluster this health check is associated with + type: string + disabled: + description: If true the GrpcHealthCheck is disabled + type: boolean + serviceName: + description: Service name parameter which will be sent + to gRPC service + type: string + type: object + healthyPanicThreshold: + anyOf: + - type: integer + - type: string + description: |- + Allows to configure panic threshold for Envoy cluster. If not specified, + the default is 50%. To disable panic mode, set to 0%. + Either int or decimal represented as string. + + Deprecated: the setting has been moved to MeshCircuitBreaker policy, + please use MeshCircuitBreaker policy instead. + x-kubernetes-int-or-string: true + healthyThreshold: + description: |- + Number of consecutive healthy checks before considering a host healthy. + If not specified then the default value is 1 + format: int32 + type: integer + http: + description: |- + HttpHealthCheck defines HTTP configuration which will instruct the service + the health check will be made for is an HTTP service. 
+ properties: + disabled: + description: If true the HttpHealthCheck is disabled + type: boolean + expectedStatuses: + description: List of HTTP response statuses which are + considered healthy + items: + format: int32 + type: integer + type: array + path: + description: |- + The HTTP path which will be requested during the health check + (ie. /health) + If not specified then the default value is "/" + type: string + requestHeadersToAdd: + description: |- + The list of HTTP headers which should be added to each health check + request + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + initialJitter: + description: |- + If specified, Envoy will start health checking after a random time in + ms between 0 and initialJitter. This only applies to the first health + check. + type: string + interval: + description: |- + Interval between consecutive health checks. + If not specified then the default value is 1m + type: string + intervalJitter: + description: |- + If specified, during every interval Envoy will add IntervalJitter to the + wait time. + type: string + intervalJitterPercent: + description: |- + If specified, during every interval Envoy will add IntervalJitter * + IntervalJitterPercent / 100 to the wait time. If IntervalJitter and + IntervalJitterPercent are both set, both of them will be used to + increase the wait time. 
+ format: int32 + type: integer + noTrafficInterval: + description: |- + The "no traffic interval" is a special health check interval that is used + when a cluster has never had traffic routed to it. This lower interval + allows cluster information to be kept up to date, without sending a + potentially large amount of active health checking traffic for no reason. + Once a cluster has been used for traffic routing, Envoy will shift back + to using the standard health check interval that is defined. Note that + this interval takes precedence over any other. The default value for "no + traffic interval" is 60 seconds. + type: string + reuseConnection: + description: Reuse health check connection between health + checks. Default is true. + type: boolean + tcp: + description: |- + TcpHealthCheck defines configuration for specifying bytes to send and + expected response during the health check + properties: + disabled: + description: If true the TcpHealthCheck is disabled + type: boolean + receive: + description: |- + List of Base64 encoded blocks of strings expected as a response. When checking the response, + "fuzzy" matching is performed such that each block must be found, and + in the order specified, but not necessarily contiguous. + If not provided or empty, checks will be performed as "connect only" and be marked as successful when TCP connection is successfully established. + items: + type: string + type: array + send: + description: Base64 encoded content of the message which + will be sent during the health check to the target + type: string + type: object + timeout: + description: |- + Maximum time to wait for a health check response. + If not specified then the default value is 15s + type: string + unhealthyThreshold: + description: |- + Number of consecutive unhealthy checks before considering a host + unhealthy. 
+ If not specified then the default value is 5 + format: int32 + type: integer + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} 
diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshhttproutes.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshhttproutes.yaml new file mode 100644 index 0000000000..577f8fbb6e --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshhttproutes.yaml 
@@ -0,0 +1,687 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshhttproutes.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshHTTPRoute + listKind: MeshHTTPRouteList + plural: meshhttproutes + shortNames: + - mhttpr + singular: meshhttproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + NOTICE: This policy defines its own `GetDefault` method so that it can have the given + structure for deserialization but still use the generic policy merging + machinery. + // + MeshHTTPRoute configures how HTTP requests are routed between services in the mesh. It enables advanced traffic management including path-based routing, header matching, request/response modification, redirects, URL rewrites, traffic mirroring, and weighted load balancing across service endpoints. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshHTTPRoute resource. 
+ properties: + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + to: + description: To matches destination services of requests and holds + configuration. 
+ items: + properties: + hostnames: + description: |- + Hostnames is only valid when targeting MeshGateway and limits the + effects of the rules to requests to this hostname. + Given hostnames must intersect with the hostname of the listeners the + route attaches to. + items: + type: string + type: array + rules: + description: |- + Rules contains the routing rules applies to a combination of top-level + targetRef and the targetRef in this entry. + items: + properties: + default: + description: |- + Default holds routing rules that can be merged with rules from other + policies. + properties: + backendRefs: + items: + description: BackendRef defines where to forward + traffic. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use + to identify cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + port: + description: Port is only supported when this + ref refers to a real MeshService object + format: int32 + type: integer + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. 
+ items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + weight: + default: 1 + minimum: 0 + type: integer + required: + - kind + type: object + type: array + filters: + items: + properties: + requestHeaderModifier: + description: |- + Only one action is supported per header name. + Configuration to set or add multiple values for a header must use RFC 7230 + header value formatting, separating each value with a comma. + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + items: + type: string + maxItems: 16 + type: array + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + properties: + backendRef: + description: BackendRef defines where to + forward traffic. 
+ properties: + kind: + description: Kind of the referenced + resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future + use to identify cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + port: + description: Port is only supported + when this ref refers to a real MeshService + object + format: int32 + type: integer + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + weight: + default: 1 + minimum: 0 + type: integer + required: + - kind + type: object + percentage: + anyOf: + - type: integer + - type: string + description: |- + Percentage of requests to mirror. If not specified, all requests + to the target cluster will be mirrored. 
+ x-kubernetes-int-or-string: true + required: + - backendRef + type: object + requestRedirect: + properties: + hostname: + description: |- + PreciseHostname is the fully qualified domain name of a network host. This + matches the RFC 1123 definition of a hostname with 1 notable exception that + numeric IP addresses are not allowed. + + Note that as per RFC1035 and RFC1123, a *label* must consist of lower case + alphanumeric characters or '-', and must start and end with an alphanumeric + character. No other punctuation is allowed. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: |- + Path defines parameters used to modify the path of the incoming request. + The modified path is then used to construct the location header. + When empty, the request path is used as-is. + properties: + replaceFullPath: + type: string + replacePrefixMatch: + type: string + type: + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: |- + Port is the port to be used in the value of the `Location` + header in the response. + When empty, port (if specified) of the request is used. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + enum: + - http + - https + type: string + statusCode: + default: 302 + description: StatusCode is the HTTP status + code to be used in response. + enum: + - 301 + - 302 + - 303 + - 307 + - 308 + type: integer + type: object + responseHeaderModifier: + description: |- + Only one action is supported per header name. + Configuration to set or add multiple values for a header must use RFC 7230 + header value formatting, separating each value with a comma. 
+ properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + items: + type: string + maxItems: 16 + type: array + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + - URLRewrite + - RequestMirror + type: string + urlRewrite: + properties: + hostToBackendHostname: + description: |- + HostToBackendHostname rewrites the hostname to the hostname of the + upstream host. This option is only available when targeting MeshGateways. + type: boolean + hostname: + description: Hostname is the value to be + used to replace the host header value + during forwarding. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: Path defines a path rewrite. + properties: + replaceFullPath: + type: string + replacePrefixMatch: + type: string + type: + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + type: array + type: object + matches: + description: |- + Matches describes how to match HTTP requests this rule should be applied + to. + items: + properties: + headers: + items: + description: |- + HeaderMatch describes how to select an HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. 
Name MUST be lower case + as they will be handled with case insensitivity (See https://tools.ietf.org/html/rfc7230#section-3.2). + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - Present + - RegularExpression + - Absent + - Prefix + type: string + value: + description: Value is the value of HTTP Header + to be matched. + type: string + required: + - name + type: object + type: array + method: + enum: + - CONNECT + - DELETE + - GET + - HEAD + - OPTIONS + - PATCH + - POST + - PUT + - TRACE + type: string + path: + properties: + type: + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + description: |- + Exact or prefix matches must be an absolute path. A prefix matches only + if separated by a slash or the entire path. + minLength: 1 + type: string + required: + - type + - value + type: object + queryParams: + description: |- + QueryParams matches based on HTTP URL query parameters. Multiple matches + are ANDed together such that all listed matches must succeed. + items: + properties: + name: + minLength: 1 + type: string + type: + enum: + - Exact + - RegularExpression + type: string + value: + type: string + required: + - name + - type + - value + type: object + type: array + type: object + minItems: 1 + type: array + required: + - default + - matches + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + request destinations. 
+ properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - rules + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshidentities.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshidentities.yaml new file mode 100644 index 0000000000..13d466442e --- /dev/null 
+++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshidentities.yaml 
@@ -0,0 +1,285 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshidentities.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshIdentity + listKind: MeshIdentityList + plural: meshidentities + shortNames: + - mid + singular: meshidentity + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshIdentity manages service identity and certificate provisioning + for workloads in the mesh. It configures how services obtain their identity + certificates, supporting multiple providers including bundled certificates + (self-signed or user-provided CA), SPIRE integration, and custom SPIFFE + ID configuration for secure service-to-service authentication. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshIdentity resource. + properties: + provider: + properties: + bundled: + description: |- + Bundled provides information about certificates that are generated by the control plane, + either autogenerated or provided by the user. + properties: + autogenerate: + description: Autogenerate configures the control plane to + use self-signed certificates. 
+ properties: + enabled: + type: boolean + type: object + ca: + description: CA has configuration related to the CA + properties: + certificate: + description: Certificate allows the user to specify a + custom certificate. + properties: + envVar: + properties: + name: + type: string + required: + - name + type: object + file: + properties: + path: + type: string + required: + - path + type: object + insecureInline: + properties: + value: + type: string + required: + - value + type: object + secretRef: + properties: + kind: + enum: + - Secret + type: string + name: + type: string + required: + - kind + - name + type: object + type: + enum: + - File + - Secret + - EnvVar + - InsecureInline + type: string + required: + - type + type: object + privateKey: + description: PrivateKey allows the user to specify a custom + private key. + properties: + envVar: + properties: + name: + type: string + required: + - name + type: object + file: + properties: + path: + type: string + required: + - path + type: object + insecureInline: + properties: + value: + type: string + required: + - value + type: object + secretRef: + properties: + kind: + enum: + - Secret + type: string + name: + type: string + required: + - kind + - name + type: object + type: + enum: + - File + - Secret + - EnvVar + - InsecureInline + type: string + required: + - type + type: object + type: object + certificateParameters: + description: CertificateParameters allows users to define + certificate generation parameters. + properties: + expiry: + type: string + type: object + insecureAllowSelfSigned: + description: InsecureAllowSelfSigned allows users to enable + the use of self-signed certificates. + type: boolean + meshTrustCreation: + description: |- + MeshTrustCreation defines whether a MeshTrust resource should be automatically created + from an existing MeshIdentity. If not defined, the control plane automatically generates a MeshTrust. 
+ enum: + - Enabled + - Disabled + type: string + type: object + extension: + description: Extension indicates that custom provider is used. + properties: + config: + description: Config is a freeform configuration for the extension. + x-kubernetes-preserve-unknown-fields: true + name: + description: Name is the name of the extension provider. + type: string + required: + - name + type: object + spire: + description: Spire indicates that SPIRE is used for certificate + delivery. + properties: + agent: + description: Spire agent configuration + properties: + timeout: + description: |- + Connection timeout to the socket exposed by Spire agent + Default 1 second. + type: string + type: object + type: object + type: + description: Type specifies the type of certificate provider. + enum: + - Bundled + - Spire + - Extension + type: string + required: + - type + type: object + selector: + properties: + dataplane: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + type: object + spiffeID: + properties: + path: + type: string + trustDomain: + type: string + type: object + type: object + status: + description: Status is the current status of the Kuma MeshIdentity resource. + properties: + conditions: + description: Conditions is an array of hostname generator conditions. + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshinsights.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshinsights.yaml new file mode 100644 index 0000000000..254a35c0f5 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshinsights.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshinsights.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshInsight + listKind: MeshInsightList + plural: meshinsights + singular: meshinsight + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshInsight resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshloadbalancingstrategies.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshloadbalancingstrategies.yaml new file mode 100644 index 0000000000..aca969d9a0 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshloadbalancingstrategies.yaml 
@@ -0,0 +1,670 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshloadbalancingstrategies.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshLoadBalancingStrategy + listKind: MeshLoadBalancingStrategyList + plural: meshloadbalancingstrategies + shortNames: + - mlbs + singular: meshloadbalancingstrategy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshLoadBalancingStrategy configures how traffic is distributed + across service instances. It supports multiple load balancing algorithms + (round-robin, least request, ring hash, random, maglev), locality-aware + routing to prefer nearby instances, and cross-zone failover strategies for + high availability. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshLoadBalancingStrategy + resource. + properties: + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. 
+ The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. 
Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + to: + description: To list makes a match between the consumed services and + corresponding configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + hashPolicies: + description: |- + HashPolicies specify a list of request/connection properties that are used to calculate a hash. + These hash policies are executed in the specified order. If a hash policy has the “terminal” attribute + set to true, and there is already a hash generated, the hash is returned immediately, + ignoring the rest of the hash policy list. + items: + properties: + connection: + properties: + sourceIP: + description: Hash on source IP address. + type: boolean + type: object + cookie: + properties: + name: + description: The name of the cookie that will + be used to obtain the hash key. + minLength: 1 + type: string + path: + description: The name of the path for the cookie. + type: string + ttl: + description: If specified, a cookie with the TTL + will be generated if the cookie is not present. + type: string + required: + - name + type: object + filterState: + properties: + key: + description: |- + The name of the Object in the per-request filterState, which is + an Envoy::Hashable object. If there is no data associated with the key, + or the stored object is not Envoy::Hashable, no hash will be produced. + minLength: 1 + type: string + required: + - key + type: object + header: + properties: + name: + description: The name of the request header that + will be used to obtain the hash key. + minLength: 1 + type: string + required: + - name + type: object + queryParameter: + properties: + name: + description: |- + The name of the URL query parameter that will be used to obtain the hash key. + If the parameter is not present, no hash will be produced. 
Query parameter names + are case-sensitive. + minLength: 1 + type: string + required: + - name + type: object + terminal: + description: |- + Terminal is a flag that short-circuits the hash computing. This field provides + a ‘fallback’ style of configuration: “if a terminal policy doesn’t work, fallback + to rest of the policy list”, it saves time when the terminal policy works. + If true, and there is already a hash computed, ignore rest of the list of hash polices. + type: boolean + type: + enum: + - Header + - Cookie + - Connection + - SourceIP + - QueryParameter + - FilterState + type: string + required: + - type + type: object + type: array + loadBalancer: + description: LoadBalancer allows to specify load balancing + algorithm. + properties: + leastRequest: + description: |- + LeastRequest selects N random available hosts as specified in 'choiceCount' (2 by default) + and picks the host which has the fewest active requests + properties: + activeRequestBias: + anyOf: + - type: integer + - type: string + description: |- + ActiveRequestBias refers to dynamic weights applied when hosts have varying load + balancing weights. A higher value here aggressively reduces the weight of endpoints + that are currently handling active requests. In essence, the higher the ActiveRequestBias + value, the more forcefully it reduces the load balancing weight of endpoints that are + actively serving requests. + x-kubernetes-int-or-string: true + choiceCount: + description: |- + ChoiceCount is the number of random healthy hosts from which the host with + the fewest active requests will be chosen. Defaults to 2 so that Envoy performs + two-choice selection if the field is not set. + format: int32 + minimum: 2 + type: integer + type: object + maglev: + description: |- + Maglev implements consistent hashing to upstream hosts. Maglev can be used as + a drop in replacement for the ring hash load balancer any place in which + consistent hashing is desired. 
+ properties: + hashPolicies: + description: |- + HashPolicies specify a list of request/connection properties that are used to calculate a hash. + These hash policies are executed in the specified order. If a hash policy has the “terminal” attribute + set to true, and there is already a hash generated, the hash is returned immediately, + ignoring the rest of the hash policy list. + items: + properties: + connection: + properties: + sourceIP: + description: Hash on source IP address. + type: boolean + type: object + cookie: + properties: + name: + description: The name of the cookie that + will be used to obtain the hash key. + minLength: 1 + type: string + path: + description: The name of the path for + the cookie. + type: string + ttl: + description: If specified, a cookie with + the TTL will be generated if the cookie + is not present. + type: string + required: + - name + type: object + filterState: + properties: + key: + description: |- + The name of the Object in the per-request filterState, which is + an Envoy::Hashable object. If there is no data associated with the key, + or the stored object is not Envoy::Hashable, no hash will be produced. + minLength: 1 + type: string + required: + - key + type: object + header: + properties: + name: + description: The name of the request header + that will be used to obtain the hash + key. + minLength: 1 + type: string + required: + - name + type: object + queryParameter: + properties: + name: + description: |- + The name of the URL query parameter that will be used to obtain the hash key. + If the parameter is not present, no hash will be produced. Query parameter names + are case-sensitive. + minLength: 1 + type: string + required: + - name + type: object + terminal: + description: |- + Terminal is a flag that short-circuits the hash computing. 
This field provides + a ‘fallback’ style of configuration: “if a terminal policy doesn’t work, fallback + to rest of the policy list”, it saves time when the terminal policy works. + If true, and there is already a hash computed, ignore rest of the list of hash polices. + type: boolean + type: + enum: + - Header + - Cookie + - Connection + - SourceIP + - QueryParameter + - FilterState + type: string + required: + - type + type: object + type: array + tableSize: + description: |- + The table size for Maglev hashing. Maglev aims for “minimal disruption” + rather than an absolute guarantee. Minimal disruption means that when + the set of upstream hosts change, a connection will likely be sent + to the same upstream as it was before. Increasing the table size reduces + the amount of disruption. The table size must be prime number limited to 5000011. + If it is not specified, the default is 65537. + format: int32 + maximum: 5000011 + minimum: 1 + type: integer + type: object + random: + description: |- + Random selects a random available host. The random load balancer generally + performs better than round-robin if no health checking policy is configured. + Random selection avoids bias towards the host in the set that comes after a failed host. + type: object + ringHash: + description: |- + RingHash implements consistent hashing to upstream hosts. Each host is mapped + onto a circle (the “ring”) by hashing its address; each request is then routed + to a host by hashing some property of the request, and finding the nearest + corresponding host clockwise around the ring. + properties: + hashFunction: + description: |- + HashFunction is a function used to hash hosts onto the ketama ring. + The value defaults to XX_HASH. Available values – XX_HASH, MURMUR_HASH_2. + enum: + - XXHash + - MurmurHash2 + type: string + hashPolicies: + description: |- + HashPolicies specify a list of request/connection properties that are used to calculate a hash. 
+ These hash policies are executed in the specified order. If a hash policy has the “terminal” attribute + set to true, and there is already a hash generated, the hash is returned immediately, + ignoring the rest of the hash policy list. + items: + properties: + connection: + properties: + sourceIP: + description: Hash on source IP address. + type: boolean + type: object + cookie: + properties: + name: + description: The name of the cookie that + will be used to obtain the hash key. + minLength: 1 + type: string + path: + description: The name of the path for + the cookie. + type: string + ttl: + description: If specified, a cookie with + the TTL will be generated if the cookie + is not present. + type: string + required: + - name + type: object + filterState: + properties: + key: + description: |- + The name of the Object in the per-request filterState, which is + an Envoy::Hashable object. If there is no data associated with the key, + or the stored object is not Envoy::Hashable, no hash will be produced. + minLength: 1 + type: string + required: + - key + type: object + header: + properties: + name: + description: The name of the request header + that will be used to obtain the hash + key. + minLength: 1 + type: string + required: + - name + type: object + queryParameter: + properties: + name: + description: |- + The name of the URL query parameter that will be used to obtain the hash key. + If the parameter is not present, no hash will be produced. Query parameter names + are case-sensitive. + minLength: 1 + type: string + required: + - name + type: object + terminal: + description: |- + Terminal is a flag that short-circuits the hash computing. This field provides + a ‘fallback’ style of configuration: “if a terminal policy doesn’t work, fallback + to rest of the policy list”, it saves time when the terminal policy works. + If true, and there is already a hash computed, ignore rest of the list of hash polices. 
+ type: boolean + type: + enum: + - Header + - Cookie + - Connection + - SourceIP + - QueryParameter + - FilterState + type: string + required: + - type + type: object + type: array + maxRingSize: + description: |- + Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries, + but can be lowered to further constrain resource use. + format: int32 + maximum: 8000000 + minimum: 1 + type: integer + minRingSize: + description: |- + Minimum hash ring size. The larger the ring is (that is, + the more hashes there are for each provided host) the better the request distribution + will reflect the desired weights. Defaults to 1024 entries, and limited to 8M entries. + format: int32 + maximum: 8000000 + minimum: 1 + type: integer + type: object + roundRobin: + description: |- + RoundRobin is a load balancing algorithm that distributes requests + across available upstream hosts in round-robin order. + type: object + type: + enum: + - RoundRobin + - LeastRequest + - RingHash + - Random + - Maglev + type: string + required: + - type + type: object + localityAwareness: + description: LocalityAwareness contains configuration for + locality aware load balancing. 
+ properties: + crossZone: + description: |- + CrossZone defines locality aware load balancing priorities when dataplane proxies inside local zone + are unavailable + properties: + failover: + description: Failover defines list of load balancing + rules in order of priority + items: + properties: + from: + description: From defines the list of zones + to which the rule applies + properties: + zones: + items: + type: string + type: array + required: + - zones + type: object + to: + description: To defines to which zones the + traffic should be load balanced + properties: + type: + description: Type defines how target zones + will be picked from available zones + enum: + - None + - Only + - Any + - AnyExcept + type: string + zones: + items: + type: string + type: array + required: + - type + type: object + required: + - to + type: object + type: array + failoverThreshold: + description: |- + FailoverThreshold defines the percentage of live destination dataplane proxies below which load balancing to the + next priority starts. + Example: If you configure failoverThreshold to 70, and you have deployed 10 destination dataplane proxies. + Load balancing to next priority will start when number of live destination dataplane proxies drops below 7. + Default 50 + properties: + percentage: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - percentage + type: object + type: object + disabled: + description: |- + Disabled allows to disable locality-aware load balancing. + When disabled requests are distributed across all endpoints regardless of locality. + type: boolean + localZone: + description: LocalZone defines locality aware load balancing + priorities between dataplane proxies inside a zone + properties: + affinityTags: + description: AffinityTags list of tags for local + zone load balancing. 
+ items: + properties: + key: + description: Key defines tag for which affinity + is configured + type: string + weight: + description: |- + Weight of the tag used for load balancing. The bigger the weight the bigger the priority. + Percentage of local traffic load balanced to tag is computed by dividing weight by sum of weights from all tags. + For example with two affinity tags first with weight 80 and second with weight 20, + then 80% of traffic will be redirected to the first tag, and 20% of traffic will be redirected to second one. + Setting weights is not mandatory. When weights are not set control plane will compute default weight based on list order. + Default: If you do not specify weight we will adjust them so that 90% traffic goes to first tag, 9% to next, and 1% to third and so on. + format: int32 + type: integer + required: + - key + type: object + type: array + type: object + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. 
+ type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshmetrics.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshmetrics.yaml new file mode 100644 index 0000000000..bc15e2b7b1 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshmetrics.yaml 
@@ -0,0 +1,361 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshmetrics.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshMetric + listKind: MeshMetricList + plural: meshmetrics + shortNames: + - mm + singular: meshmetric + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshMetric enables collection and export of service mesh metrics. + It configures sidecar and application metrics scraping, allows customization + of which metrics are published, and supports exporting to Prometheus or + OpenTelemetry backends for monitoring and observability. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshMetric resource. + properties: + default: + description: MeshMetric configuration. + properties: + applications: + description: |- + Applications is a list of applications that Dataplane Proxy will scrape. 
+ Ignored on zone-proxy-only Dataplanes (zone ingress/egress exist without a co-located workload). + items: + properties: + address: + description: Address on which an application listens. + type: string + name: + description: Name of the application to scrape + type: string + path: + default: /metrics + description: Path on which an application expose HTTP endpoint + with metrics. + type: string + port: + description: Port on which an application expose HTTP endpoint + with metrics. + format: int32 + type: integer + required: + - port + type: object + type: array + backends: + description: Backends list that will be used to collect metrics. + items: + properties: + openTelemetry: + description: OpenTelemetry backend configuration + properties: + backendRef: + description: |- + BackendRef is a reference to a MeshOpenTelemetryBackend resource that + defines the collector endpoint. Mutually exclusive with Endpoint. + properties: + kind: + description: Kind of the backend resource. + enum: + - MeshOpenTelemetryBackend + type: string + labels: + additionalProperties: + type: string + description: |- + Labels to match the referenced resource. When multiple resources match, + the oldest by creation time wins. + type: object + required: + - kind + type: object + endpoint: + default: "" + description: |- + Endpoint for OpenTelemetry collector. + + Deprecated: use BackendRef instead. + type: string + refreshInterval: + description: RefreshInterval defines how frequent metrics + should be pushed to collector + type: string + type: object + prometheus: + description: Prometheus backend configuration. + properties: + clientId: + description: ClientId of the Prometheus backend. Needed + when using MADS for DP discovery. + type: string + path: + default: /metrics + description: Path on which a dataplane should expose + HTTP endpoint with Prometheus metrics. 
+ type: string + port: + default: 5670 + description: Port on which a dataplane should expose + HTTP endpoint with Prometheus metrics. + format: int32 + type: integer + tls: + description: Configuration of TLS for prometheus listener. + properties: + mode: + default: Disabled + description: Configuration of TLS for Prometheus + listener. + enum: + - Disabled + - ProvidedTLS + - ActiveMTLSBackend + type: string + type: object + type: object + type: + description: Type of the backend that will be used to collect + metrics. At the moment only Prometheus backend is available. + enum: + - Prometheus + - OpenTelemetry + type: string + required: + - type + type: object + type: array + sidecar: + description: Sidecar metrics collection configuration + properties: + includeUnused: + description: |- + IncludeUnused if false will scrape only metrics that has been by sidecar (counters incremented + at least once, gauges changed at least once, and histograms added to at + least once). If true will scrape all metrics (even the ones with zeros). + If not specified then the default value is false. + type: boolean + profiles: + description: Profiles allows to customize which metrics are + published. + properties: + appendProfiles: + description: AppendProfiles allows to combine the metrics + from multiple predefined profiles. + items: + properties: + name: + description: 'Name of the predefined profile, one + of: all, basic, none' + enum: + - All + - Basic + - None + type: string + required: + - name + type: object + type: array + exclude: + description: |- + Exclude makes it possible to exclude groups of metrics from a resulting profile. + Exclude is subordinate to Include. 
+ items: + properties: + match: + description: Match is the value used to match using + particular Type + type: string + type: + description: 'Type defined the type of selector, + one of: prefix, regex, exact' + enum: + - Prefix + - Regex + - Exact + - Contains + type: string + required: + - match + - type + type: object + type: array + include: + description: |- + Include makes it possible to include additional metrics in a selected profiles. + Include takes precedence over Exclude. + items: + properties: + match: + description: Match is the value used to match using + particular Type + type: string + type: + description: 'Type defined the type of selector, + one of: prefix, regex, exact' + enum: + - Prefix + - Regex + - Exact + - Contains + type: string + required: + - match + - type + type: object + type: array + type: object + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. 
+ type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + type: object + status: + description: Status is the current status of the Kuma MeshMetric resource. + properties: + conditions: + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshmultizoneservices.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshmultizoneservices.yaml new file mode 100644 index 0000000000..9bd644ef6b --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshmultizoneservices.yaml 
@@ -0,0 +1,241 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshmultizoneservices.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshMultiZoneService + listKind: MeshMultiZoneServiceList + plural: meshmultizoneservices + shortNames: + - mzsvc + singular: meshmultizoneservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.addresses[0].hostname + name: Hostname + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + MeshMultiZoneService provides global load balancing and service discovery across multiple zones in a multi-zone mesh deployment. It aggregates MeshServices from different zones by label selectors, creating a unified service endpoint with automatic VIP assignment and hostname generation for cross-zone communication and failover. + MeshMultizoneServices are only created on global + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshMultiZoneService + resource. 
+ properties: + ports: + description: Ports is a list of ports from selected MeshServices + items: + properties: + appProtocol: + default: tcp + description: Protocol identifies a protocol supported by a service. + type: string + name: + type: string + port: + format: int32 + type: integer + required: + - port + type: object + minItems: 1 + type: array + selector: + description: Selector is a way to select multiple MeshServices + properties: + meshService: + description: MeshService selects MeshServices + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + required: + - meshService + type: object + required: + - ports + - selector + type: object + status: + description: Status is the current status of the Kuma MeshMultiZoneService + resource. + properties: + addresses: + description: Addresses is a list of addresses generated by HostnameGenerator + items: + properties: + hostname: + type: string + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + origin: + type: string + type: object + type: array + conditions: + description: Conditions is an array of current conditions + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + hostnameGenerators: + description: Status of hostnames generator applied on this resource + items: + properties: + conditions: + description: Conditions is an array of hostname generator conditions. + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + required: + - hostnameGeneratorRef + type: object + type: array + meshServices: + description: MeshServices is a list of matched MeshServices + items: + properties: + mesh: + type: string + name: + description: Name is a core name of MeshService + type: string + namespace: + type: string + zone: + type: string + required: + - mesh + - name + - namespace + - zone + type: object + type: array + vips: + description: VIPs is a list of assigned Kuma VIPs. + items: + properties: + ip: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshopas.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshopas.yaml new file mode 100644 index 0000000000..7079c1a5a4 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshopas.yaml 
@@ -0,0 +1,208 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshopas.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshOPA + listKind: MeshOPAList + plural: meshopas + shortNames: + - mopa + singular: meshopa + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshOPA + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshOPA resource. + properties: + default: + properties: + agentConfig: + description: AgentConfig defines bootstrap OPA agent configuration. + properties: + inline: + description: Data source is inline bytes. + format: byte + type: string + inlineString: + description: Data source is inline string` + type: string + secret: + description: Data source is a secret with given Secret key. + type: string + type: object + appendPolicies: + description: Policies define OPA policies that will be applied + on OPA Agent. 
+ items: + properties: + ignoreDecision: + description: If true, then policy won't be taken into account + when making a decision. + type: boolean + rego: + description: 'OPA Policy written in Rego. Available values: + secret, inline, inlineString.' + properties: + inline: + description: Data source is inline bytes. + format: byte + type: string + inlineString: + description: Data source is inline string` + type: string + secret: + description: Data source is a secret with given Secret + key. + type: string + type: object + required: + - rego + type: object + type: array + authConfig: + description: AuthConfig are configurations specific to the filter. + properties: + onAgentFailure: + description: |- + OnAgentFailure either 'allow' or 'deny' (default to deny) whether + to allow requests when the authorization agent failed. + enum: + - Allow + - Deny + type: string + requestBody: + description: |- + RequestBody configuration to apply on the request body sent to the + authorization agent (if absent, the body is not sent). + properties: + maxSize: + description: |- + MaxSize defines the maximum payload size sent to authorization agent. If the payload + is larger it will be truncated and there will be a header + `x-envoy-auth-partial-body: true`. If it is set to 0 no body will be + sent to the agent. + format: int32 + type: integer + sendRawBody: + description: SendRawBody enable sending raw body instead + of the body encoded into UTF-8 + type: boolean + type: object + statusOnError: + description: |- + StatusOnError is the http status to return when there's a connection + failure between the dataplane and the authorization agent + format: int32 + type: integer + timeout: + description: Timeout for the single gRPC request from Envoy + to OPA Agent. + type: string + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. 
+ The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshopentelemetrybackends.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshopentelemetrybackends.yaml new file mode 100644 index 0000000000..2214bce946 --- /dev/null 
+++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshopentelemetrybackends.yaml 
@@ -0,0 +1,176 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshopentelemetrybackends.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshOpenTelemetryBackend + listKind: MeshOpenTelemetryBackendList + plural: meshopentelemetrybackends + shortNames: + - motb + singular: meshopentelemetrybackend + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + MeshOpenTelemetryBackend defines a shared OTel collector endpoint for observability policies. + An empty spec is valid and represents the node-local default flow + (kuma-dp resolves the address at runtime using HOST_IP or 127.0.0.1). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshOpenTelemetryBackend + resource. + properties: + endpoint: + description: |- + Endpoint optionally defines the OTel collector address and port. + When omitted, the CP defaults port to 4317 and leaves address empty; + kuma-dp resolves the address at runtime using HOST_IP or 127.0.0.1. + properties: + address: + description: |- + Address of the OTel collector (hostname or IP). 
+ When omitted, kuma-dp resolves it at runtime using HOST_IP or 127.0.0.1. + type: string + path: + description: |- + Path is an optional base path prefix for HTTP endpoints. + The CP appends signal-specific suffixes (/v1/traces, /v1/metrics, /v1/logs). + Non-empty value is rejected by validation when protocol is grpc. + type: string + port: + description: Port of the OTel collector. Defaults to 4317 when + omitted. + format: int32 + type: integer + type: object + env: + description: |- + Env controls whether standard OTEL exporter env vars participate in the + final exporter config for this backend. + Defaults to mode: Optional, precedence: EnvFirst, allowSignalOverrides: true + when omitted. + properties: + allowSignalOverrides: + description: |- + AllowSignalOverrides controls whether per-signal OTEL env vars + (OTEL_EXPORTER_OTLP_TRACES_*, OTEL_EXPORTER_OTLP_METRICS_*, + OTEL_EXPORTER_OTLP_LOGS_*) may diverge from the shared + OTEL_EXPORTER_OTLP_* values. + true (default): per-signal vars override the shared values for that + signal. + false: per-signal vars are ignored; the shared values apply to all + signals. When per-signal overrides are dropped this way, + SignalOverridesDisallowed appears in blockedReasons (a soft block - + export still works via the shared config). + type: boolean + mode: + default: Optional + description: |- + Mode controls whether OTEL env vars participate in the merge. + Disabled: env vars are skipped entirely; only explicit backend fields and + built-in defaults apply. + Optional (default): env vars are used when present; absence is fine. + Required: env vars must supply the missing fields - if any required field + is missing the signal is blocked (state: missing, RequiredEnvMissing in + blockedReasons) even when an explicit value or default could fill it. 
+ enum: + - Disabled + - Optional + - Required + type: string + precedence: + default: EnvFirst + description: |- + Precedence controls which source wins when both an explicit backend field + and an env var are present for the same field. + EnvFirst (default): env vars win; explicit backend fields fill gaps. + ExplicitFirst: explicit backend fields win; env vars fill gaps. + In either case, built-in defaults are the last fallback. + enum: + - ExplicitFirst + - EnvFirst + type: string + type: object + protocol: + description: |- + Protocol selects gRPC or HTTP transport for the collector connection. + Defaults to grpc when omitted. + enum: + - grpc + - http + type: string + type: object + status: + description: Status is the current status of the Kuma MeshOpenTelemetryBackend + resource. + properties: + conditions: + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshpassthroughs.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshpassthroughs.yaml new file mode 100644 index 0000000000..0c6b03178f --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshpassthroughs.yaml 
@@ -0,0 +1,178 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshpassthroughs.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshPassthrough + listKind: MeshPassthroughList + plural: meshpassthroughs + shortNames: + - mp + singular: meshpassthrough + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshPassthrough controls how traffic to external services (outside + the mesh) is handled by the sidecar proxy. It allows you to configure passthrough + mode to permit, deny, or selectively allow traffic to specific external + destinations based on domain names, IPs, or CIDR ranges. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshPassthrough resource. + properties: + default: + description: MeshPassthrough configuration. + properties: + appendMatch: + description: AppendMatch is a list of destinations that should + be allowed through the sidecar. 
+ items: + properties: + port: + description: Port defines the port to which a user makes + a request. + format: int32 + type: integer + protocol: + default: tcp + description: 'Protocol defines the communication protocol. + Possible values: `tcp`, `tls`, `grpc`, `http`, `http2`, + `mysql`.' + enum: + - tcp + - tls + - grpc + - http + - http2 + - mysql + type: string + type: + description: Type of the match, one of `Domain`, `IP` or + `CIDR` is available. + enum: + - Domain + - IP + - CIDR + type: string + value: + description: Value for the specified Type. + type: string + required: + - type + - value + type: object + type: array + passthroughMode: + description: |- + Defines the passthrough behavior. Possible values: `All`, `None`, `Matched` + When `All` or `None` `appendMatch` has no effect. + If not specified then the default value is "Matched". + enum: + - All + - Matched + - None + type: string + type: object + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. 
+ type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshproxypatches.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshproxypatches.yaml new file mode 100644 index 0000000000..31329c167e --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshproxypatches.yaml 
@@ -0,0 +1,556 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshproxypatches.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshProxyPatch + listKind: MeshProxyPatchList + plural: meshproxypatches + shortNames: + - mpp + singular: meshproxypatch + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshProxyPatch provides advanced customization of the Envoy proxy + configuration generated by Kuma. It allows you to add, remove, or modify + Envoy resources (clusters, listeners, filters, virtual hosts) using YAML + patches or JSON patches for fine-grained control beyond standard policies. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshProxyPatch resource. + properties: + default: + description: |- + Default is a configuration specific to the group of destinations + referenced in 'targetRef'. 
+ properties: + appendModifications: + description: AppendModifications is a list of modifications applied + on the selected proxy. + items: + properties: + cluster: + description: Cluster is a modification of Envoy's Cluster + resource. + properties: + jsonPatches: + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy's Cluster + resource + items: + description: JsonPatchBlock is one json patch operation + block. + properties: + from: + description: From is a jsonpatch from string, + used by move and copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: Value must be a valid json value + used by replace and add operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + match: + description: Match is a set of conditions that have + to be matched for modification operation to happen. + properties: + name: + description: Name of the cluster to match. + type: string + origin: + description: |- + Origin is the name of the component or plugin that generated the resource. + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. + ingress - resources generated for Zone Ingress. + egress - resources generated for Zone Egress. + gateway - resources generated for MeshGateway. + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. 
+ type: string + type: object + operation: + description: Operation to execute on matched cluster. + enum: + - Add + - Remove + - Patch + type: string + value: + description: Value of xDS resource in YAML format to + add or patch. + type: string + required: + - operation + type: object + httpFilter: + description: |- + HTTPFilter is a modification of Envoy HTTP Filter + available in HTTP Connection Manager in a Listener resource. + properties: + jsonPatches: + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy's + HTTP Filter available in HTTP Connection Manager in a Listener resource. + items: + description: JsonPatchBlock is one json patch operation + block. + properties: + from: + description: From is a jsonpatch from string, + used by move and copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: Value must be a valid json value + used by replace and add operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + match: + description: Match is a set of conditions that have + to be matched for modification operation to happen. + properties: + listenerName: + description: Name of the listener to match. + type: string + listenerTags: + additionalProperties: + type: string + description: Listener tags available in Listener#Metadata#FilterMetadata[io.kuma.tags] + type: object + name: + description: Name of the HTTP filter. For example + "envoy.filters.http.local_ratelimit" + type: string + origin: + description: |- + Origin is the name of the component or plugin that generated the resource. + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. 
+ transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. + ingress - resources generated for Zone Ingress. + egress - resources generated for Zone Egress. + gateway - resources generated for MeshGateway. + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. + type: string + type: object + operation: + description: Operation to execute on matched listener. + enum: + - Remove + - Patch + - AddFirst + - AddBefore + - AddAfter + - AddLast + type: string + value: + description: Value of xDS resource in YAML format to + add or patch. + type: string + required: + - operation + type: object + listener: + description: Listener is a modification of Envoy's Listener + resource. + properties: + jsonPatches: + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy's Listener + resource + items: + description: JsonPatchBlock is one json patch operation + block. + properties: + from: + description: From is a jsonpatch from string, + used by move and copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: Value must be a valid json value + used by replace and add operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + match: + description: Match is a set of conditions that have + to be matched for modification operation to happen. + properties: + name: + description: Name of the listener to match. + type: string + origin: + description: |- + Origin is the name of the component or plugin that generated the resource. 
+ + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. + ingress - resources generated for Zone Ingress. + egress - resources generated for Zone Egress. + gateway - resources generated for MeshGateway. + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. + type: string + tags: + additionalProperties: + type: string + description: Tags available in Listener#Metadata#FilterMetadata[io.kuma.tags] + type: object + type: object + operation: + description: Operation to execute on matched listener. + enum: + - Add + - Remove + - Patch + type: string + value: + description: Value of xDS resource in YAML format to + add or patch. + type: string + required: + - operation + type: object + networkFilter: + description: NetworkFilter is a modification of Envoy Listener's + filter. + properties: + jsonPatches: + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy Listener's + filter. + items: + description: JsonPatchBlock is one json patch operation + block. + properties: + from: + description: From is a jsonpatch from string, + used by move and copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: Value must be a valid json value + used by replace and add operations. 
+ x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + match: + description: Match is a set of conditions that have + to be matched for modification operation to happen. + properties: + listenerName: + description: Name of the listener to match. + type: string + listenerTags: + additionalProperties: + type: string + description: Listener tags available in Listener#Metadata#FilterMetadata[io.kuma.tags] + type: object + name: + description: Name of the network filter. For example + "envoy.filters.network.ratelimit" + type: string + origin: + description: |- + Origin is the name of the component or plugin that generated the resource. + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. + ingress - resources generated for Zone Ingress. + egress - resources generated for Zone Egress. + gateway - resources generated for MeshGateway. + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. + type: string + type: object + operation: + description: Operation to execute on matched listener. + enum: + - Remove + - Patch + - AddFirst + - AddBefore + - AddAfter + - AddLast + type: string + value: + description: Value of xDS resource in YAML format to + add or patch. + type: string + required: + - operation + type: object + virtualHost: + description: |- + VirtualHost is a modification of Envoy's VirtualHost + referenced in HTTP Connection Manager in a Listener resource. 
+ properties: + jsonPatches: + description: |- + JsonPatches specifies list of jsonpatches to apply to on Envoy's + VirtualHost resource + items: + description: JsonPatchBlock is one json patch operation + block. + properties: + from: + description: From is a jsonpatch from string, + used by move and copy operations. + type: string + op: + description: Op is a jsonpatch operation string. + enum: + - add + - remove + - replace + - move + - copy + type: string + path: + description: Path is a jsonpatch path string. + type: string + value: + description: Value must be a valid json value + used by replace and add operations. + x-kubernetes-preserve-unknown-fields: true + required: + - op + - path + type: object + type: array + match: + description: Match is a set of conditions that have + to be matched for modification operation to happen. + properties: + name: + description: Name of the VirtualHost to match. + type: string + origin: + description: |- + Origin is the name of the component or plugin that generated the resource. + + Here is the list of well-known origins: + inbound - resources generated for handling incoming traffic. + outbound - resources generated for handling outgoing traffic. + transparent - resources generated for transparent proxy functionality. + prometheus - resources generated when Prometheus metrics are enabled. + direct-access - resources generated for Direct Access functionality. + ingress - resources generated for Zone Ingress. + egress - resources generated for Zone Egress. + gateway - resources generated for MeshGateway. + + The list is not complete, because policy plugins can introduce new resources. + For example MeshTrace plugin can create Cluster with "mesh-trace" origin. + type: string + routeConfigurationName: + description: Name of the RouteConfiguration resource + to match. + type: string + type: object + operation: + description: Operation to execute on matched listener. 
+ enum: + - Add + - Remove + - Patch + type: string + value: + description: Value of xDS resource in YAML format to + add or patch. + type: string + required: + - match + - operation + type: object + type: object + type: array + type: object + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. 
Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - default + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshratelimits.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshratelimits.yaml new file mode 100644 index 0000000000..9f028f2c9b --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshratelimits.yaml 
@@ -0,0 +1,681 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshratelimits.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshRateLimit + listKind: MeshRateLimitList + plural: meshratelimits + shortNames: + - mrl + singular: meshratelimit + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshRateLimit protects services from being overwhelmed by limiting + the rate of incoming requests or connections. It supports local rate limiting + for both HTTP (requests per interval) and TCP (connections per interval) + traffic with customizable response codes and headers for rate-limited requests. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshRateLimit resource. 
+ properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + local: + description: LocalConf defines local http or/and tcp rate + limit configuration + properties: + http: + description: |- + LocalHTTP defines configuration of local HTTP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter + properties: + disabled: + description: Define if rate limiting should be disabled. + type: boolean + onRateLimit: + description: Describes the actions to take on a + rate limit event + properties: + headers: + description: The Headers to be added to the + HTTP response on a rate limit event + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + status: + description: The HTTP status code to be set + on a rate limit event + format: int32 + type: integer + type: object + requestRate: + description: Defines how many requests are allowed + per interval. + properties: + interval: + description: The interval the number of units + is accounted for. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). 
+ format: int32 + type: integer + required: + - interval + - num + type: object + type: object + tcp: + description: |- + LocalTCP defines confguration of local TCP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter + properties: + connectionRate: + description: Defines how many connections are allowed + per interval. + properties: + interval: + description: The interval the number of units + is accounted for. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). + format: int32 + type: integer + required: + - interval + - num + type: object + disabled: + description: |- + Define if rate limiting should be disabled. + Default: false + type: boolean + type: object + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. 
When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + rules: + description: Rules defines inbound rate limiting configurations. + items: + properties: + default: + description: Default contains configuration of the inbound rate + limits + properties: + local: + description: LocalConf defines local http or/and tcp rate + limit configuration + properties: + http: + description: |- + LocalHTTP defines configuration of local HTTP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter + properties: + disabled: + description: Define if rate limiting should be disabled. 
+ type: boolean + onRateLimit: + description: Describes the actions to take on a + rate limit event + properties: + headers: + description: The Headers to be added to the + HTTP response on a rate limit event + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + status: + description: The HTTP status code to be set + on a rate limit event + format: int32 + type: integer + type: object + requestRate: + description: Defines how many requests are allowed + per interval. + properties: + interval: + description: The interval the number of units + is accounted for. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). + format: int32 + type: integer + required: + - interval + - num + type: object + type: object + tcp: + description: |- + LocalTCP defines confguration of local TCP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter + properties: + connectionRate: + description: Defines how many connections are allowed + per interval. + properties: + interval: + description: The interval the number of units + is accounted for. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). 
+ format: int32 + type: integer + required: + - interval + - num + type: object + disabled: + description: |- + Define if rate limiting should be disabled. + Default: false + type: boolean + type: object + type: object + type: object + matches: + description: Matches define additional conditions for applying + this rate limit rule. + items: + properties: + sni: + description: SNI defines a matcher configuration for matching + by SNI value carried on the TLS connection + properties: + type: + description: Type defines how to match traffic by + SNI. Only `Exact` is supported. + enum: + - Exact + type: string + value: + description: Value is the SNI carried on the TLS connection + that needs to match for the configuration to be + applied + type: string + required: + - type + - value + type: object + spiffeID: + description: SpiffeID defines a matcher configuration + for SpiffeID matching + properties: + type: + description: Type defines how to match incoming traffic + by SpiffeID. `Exact` or `Prefix` are allowed. + enum: + - Exact + - Prefix + type: string + value: + description: Value is SpiffeID of a client that needs + to match for the configuration to be applied + type: string + required: + - type + - value + type: object + type: object + type: array + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. 
+ type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + to: + description: To list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + local: + description: LocalConf defines local http or/and tcp rate + limit configuration + properties: + http: + description: |- + LocalHTTP defines configuration of local HTTP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter + properties: + disabled: + description: Define if rate limiting should be disabled. 
+ type: boolean + onRateLimit: + description: Describes the actions to take on a + rate limit event + properties: + headers: + description: The Headers to be added to the + HTTP response on a rate limit event + properties: + add: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + set: + items: + properties: + name: + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + status: + description: The HTTP status code to be set + on a rate limit event + format: int32 + type: integer + type: object + requestRate: + description: Defines how many requests are allowed + per interval. + properties: + interval: + description: The interval the number of units + is accounted for. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). + format: int32 + type: integer + required: + - interval + - num + type: object + type: object + tcp: + description: |- + LocalTCP defines confguration of local TCP rate limiting + https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter + properties: + connectionRate: + description: Defines how many connections are allowed + per interval. + properties: + interval: + description: The interval the number of units + is accounted for. + type: string + num: + description: |- + Number of units per interval (depending on usage it can be a number of requests, + or a number of connections). 
+ format: int32 + type: integer + required: + - interval + - num + type: object + disabled: + description: |- + Define if rate limiting should be disabled. + Default: false + type: boolean + type: object + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. 
Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshretries.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshretries.yaml new file mode 100644 index 0000000000..1ffdfa0fbc --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshretries.yaml 
@@ -0,0 +1,517 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshretries.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshRetry + listKind: MeshRetryList + plural: meshretries + shortNames: + - mr + singular: meshretry + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshRetry configures automatic retry behavior for failed requests + to improve service reliability. It supports configurable retry conditions, + limits, timeouts, and backoff strategies for HTTP, gRPC, and TCP traffic, + helping services recover from transient failures. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshRetry resource. + properties: + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. 
+ properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. 
Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + to: + description: To list makes a match between the consumed services and + corresponding configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + grpc: + description: GRPC defines a configuration of retries for + GRPC traffic + properties: + backOff: + description: |- + BackOff is a configuration of durations which will be used in an exponential + backoff strategy between retries. + properties: + baseInterval: + description: |- + BaseInterval is an amount of time which should be taken between retries. + Must be greater than zero. Values less than 1 ms are rounded up to 1 ms. + If not specified then the default value is "25ms". + type: string + maxInterval: + description: |- + MaxInterval is a maximal amount of time which will be taken between retries. + Default is 10 times the "BaseInterval". + type: string + type: object + numRetries: + description: |- + NumRetries is the number of attempts that will be made on failed (and + retriable) requests. If not set, the default value is 1. + format: int32 + type: integer + perTryTimeout: + description: |- + PerTryTimeout is the maximum amount of time each retry attempt can take + before it times out. If not set, the global request timeout for the route + will be used. Setting this value to 0 will disable the per-try timeout. + type: string + rateLimitedBackOff: + description: |- + RateLimitedBackOff is a configuration of backoff which will be used when + the upstream returns one of the headers configured. + properties: + maxInterval: + description: |- + MaxInterval is a maximal amount of time which will be taken between retries. + If not specified then the default value is "300s". 
+ type: string + resetHeaders: + description: |- + ResetHeaders specifies the list of headers (like Retry-After or X-RateLimit-Reset) + to match against the response. Headers are tried in order, and matched + case-insensitive. The first header to be parsed successfully is used. + If no headers match the default exponential BackOff is used instead. + items: + properties: + format: + description: The format of the reset header. + enum: + - Seconds + - UnixTimestamp + type: string + name: + description: The Name of the reset header. + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + required: + - format + - name + type: object + type: array + type: object + retryOn: + description: RetryOn is a list of conditions which will + cause a retry. + example: + - Canceled + - DeadlineExceeded + - Internal + - ResourceExhausted + - Unavailable + items: + enum: + - Canceled + - DeadlineExceeded + - Internal + - ResourceExhausted + - Unavailable + type: string + type: array + type: object + http: + description: HTTP defines a configuration of retries for + HTTP traffic + properties: + backOff: + description: |- + BackOff is a configuration of durations which will be used in exponential + backoff strategy between retries. + properties: + baseInterval: + description: |- + BaseInterval is an amount of time which should be taken between retries. + Must be greater than zero. Values less than 1 ms are rounded up to 1 ms. + If not specified then the default value is "25ms". + type: string + maxInterval: + description: |- + MaxInterval is a maximal amount of time which will be taken between retries. + Default is 10 times the "BaseInterval". + type: string + type: object + hostSelection: + description: |- + HostSelection is a list of predicates that dictate how hosts should be selected + when requests are retried. + items: + properties: + predicate: + description: Type is requested predicate mode. 
+ enum: + - OmitPreviousHosts + - OmitHostsWithTags + - OmitPreviousPriorities + type: string + tags: + additionalProperties: + type: string + description: |- + Tags is a map of metadata to match against for selecting the omitted hosts. Required if Type is + OmitHostsWithTags + type: object + updateFrequency: + default: 2 + description: |- + UpdateFrequency is how often the priority load should be updated based on previously attempted priorities. + Used for OmitPreviousPriorities. + format: int32 + type: integer + required: + - predicate + type: object + type: array + hostSelectionMaxAttempts: + description: |- + HostSelectionMaxAttempts is the maximum number of times host selection will be + reattempted before giving up, at which point the host that was last selected will + be routed to. If unspecified, this will default to retrying once. + format: int64 + type: integer + numRetries: + description: |- + NumRetries is the number of attempts that will be made on failed (and + retriable) requests. If not set, the default value is 1. + format: int32 + type: integer + perTryTimeout: + description: |- + PerTryTimeout is the amount of time after which retry attempt should time out. + If left unspecified, the global route timeout for the request will be used. + Consequently, when using a 5xx based retry policy, a request that times out + will not be retried as the total timeout budget would have been exhausted. + Setting this timeout to 0 will disable it. + type: string + rateLimitedBackOff: + description: |- + RateLimitedBackOff is a configuration of backoff which will be used + when the upstream returns one of the headers configured. + properties: + maxInterval: + description: |- + MaxInterval is a maximal amount of time which will be taken between retries. + If not specified then the default value is "300s". 
+ type: string + resetHeaders: + description: |- + ResetHeaders specifies the list of headers (like Retry-After or X-RateLimit-Reset) + to match against the response. Headers are tried in order, and matched + case-insensitive. The first header to be parsed successfully is used. + If no headers match the default exponential BackOff is used instead. + items: + properties: + format: + description: The format of the reset header. + enum: + - Seconds + - UnixTimestamp + type: string + name: + description: The Name of the reset header. + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + required: + - format + - name + type: object + type: array + type: object + retriableRequestHeaders: + description: |- + RetriableRequestHeaders is an HTTP headers which must be present in the request + for retries to be attempted. + items: + description: |- + HeaderMatch describes how to select an HTTP route by matching HTTP request + headers. + properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name MUST be lower case + as they will be handled with case insensitivity (See https://tools.ietf.org/html/rfc7230#section-3.2). + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - Present + - RegularExpression + - Absent + - Prefix + type: string + value: + description: Value is the value of HTTP Header + to be matched. + type: string + required: + - name + type: object + type: array + retriableResponseHeaders: + description: |- + RetriableResponseHeaders is an HTTP response headers that trigger a retry + if present in the response. A retry will be triggered if any of the header + matches the upstream response headers. + items: + description: |- + HeaderMatch describes how to select an HTTP route by matching HTTP request + headers. 
+ properties: + name: + description: |- + Name is the name of the HTTP Header to be matched. Name MUST be lower case + as they will be handled with case insensitivity (See https://tools.ietf.org/html/rfc7230#section-3.2). + maxLength: 256 + minLength: 1 + pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - Present + - RegularExpression + - Absent + - Prefix + type: string + value: + description: Value is the value of HTTP Header + to be matched. + type: string + required: + - name + type: object + type: array + retryOn: + description: |- + RetryOn is a list of conditions which will cause a retry. Available values are: + [5XX, GatewayError, Reset, Retriable4xx, ConnectFailure, EnvoyRatelimited, + RefusedStream, Http3PostConnectFailure, HttpMethodConnect, HttpMethodDelete, + HttpMethodGet, HttpMethodHead, HttpMethodOptions, HttpMethodPatch, + HttpMethodPost, HttpMethodPut, HttpMethodTrace]. + Also, any HTTP status code (500, 503, etc.). + example: + - 5XX + - GatewayError + - Reset + - Retriable4xx + - ConnectFailure + - EnvoyRatelimited + - RefusedStream + - Http3PostConnectFailure + - HttpMethodConnect + - HttpMethodDelete + - HttpMethodGet + - HttpMethodHead + - HttpMethodOptions + - HttpMethodPatch + - HttpMethodPost + - HttpMethodPut + - HttpMethodTrace + - "500" + - "503" + items: + type: string + type: array + type: object + tcp: + description: TCP defines a configuration of retries for + TCP traffic + properties: + maxConnectAttempt: + description: |- + MaxConnectAttempt is a maximal amount of TCP connection attempts + which will be made before giving up + format: int32 + type: integer + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. 
+ properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshservices.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshservices.yaml new file mode 100644 index 0000000000..7032d8bf73 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshservices.yaml 
@@ -0,0 +1,234 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshservices.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshService + listKind: MeshServiceList + plural: meshservices + shortNames: + - msvc + singular: meshservice + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.addresses[0].hostname + name: Hostname + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshService represents a service in the mesh with its connectivity + and health information. It defines service endpoints by selecting data plane + proxies through labels or direct references, configures service ports and + protocols, tracks service availability and health status, and provides automatic + VIP assignment and hostname generation for service discovery. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshService resource. 
+ properties: + identities: + items: + properties: + type: + enum: + - ServiceTag + - SpiffeID + type: string + value: + type: string + required: + - type + - value + type: object + type: array + ports: + items: + properties: + appProtocol: + default: tcp + description: Protocol identifies a protocol supported by a service. + type: string + name: + type: string + port: + format: int32 + type: integer + targetPort: + anyOf: + - type: integer + - type: string + x-kubernetes-int-or-string: true + required: + - port + type: object + type: array + x-kubernetes-list-map-keys: + - port + - appProtocol + x-kubernetes-list-type: map + selector: + properties: + dataplaneLabels: + properties: + matchLabels: + additionalProperties: + type: string + type: object + type: object + dataplaneRef: + properties: + name: + type: string + type: object + dataplaneTags: + additionalProperties: + type: string + type: object + type: object + state: + default: Unavailable + description: |- + State of MeshService. Available if there is at least one healthy endpoint. Otherwise, Unavailable. + It's used for cross zone communication to check if we should send traffic to it, when MeshService is aggregated into MeshMultiZoneService. + enum: + - Available + - Unavailable + type: string + type: object + status: + description: Status is the current status of the Kuma MeshService resource. + properties: + addresses: + items: + properties: + hostname: + type: string + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + origin: + type: string + type: object + type: array + dataplaneProxies: + description: Data plane proxies statistics selected by this MeshService. + properties: + connected: + description: Number of data plane proxies connected to the zone + control plane + type: integer + healthy: + description: Number of data plane proxies with all healthy inbounds + selected by this MeshService. 
+ type: integer + total: + description: Total number of data plane proxies. + type: integer + type: object + hostnameGenerators: + items: + properties: + conditions: + description: Conditions is an array of hostname generator conditions. + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + hostnameGeneratorRef: + properties: + coreName: + type: string + required: + - coreName + type: object + required: + - hostnameGeneratorRef + type: object + type: array + tls: + properties: + status: + enum: + - Ready + - NotReady + type: string + type: object + vips: + items: + properties: + ip: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} 
diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtcproutes.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtcproutes.yaml
new file mode 100644
index 0000000000..306aa8c6f0
--- /dev/null
+++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtcproutes.yaml
@@ -0,0 +1,294 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshtcproutes.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshTCPRoute + listKind: MeshTCPRouteList + plural: meshtcproutes + shortNames: + - mtcpr + singular: meshtcproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + NOTICE: This policy defines its own `GetDefault` method so that it can have the given + structure for deserialization but still use the generic policy merging + machinery. + // + MeshTCPRoute configures routing for TCP traffic between services in the mesh. It enables traffic splitting and weighted load balancing across different backend endpoints, useful for canary deployments, blue-green deployments, and gradual traffic migration for TCP-based services. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshTCPRoute resource. 
+ properties: + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. 
Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + to: + description: |- + To list makes a match between the consumed services and corresponding + configurations + items: + properties: + rules: + description: |- + Rules contains the routing rules applies to a combination of top-level + targetRef and the targetRef in this entry. + items: + properties: + default: + description: |- + Default holds routing rules that can be merged with rules from other + policies. + properties: + backendRefs: + items: + description: BackendRef defines where to forward + traffic. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use + to identify cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + port: + description: Port is only supported when this + ref refers to a real MeshService object + format: int32 + type: integer + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. 
+ For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + weight: + default: 1 + minimum: 0 + type: integer + required: + - kind + type: object + type: array + type: object + required: + - default + type: object + maxItems: 1 + type: array + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. 
+ type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - rules + - targetRef + type: object + minItems: 1 + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtimeouts.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtimeouts.yaml new file mode 100644 index 0000000000..5015029983 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtimeouts.yaml 
@@ -0,0 +1,479 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshtimeouts.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshTimeout + listKind: MeshTimeoutList + plural: meshtimeouts + shortNames: + - mt + singular: meshtimeout + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshTimeout configures timeout limits for service-to-service + communication to prevent requests from hanging indefinitely. It supports + connection timeouts, idle timeouts, and HTTP-specific timeouts (request, + stream, headers) to ensure timely failure detection and improve service + responsiveness. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshTimeout resource. 
+ properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + connectionTimeout: + description: |- + ConnectionTimeout specifies the amount of time proxy will wait for an TCP connection to be established. + Default value is 5 seconds. Cannot be set to 0. + type: string + http: + description: Http provides configuration for HTTP specific + timeouts + properties: + maxConnectionDuration: + description: |- + MaxConnectionDuration is the time after which a connection will be drained and/or closed, + starting from when it was first established. Setting this timeout to 0 will disable it. + Disabled by default. + type: string + maxStreamDuration: + description: |- + MaxStreamDuration is the maximum time that a stream’s lifetime will span. + Setting this timeout to 0 will disable it. Disabled by default. + type: string + requestHeadersTimeout: + description: |- + RequestHeadersTimeout The amount of time that proxy will wait for the request headers to be received. The timer is + activated when the first byte of the headers is received, and is disarmed when the last byte of + the headers has been received. If not specified or set to 0, this timeout is disabled. + Disabled by default. + type: string + requestTimeout: + description: |- + RequestTimeout The amount of time that proxy will wait for the entire request to be received. + The timer is activated when the request is initiated, and is disarmed when the last byte of the request is sent, + OR when the response is initiated. Setting this timeout to 0 will disable it. + Default is 15s. + type: string + streamIdleTimeout: + description: |- + StreamIdleTimeout is the amount of time that proxy will allow a stream to exist with no activity. + Setting this timeout to 0 will disable it. 
Default is 30m + type: string + type: object + idleTimeout: + description: |- + IdleTimeout is defined as the period in which there are no bytes sent or received on connection + Setting this timeout to 0 will disable it. Be cautious when disabling it because + it can lead to connection leaking. Default value is 1h. + type: string + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. 
Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + rules: + description: |- + Rules defines inbound timeout configurations. When matches are present, the rule is applied only + to traffic selected by the given source and destination matchers. + items: + properties: + default: + description: Default contains configuration of the inbound timeouts + properties: + connectionTimeout: + description: |- + ConnectionTimeout specifies the amount of time proxy will wait for an TCP connection to be established. + Default value is 5 seconds. Cannot be set to 0. + type: string + http: + description: Http provides configuration for HTTP specific + timeouts + properties: + maxConnectionDuration: + description: |- + MaxConnectionDuration is the time after which a connection will be drained and/or closed, + starting from when it was first established. Setting this timeout to 0 will disable it. + Disabled by default. + type: string + maxStreamDuration: + description: |- + MaxStreamDuration is the maximum time that a stream’s lifetime will span. + Setting this timeout to 0 will disable it. Disabled by default. + type: string + requestHeadersTimeout: + description: |- + RequestHeadersTimeout The amount of time that proxy will wait for the request headers to be received. The timer is + activated when the first byte of the headers is received, and is disarmed when the last byte of + the headers has been received. If not specified or set to 0, this timeout is disabled. + Disabled by default. + type: string + requestTimeout: + description: |- + RequestTimeout The amount of time that proxy will wait for the entire request to be received. + The timer is activated when the request is initiated, and is disarmed when the last byte of the request is sent, + OR when the response is initiated. Setting this timeout to 0 will disable it. + Default is 15s. 
+ type: string + streamIdleTimeout: + description: |- + StreamIdleTimeout is the amount of time that proxy will allow a stream to exist with no activity. + Setting this timeout to 0 will disable it. Default is 30m + type: string + type: object + idleTimeout: + description: |- + IdleTimeout is defined as the period in which there are no bytes sent or received on connection + Setting this timeout to 0 will disable it. Be cautious when disabling it because + it can lead to connection leaking. Default value is 1h. + type: string + type: object + matches: + description: Matches define predicates for selecting traffic + this configuration applies to. + items: + properties: + sni: + description: SNI defines a matcher configuration for matching + by SNI value carried on the TLS connection + properties: + type: + description: Type defines how to match traffic by + SNI. Only `Exact` is supported. + enum: + - Exact + type: string + value: + description: Value is the SNI carried on the TLS connection + that needs to match for the configuration to be + applied + type: string + required: + - type + - value + type: object + spiffeID: + description: SpiffeID defines a matcher configuration + for SpiffeID matching + properties: + type: + description: Type defines how to match incoming traffic + by SpiffeID. `Exact` or `Prefix` are allowed. + enum: + - Exact + - Prefix + type: string + value: + description: Value is SpiffeID of a client that needs + to match for the configuration to be applied + type: string + required: + - type + - value + type: object + type: object + type: array + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. 
+ properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. 
Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + to: + description: To list makes a match between the consumed services and + corresponding configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of destinations referenced in + 'targetRef' + properties: + connectionTimeout: + description: |- + ConnectionTimeout specifies the amount of time proxy will wait for an TCP connection to be established. + Default value is 5 seconds. Cannot be set to 0. + type: string + http: + description: Http provides configuration for HTTP specific + timeouts + properties: + maxConnectionDuration: + description: |- + MaxConnectionDuration is the time after which a connection will be drained and/or closed, + starting from when it was first established. Setting this timeout to 0 will disable it. + Disabled by default. + type: string + maxStreamDuration: + description: |- + MaxStreamDuration is the maximum time that a stream’s lifetime will span. + Setting this timeout to 0 will disable it. Disabled by default. + type: string + requestHeadersTimeout: + description: |- + RequestHeadersTimeout The amount of time that proxy will wait for the request headers to be received. The timer is + activated when the first byte of the headers is received, and is disarmed when the last byte of + the headers has been received. If not specified or set to 0, this timeout is disabled. + Disabled by default. + type: string + requestTimeout: + description: |- + RequestTimeout The amount of time that proxy will wait for the entire request to be received. + The timer is activated when the request is initiated, and is disarmed when the last byte of the request is sent, + OR when the response is initiated. Setting this timeout to 0 will disable it. + Default is 15s. 
+ type: string + streamIdleTimeout: + description: |- + StreamIdleTimeout is the amount of time that proxy will allow a stream to exist with no activity. + Setting this timeout to 0 will disable it. Default is 30m + type: string + type: object + idleTimeout: + description: |- + IdleTimeout is defined as the period in which there are no bytes sent or received on connection + Setting this timeout to 0 will disable it. Be cautious when disabling it because + it can lead to connection leaking. Default value is 1h. + type: string + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + destinations. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. 
Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtlses.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtlses.yaml new file mode 100644 index 0000000000..6679af6d2e --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtlses.yaml 
@@ -0,0 +1,306 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshtlses.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshTLS + listKind: MeshTLSList + plural: meshtlses + shortNames: + - mtls + singular: meshtls + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshTLS configures TLS and mutual TLS (mTLS) settings for secure + communication between services in the mesh. It allows you to enforce encryption, + configure TLS versions and cipher suites, and control whether mTLS is required + (strict mode) or optional (permissive mode) for inbound traffic. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshTLS resource. 
+ properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + mode: + description: Mode defines the behavior of inbound listeners + with regard to traffic encryption. + enum: + - Permissive + - Strict + type: string + tlsCiphers: + description: TlsCiphers section for providing ciphers specification. + items: + enum: + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-RSA-CHACHA20-POLY1305 + type: string + type: array + tlsVersion: + description: Version section for providing version specification. + properties: + max: + default: TLSAuto + description: Max defines maximum supported version. + One of `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. + enum: + - TLSAuto + - TLS10 + - TLS11 + - TLS12 + - TLS13 + type: string + min: + default: TLSAuto + description: Min defines minimum supported version. + One of `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. + enum: + - TLSAuto + - TLS10 + - TLS11 + - TLS12 + - TLS13 + type: string + type: object + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. 
+ type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + rules: + description: |- + Rules defines inbound tls configurations. Currently limited to + selecting all inbound traffic, as L7 matching is not yet implemented. + items: + properties: + default: + description: Default contains configuration of the inbound tls + properties: + mode: + description: Mode defines the behavior of inbound listeners + with regard to traffic encryption. + enum: + - Permissive + - Strict + type: string + tlsCiphers: + description: TlsCiphers section for providing ciphers specification. + items: + enum: + - ECDHE-ECDSA-AES128-GCM-SHA256 + - ECDHE-ECDSA-AES256-GCM-SHA384 + - ECDHE-ECDSA-CHACHA20-POLY1305 + - ECDHE-RSA-AES128-GCM-SHA256 + - ECDHE-RSA-AES256-GCM-SHA384 + - ECDHE-RSA-CHACHA20-POLY1305 + type: string + type: array + tlsVersion: + description: Version section for providing version specification. 
+ properties: + max: + default: TLSAuto + description: Max defines maximum supported version. + One of `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. + enum: + - TLSAuto + - TLS10 + - TLS11 + - TLS12 + - TLS13 + type: string + min: + default: TLSAuto + description: Min defines minimum supported version. + One of `TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`. + enum: + - TLSAuto + - TLS10 + - TLS11 + - TLS12 + - TLS13 + type: string + type: object + type: object + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined in-place. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. 
Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtraces.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtraces.yaml new file mode 100644 index 0000000000..a0e7db3860 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtraces.yaml 
@@ -0,0 +1,356 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshtraces.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshTrace + listKind: MeshTraceList + plural: meshtraces + shortNames: + - mtr + singular: meshtrace + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshTrace enables distributed tracing to track requests as they + flow through multiple services in the mesh. It supports exporting trace + data to backends like Zipkin, Datadog, and OpenTelemetry, with configurable + sampling rates and custom tags for detailed observability and debugging + of service interactions. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshTrace resource. + properties: + default: + description: MeshTrace configuration. + properties: + backends: + description: |- + A one element array of backend definition. 
+ Envoy allows configuring only 1 backend, so the natural way of + representing that would be just one object. Unfortunately due to the + reasons explained in MADR 009-tracing-policy this has to be a one element + array for now. + items: + description: Only one of zipkin, datadog or openTelemetry can + be used. + properties: + datadog: + description: Datadog backend configuration. + properties: + splitService: + default: false + description: |- + Determines if datadog service name should be split based on traffic + direction and destination. For example, with `splitService: true` and a + `backend` service that communicates with a couple of databases, you would + get service names like `backend_INBOUND`, `backend_OUTBOUND_db1`, and + `backend_OUTBOUND_db2` in Datadog. + type: boolean + url: + description: |- + Address of Datadog collector, only host and port are allowed (no paths, + fragments etc.) + type: string + required: + - url + type: object + openTelemetry: + description: OpenTelemetry backend configuration. + properties: + backendRef: + description: |- + BackendRef is a reference to a MeshOpenTelemetryBackend resource that + defines the collector endpoint. Mutually exclusive with Endpoint. + properties: + kind: + description: Kind of the backend resource. + enum: + - MeshOpenTelemetryBackend + type: string + labels: + additionalProperties: + type: string + description: |- + Labels to match the referenced resource. When multiple resources match, + the oldest by creation time wins. + type: object + required: + - kind + type: object + endpoint: + default: "" + description: |- + Address of OpenTelemetry collector. + + Deprecated: use BackendRef instead. + example: otel-collector:4317 + type: string + type: object + type: + enum: + - Zipkin + - Datadog + - OpenTelemetry + type: string + zipkin: + description: Zipkin backend configuration. + properties: + apiVersion: + default: httpJson + description: |- + Version of the API. 
+ https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/trace/v3/zipkin.proto#L66 + enum: + - httpJson + - httpProto + type: string + sharedSpanContext: + default: true + description: |- + Determines whether client and server spans will share the same span + context. + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/trace/v3/zipkin.proto#L63 + type: boolean + traceId128bit: + default: false + description: Generate 128bit traces. + type: boolean + url: + description: Address of Zipkin collector. + type: string + required: + - url + type: object + required: + - type + type: object + maxItems: 1 + type: array + sampling: + description: |- + Sampling configuration. + Sampling is the process by which a decision is made on whether to + process/export a span or not. + properties: + client: + anyOf: + - type: integer + - type: string + description: |- + Target percentage of requests that will be force traced if the + 'x-client-trace-id' header is set. Mirror of client_sampling in Envoy + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L127-L133 + Either int or decimal represented as string. + If not specified then the default value is 100. + x-kubernetes-int-or-string: true + overall: + anyOf: + - type: integer + - type: string + description: |- + Target percentage of requests will be traced + after all other sampling checks have been applied (client, force tracing, + random sampling). This field functions as an upper limit on the total + configured sampling rate. For instance, setting client to 100 + but overall to 1 will result in only 1% of client requests with + the appropriate headers to be force traced. Mirror of + overall_sampling in Envoy + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L142-L150 + Either int or decimal represented as string. 
+ If not specified then the default value is 100. + x-kubernetes-int-or-string: true + random: + anyOf: + - type: integer + - type: string + description: |- + Target percentage of requests that will be randomly selected for trace + generation, if not requested by the client or not forced. + Mirror of random_sampling in Envoy + https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L135-L140 + Either int or decimal represented as string. + If not specified then the default value is 100. + x-kubernetes-int-or-string: true + type: object + tags: + description: |- + Custom tags configuration. You can add custom tags to traces based on + headers or literal values. + items: + description: |- + Custom tags configuration. + Only one of literal or header can be used. + properties: + header: + description: Tag taken from a header. + properties: + default: + description: |- + Default value to use if header is missing. + If the default is missing and there is no value the tag will not be + included. + type: string + name: + description: Name of the header. + type: string + required: + - name + type: object + literal: + description: Tag taken from literal value. + type: string + name: + description: Name of the tag. + type: string + required: + - name + type: object + type: array + type: object + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. 
Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + type: object + status: + description: Status is the current status of the Kuma MeshTrace resource. + properties: + conditions: + items: + properties: + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. 
+ maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - message + - reason + - status + - type + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtrafficpermissions.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtrafficpermissions.yaml new file mode 100644 index 0000000000..f5e43b90e9 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtrafficpermissions.yaml 
@@ -0,0 +1,364 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshtrafficpermissions.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshTrafficPermission + listKind: MeshTrafficPermissionList + plural: meshtrafficpermissions + shortNames: + - mtp + singular: meshtrafficpermission + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.targetRef.kind + name: TargetRef Kind + type: string + - jsonPath: .spec.targetRef.name + name: TargetRef Name + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshTrafficPermission controls which services are allowed to + communicate with each other in the mesh. It provides fine-grained access + control by allowing you to define allow/deny rules based on service identity, + enabling zero-trust security and supporting shadow mode for testing permission + changes before enforcement. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshTrafficPermission + resource. 
+ properties: + from: + description: From list makes a match between clients and corresponding + configurations + items: + properties: + default: + description: |- + Default is a configuration specific to the group of clients referenced in + 'targetRef' + properties: + action: + description: 'Action defines a behavior for the specified + group of clients:' + enum: + - Allow + - Deny + - AllowWithShadowDeny + type: string + type: object + targetRef: + description: |- + TargetRef is a reference to the resource that represents a group of + clients. + properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify + cross mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. 
+ type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + required: + - targetRef + type: object + type: array + rules: + description: Rules defines inbound permissions configuration + items: + properties: + default: + properties: + allow: + description: Allow definees a list of matches for which + access will be allowed + items: + properties: + sni: + description: SNI defines a matcher configuration for + matching by SNI value carried on the TLS connection + properties: + type: + description: Type defines how to match traffic + by SNI. Only `Exact` is supported. + enum: + - Exact + type: string + value: + description: Value is the SNI carried on the TLS + connection that needs to match for the configuration + to be applied + type: string + required: + - type + - value + type: object + spiffeID: + description: SpiffeID defines a matcher configuration + for SpiffeID matching + properties: + type: + description: Type defines how to match incoming + traffic by SpiffeID. `Exact` or `Prefix` are + allowed. + enum: + - Exact + - Prefix + type: string + value: + description: Value is SpiffeID of a client that + needs to match for the configuration to be applied + type: string + required: + - type + - value + type: object + type: object + type: array + allowWithShadowDeny: + description: |- + AllowWithShadowDeny defines a list of matches for which access will be allowed but emits logs as if + requests are denied + items: + properties: + sni: + description: SNI defines a matcher configuration for + matching by SNI value carried on the TLS connection + properties: + type: + description: Type defines how to match traffic + by SNI. Only `Exact` is supported. 
+ enum: + - Exact + type: string + value: + description: Value is the SNI carried on the TLS + connection that needs to match for the configuration + to be applied + type: string + required: + - type + - value + type: object + spiffeID: + description: SpiffeID defines a matcher configuration + for SpiffeID matching + properties: + type: + description: Type defines how to match incoming + traffic by SpiffeID. `Exact` or `Prefix` are + allowed. + enum: + - Exact + - Prefix + type: string + value: + description: Value is SpiffeID of a client that + needs to match for the configuration to be applied + type: string + required: + - type + - value + type: object + type: object + type: array + deny: + description: Deny defines a list of matches for which access + will be denied + items: + properties: + sni: + description: SNI defines a matcher configuration for + matching by SNI value carried on the TLS connection + properties: + type: + description: Type defines how to match traffic + by SNI. Only `Exact` is supported. + enum: + - Exact + type: string + value: + description: Value is the SNI carried on the TLS + connection that needs to match for the configuration + to be applied + type: string + required: + - type + - value + type: object + spiffeID: + description: SpiffeID defines a matcher configuration + for SpiffeID matching + properties: + type: + description: Type defines how to match incoming + traffic by SpiffeID. `Exact` or `Prefix` are + allowed. + enum: + - Exact + - Prefix + type: string + value: + description: Value is SpiffeID of a client that + needs to match for the configuration to be applied + type: string + required: + - type + - value + type: object + type: object + type: array + type: object + required: + - default + type: object + type: array + targetRef: + description: |- + TargetRef is a reference to the resource the policy takes an effect on. + The resource could be either a real store object or virtual resource + defined inplace. 
+ properties: + kind: + description: Kind of the referenced resource + enum: + - Mesh + - MeshSubset + - MeshGateway + - MeshService + - MeshExternalService + - MeshMultiZoneService + - MeshServiceSubset + - MeshHTTPRoute + - Dataplane + type: string + labels: + additionalProperties: + type: string + description: |- + Labels are used to select group of MeshServices that match labels. Either Labels or + Name and Namespace can be used. + type: object + mesh: + description: Mesh is reserved for future use to identify cross + mesh resources. + type: string + name: + description: |- + Name of the referenced resource. Can only be used with kinds: `MeshService`, + `MeshServiceSubset` and `MeshGatewayRoute` + type: string + namespace: + description: |- + Namespace specifies the namespace of target resource. If empty only resources in policy namespace + will be targeted. + type: string + proxyTypes: + description: |- + ProxyTypes specifies the data plane types that are subject to the policy. When not specified, + all data plane types are targeted by the policy. + items: + enum: + - Sidecar + - Gateway + type: string + type: array + sectionName: + description: |- + SectionName is used to target specific section of resource. + For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected. + type: string + tags: + additionalProperties: + type: string + description: |- + Tags used to select a subset of proxies by tags. Can only be used with kinds + `MeshSubset` and `MeshServiceSubset` + type: object + required: + - kind + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtrusts.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtrusts.yaml new file mode 100644 index 0000000000..9cd915705e --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshtrusts.yaml 
@@ -0,0 +1,111 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshtrusts.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshTrust + listKind: MeshTrustList + plural: meshtrusts + shortNames: + - mtrust + singular: meshtrust + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshTrust defines trusted Certificate Authority (CA) bundles + for a trust domain in the mesh. It establishes trust relationships for service-to-service + mTLS authentication by specifying which CA certificates are trusted to verify + service identities, supporting PEM-encoded CA bundles and enabling secure + cross-service communication within the trust domain. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshTrust resource. + properties: + caBundles: + description: |- + CABundles contains a list of CA bundles supported by this TrustDomain. + At least one CA bundle must be specified. + items: + properties: + pem: + description: Pem contains the PEM-encoded CA bundle if the Type + is set to a PEM-based format. 
+ properties: + value: + description: Value holds the PEM-encoded CA bundle as a + string. + type: string + required: + - value + type: object + type: + description: Type specifies the format or source type of the + CA bundle. + enum: + - Pem + type: string + required: + - type + type: object + minItems: 1 + type: array + origin: + description: |- + Origin specifies whether the resource was created from a MeshIdentity. + + Deprecated: use Status.Origin instead + properties: + kri: + description: Resource identifier + type: string + type: object + trustDomain: + description: TrustDomain is the trust domain associated with this + resource. + maxLength: 253 + type: string + required: + - caBundles + - trustDomain + type: object + status: + description: Status is the current status of the Kuma MeshTrust resource. + properties: + origin: + description: Origin specifies whether the resource was created from + a MeshIdentity. + properties: + kri: + description: Resource identifier + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshzoneaddresses.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshzoneaddresses.yaml new file mode 100644 index 0000000000..8009ad1479 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_meshzoneaddresses.yaml 
@@ -0,0 +1,64 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: meshzoneaddresses.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: MeshZoneAddress + listKind: MeshZoneAddressList + plural: meshzoneaddresses + shortNames: + - mza + singular: meshzoneaddress + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: MeshZoneAddress holds the public address and port for a mesh-scoped + zone ingress proxy. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma MeshZoneAddress resource. + properties: + address: + description: Address is the publicly reachable address of the zone + ingress. + minLength: 1 + type: string + port: + description: Port is the publicly reachable port of the zone ingress. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - address + - port + type: object + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_proxytemplates.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_proxytemplates.yaml new file mode 100644 index 0000000000..df92fb010b --- /dev/null 
+++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_proxytemplates.yaml @@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: proxytemplates.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ProxyTemplate + listKind: ProxyTemplateList + plural: proxytemplates + singular: proxytemplate + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ProxyTemplate resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_ratelimits.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_ratelimits.yaml new file mode 100644 index 0000000000..d378fc503f --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_ratelimits.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: ratelimits.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: RateLimit + listKind: RateLimitList + plural: ratelimits + singular: ratelimit + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma RateLimit resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_retries.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_retries.yaml new file mode 100644 index 0000000000..24c21cbd60 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_retries.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: retries.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: Retry + listKind: RetryList + plural: retries + singular: retry + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma Retry resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_serviceinsights.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_serviceinsights.yaml new file mode 100644 index 0000000000..2efdc6b33d --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_serviceinsights.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: serviceinsights.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ServiceInsight + listKind: ServiceInsightList + plural: serviceinsights + singular: serviceinsight + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ServiceInsight resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_timeouts.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_timeouts.yaml new file mode 100644 index 0000000000..6df1fcfaf5 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_timeouts.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: timeouts.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: Timeout + listKind: TimeoutList + plural: timeouts + singular: timeout + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma Timeout resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_trafficlogs.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_trafficlogs.yaml new file mode 100644 index 0000000000..953dfd379a --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_trafficlogs.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: trafficlogs.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: TrafficLog + listKind: TrafficLogList + plural: trafficlogs + singular: trafficlog + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma TrafficLog resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_trafficpermissions.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_trafficpermissions.yaml new file mode 100644 index 0000000000..c9fcf87782 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_trafficpermissions.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: trafficpermissions.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: TrafficPermission + listKind: TrafficPermissionList + plural: trafficpermissions + singular: trafficpermission + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma TrafficPermission resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_trafficroutes.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_trafficroutes.yaml new file mode 100644 index 0000000000..50d0d3ab58 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_trafficroutes.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: trafficroutes.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: TrafficRoute + listKind: TrafficRouteList + plural: trafficroutes + singular: trafficroute + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma TrafficRoute resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_traffictraces.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_traffictraces.yaml new file mode 100644 index 0000000000..338adaea11 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_traffictraces.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: traffictraces.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: TrafficTrace + listKind: TrafficTraceList + plural: traffictraces + singular: traffictrace + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma TrafficTrace resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_virtualoutbounds.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_virtualoutbounds.yaml new file mode 100644 index 0000000000..6786d12887 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_virtualoutbounds.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: virtualoutbounds.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: VirtualOutbound + listKind: VirtualOutboundList + plural: virtualoutbounds + singular: virtualoutbound + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma VirtualOutbound resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_workloads.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_workloads.yaml new file mode 100644 index 0000000000..8033937d34 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_workloads.yaml 
@@ -0,0 +1,81 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: workloads.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: Workload + listKind: WorkloadList + plural: workloads + shortNames: + - wl + singular: workload + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Workload represents a logical grouping of data plane proxies + in the mesh, providing visibility into their operational status. It tracks + statistics about the data plane proxies that belong to a workload, including + the number of connected, healthy, and total proxies, enabling monitoring + and health assessment of your workload deployments. Workloads is also the + primary way data-planes are grouped together in metrics and traces. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma Workload resource. + type: object + status: + description: Status is the current status of the Kuma Workload resource. 
+ properties: + dataplaneProxies: + description: DataplaneProxies defines statistics of data plane proxies + that are part of this workload + properties: + connected: + description: Connected defines number of connected data plane + proxies + format: int32 + type: integer + healthy: + description: Healthy defines number of healthy data plane proxies + for this workload + format: int32 + type: integer + total: + description: Total defines total number of data plane proxies + for this workload + format: int32 + type: integer + required: + - connected + - healthy + - total + type: object + type: object + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneegresses.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneegresses.yaml new file mode 100644 index 0000000000..9a3d05e437 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneegresses.yaml 
@@ -0,0 +1,58 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: zoneegresses.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ZoneEgress + listKind: ZoneEgressList + plural: zoneegresses + shortNames: + - ze + singular: zoneegress + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Zone name + jsonPath: .spec.zone + name: zone + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ZoneEgress resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneegressinsights.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneegressinsights.yaml new file mode 100644 index 0000000000..72ae6dc5fc --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneegressinsights.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: zoneegressinsights.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ZoneEgressInsight + listKind: ZoneEgressInsightList + plural: zoneegressinsights + singular: zoneegressinsight + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ZoneEgressInsight resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneingresses.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneingresses.yaml new file mode 100644 index 0000000000..601c0bcd86 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneingresses.yaml 
@@ -0,0 +1,58 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: zoneingresses.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ZoneIngress + listKind: ZoneIngressList + plural: zoneingresses + shortNames: + - zi + singular: zoneingress + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Zone name + jsonPath: .spec.zone + name: zone + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ZoneIngress resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true + subresources: {} diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneingressinsights.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneingressinsights.yaml new file mode 100644 index 0000000000..648174d868 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneingressinsights.yaml 
@@ -0,0 +1,51 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: zoneingressinsights.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ZoneIngressInsight + listKind: ZoneIngressInsightList + plural: zoneingressinsights + singular: zoneingressinsight + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ZoneIngressInsight + resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneinsights.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneinsights.yaml new file mode 100644 index 0000000000..27e221e257 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_zoneinsights.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: zoneinsights.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: ZoneInsight + listKind: ZoneInsightList + plural: zoneinsights + singular: zoneinsight + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma ZoneInsight resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/kuma.io_zones.yaml b/app/assets/mesh/2.14.x/raw/crds/kuma.io_zones.yaml new file mode 100644 index 0000000000..59922713ff --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/kuma.io_zones.yaml 
@@ -0,0 +1,52 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.21.0 + name: zones.kuma.io +spec: + group: kuma.io + names: + categories: + - kuma + kind: Zone + listKind: ZoneList + plural: zones + shortNames: + - z + singular: zone + scope: Cluster + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + mesh: + description: |- + Mesh is the name of the Kuma mesh this resource belongs to. + It may be omitted for cluster-scoped resources. + type: string + metadata: + type: object + spec: + description: Spec is the specification of the Kuma Zone resource. + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: true diff --git a/app/assets/mesh/2.14.x/raw/crds/opa-policy.yaml b/app/assets/mesh/2.14.x/raw/crds/opa-policy.yaml new file mode 100644 index 0000000000..fb4111fe1e --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/crds/opa-policy.yaml 
@@ -0,0 +1,25 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + creationTimestamp: null + name: opapolicies.kuma.io +spec: + group: kuma.io + names: + kind: OPAPolicy + plural: opapolicies + scope: Cluster + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + description: OPAPolicy is the Schema for the opapolicy API + properties: + mesh: + type: string + spec: + x-kubernetes-preserve-unknown-fields: true + type: object + type: object diff --git a/app/assets/mesh/2.14.x/raw/helm-values-prod/values.federated-zone-cp.yaml b/app/assets/mesh/2.14.x/raw/helm-values-prod/values.federated-zone-cp.yaml new file mode 100644 index 0000000000..9501642d01 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/helm-values-prod/values.federated-zone-cp.yaml 
@@ -0,0 +1,166 @@ +kuma: + controlPlane: + mode: "zone" + # (action): please specify a name for the zone + zone: + + tls: + apiServer: + # (action): please prepare the content of this secret before installing Kong Mesh + # it contains the keys "tls.crt" and "tls.key", and the content items should be in "PEM" format + # more details on preparing certificates: https://docs.konghq.com/mesh/latest/production/secure-deployment/certificates/ + secretName: kong-mesh-apiserver-tls + kdsZoneClient: + # (action): please prepare the content of this secret before installing Kong Mesh + # the certificate can be extracted from the trusted global CP server + # it should contain the key "ca.crt", and the content certificate should be in "PEM" format + # more details on certificates verifying: https://docs.konghq.com/mesh/latest/production/secure-deployment/certificates/#control-plane-to-control-plane-multizone + secretName: kong-mesh-kds-global-ca + skipVerify: false + + apiServer: + corsAllowedDomains: + # change these values you want to access the control plane API server or Mesh GUI from a custom domain + - https://localhost:5682 + # if you want to access the API server using the HTTP port, add the following line + # - http://localhost:5681 + + defaults: + # change these values if you want to open the admin access rights of control plane API server to more groups + adminRoleGroups: + - mesh-system:admin + - system:masters + + # (action): please specify the address of the global CP + # e.g. 
grpcs://my-global-cp.my-hostname.com:5685 + kdsGlobalAddress: "" + + envVars: + KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE: cpToken + # if you want to access the API server using the HTTP port, change the following switch to "true" + KUMA_API_SERVER_HTTP_ENABLED: "false" + + secrets: + # (action): please prepare the content of this secret before installing Kong Mesh + # the CP token is only required when installing a zone CP that is connecting to a global CP + # to obtain this CP token, please generate it using the `kumactl` connecting to the global CP + # kumactl generate zone-token --zone --scope cp --valid-for 43920h > $TOKEN_FLIE + # kubectl create -n kong-mesh-system secret generic kong-mesh-global-cp-token --from-file token=$TOKEN_FLIE + - Secret: kong-mesh-global-cp-token + Key: token + Env: KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE + + # please tune the resource allocation according to your actual mesh size and traffic load after Kong Mesh is installed. + # try to make the resource limits identical to requests to make components are assigned as a QoS class of Guaranteed + # more detail on sizing the CP: https://docs.konghq.com/mesh/latest/introduction/kuma-requirements/#sizing-your-control-plane + resources: + requests: + cpu: 1000m + memory: 1024Mi + limits: + cpu: 1000m + memory: 1024Mi + + replicas: 2 + autoscaling: + enabled: true + + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 50 + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: 50 + + + podDisruptionBudget: + enabled: true + + cni: + # -- Install Kuma with CNI instead of proxy init container + enabled: false + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 100m + memory: 100Mi + + ingress: + # -- If true, it deploys Ingress for cross cluster communication + enabled: false + # please tune the resource allocation according to your actual mesh size and traffic load after Kong 
Mesh is installed. + # try to make the resource limits identical to requests to make components are assigned as a QoS class of Guaranteed + resources: + requests: + cpu: 1000m + memory: 1024Mi + limits: + cpu: 1000m + memory: 1024Mi + + replicas: 2 + autoscaling: + enabled: true + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 50 + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: 50 + + podDisruptionBudget: + enabled: true + +ratelimit: + # -- Whether Ratelimit Service should be deployed + enabled: false + replicas: 2 + autoscaling: + enabled: true + minReplicas: 2 + maxReplicas: 5 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + + # please tune the resource allocation according to your actual mesh size and traffic load after Kong Mesh is installed. + # try to make the resource limits identical to requests to make components are assigned as a QoS class of Guaranteed + resources: + requests: + cpu: 500m + memory: 512Mi + limits: + cpu: 500m + memory: 512Mi + + secrets: + # (action): please prepare the content of this secret before installing Kong Mesh + # the value should be set according to your redis server configuration + # it is only required when the ratelimit component is enabled + - Secret: ratelimit-redis-auth + Key: redis-pass + Env: REDIS_AUTH +global: + ratelimit: + servertls: + enabled: true \ No newline at end of file diff --git a/app/assets/mesh/2.14.x/raw/helm-values-prod/values.global-cp.yaml b/app/assets/mesh/2.14.x/raw/helm-values-prod/values.global-cp.yaml new file mode 100644 index 0000000000..5203cd9a63 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/helm-values-prod/values.global-cp.yaml 
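Review bot: The `global.ratelimit.servertls.enabled: true` at the end of this hunk uses a key whose case differs from the chart default `global.ratelimit.serverTls` added in helm-values.yaml later in this commit; Helm merges value keys case-sensitively, so this override most likely lands under an unused key and TLS between the ratelimit service and the DPPs stays at its default of `false`. The same lower-case key is used in values.single-zone-cp.yaml. Both places should read `serverTls:`. Separately, the comment under `controlPlane.secrets` writes `$TOKEN_FLIE` in both shell commands where `$TOKEN_FILE` is presumably intended, and the `kumactl generate zone-token --zone --scope cp` example appears to have no zone name after `--zone` (it may have been lost in rendering, so worth checking against the source).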
@@ -0,0 +1,73 @@ +kuma: + controlPlane: + mode: "global" + + tls: + apiServer: + # (action): please prepare the content of this secret before installing Kong Mesh + # it contains the keys "tls.crt" and "tls.key", and the content items should be in "PEM" format + # more details on preparing certificates: https://docs.konghq.com/mesh/latest/production/secure-deployment/certificates/ + secretName: kong-mesh-apiserver-tls + kdsGlobalServer: + # (action): please prepare the content of this secret before installing Kong Mesh + # it contains the keys "ca.crt", "tls.crt" and "tls.key", and the content items should be in "PEM" format + # more details on preparing certificates: https://docs.konghq.com/mesh/latest/production/secure-deployment/certificates/ + secretName: kong-mesh-kds-global-server-tls + + apiServer: + corsAllowedDomains: + # change these values you want to access the control plane API server or Mesh GUI from a custom domain + - https://localhost:5682 + # if you want to access the API server using the HTTP port, add the following line + # - http://localhost:5681 + + defaults: + # change these values if you want to open the admin access rights of control plane API server to more groups + adminRoleGroups: + - mesh-system:admin + - system:masters + + envVars: + # if you want to access the API server using the HTTP port, change the following switch to "true" + KUMA_API_SERVER_HTTP_ENABLED: "false" + + secrets: + # (action): please prepare the content of this secret before installing Kong Mesh + # to obtain this license, please contact your Kong Account Manager and import it into your cluster: + # kubectl create -n kong-mesh-system secret generic kong-mesh-license --from-file license.json=$KMESH_LICENSE_FILE + - Secret: kong-mesh-license + Key: license.json + Env: KMESH_LICENSE_INLINE + + # please tune the resource allocation according to your actual mesh size and traffic load after Kong Mesh is installed + # try to make the resource limits identical to requests to 
make components are assigned as a QoS class of Guaranteed + # more details on sizing the CP: https://docs.konghq.com/mesh/latest/introduction/kuma-requirements/#sizing-your-control-plane + resources: + requests: + cpu: 1000m + memory: 1024Mi + limits: + cpu: 1000m + memory: 1024Mi + + replicas: 2 + autoscaling: + enabled: true + + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 50 + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: 50 + + + podDisruptionBudget: + enabled: true \ No newline at end of file diff --git a/app/assets/mesh/2.14.x/raw/helm-values-prod/values.single-zone-cp.yaml b/app/assets/mesh/2.14.x/raw/helm-values-prod/values.single-zone-cp.yaml new file mode 100644 index 0000000000..a0be5d0f3f --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/helm-values-prod/values.single-zone-cp.yaml 
@@ -0,0 +1,117 @@ +kuma: + controlPlane: + mode: "zone" + + tls: + apiServer: + # (action): please prepare the content of this secret before installing Kong Mesh + # it contains the keys "tls.crt" and "tls.key", and the content items should be in "PEM" format + # more details on preparing certificates: https://docs.konghq.com/mesh/latest/production/secure-deployment/certificates/ + secretName: kong-mesh-apiserver-tls + + apiServer: + corsAllowedDomains: + # change these values you want to access the control plane API server or Mesh GUI from a custom domain + - https://localhost:5682 + # if you want to access the API server using the HTTP port, add the following line + # - http://localhost:5681 + + defaults: + # change these values if you want to open the admin access rights of control plane API server to more groups + adminRoleGroups: + - mesh-system:admin + - system:masters + + envVars: + # if you want to access the API server using the HTTP port, change the following switch to "true" + KUMA_API_SERVER_HTTP_ENABLED: "false" + + secrets: + # (action): please prepare the content of this secret before installing Kong Mesh + # to obtain this license, please contact your Kong Account Manager and import it into your cluster: + # kubectl create -n kong-mesh-system secret generic kong-mesh-license --from-file license.json=$KMESH_LICENSE_FILE + - Secret: kong-mesh-license + Key: license.json + Env: KMESH_LICENSE_INLINE + + # please tune the resource allocation according to your actual mesh size and traffic load after Kong Mesh is installed. 
+ # try to make the resource limits identical to requests to make components are assigned as a QoS class of Guaranteed + # more details on sizing the CP: https://docs.konghq.com/mesh/latest/introduction/kuma-requirements/#sizing-your-control-plane + resources: + requests: + cpu: 1000m + memory: 1024Mi + limits: + cpu: 1000m + memory: 1024Mi + + replicas: 2 + autoscaling: + enabled: true + + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 50 + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: 50 + + + podDisruptionBudget: + enabled: true + + cni: + # -- Install Kuma with CNI instead of proxy init container + enabled: false + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 100m + memory: 100Mi + +ratelimit: + # -- Whether Ratelimit Service should be deployed + enabled: false + replicas: 2 + autoscaling: + enabled: true + minReplicas: 2 + maxReplicas: 5 + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + + # please tune the resource allocation according to your actual mesh size and traffic load after Kong Mesh is installed. + # try to make the resource limits identical to requests to make components are assigned as a QoS class of Guaranteed + resources: + requests: + cpu: 500m + memory: 512Mi + limits: + cpu: 500m + memory: 512Mi + + secrets: + # (action): please prepare the content of this secret before installing Kong Mesh + # the value should be set according to your redis server configuration + # it is only required when the ratelimit component is enabled + - Secret: ratelimit-redis-auth + Key: redis-pass + Env: REDIS_AUTH +global: + ratelimit: + servertls: + enabled: true \ No newline at end of file diff --git a/app/assets/mesh/2.14.x/raw/helm-values.yaml b/app/assets/mesh/2.14.x/raw/helm-values.yaml new file mode 100644 index 0000000000..5ecf17468c --- /dev/null 
+++ b/app/assets/mesh/2.14.x/raw/helm-values.yaml 
@@ -0,0 +1,149 @@ +kuma: + nameOverride: kong-mesh + # The default registry and tag to use for all Kuma images + global: + image: + registry: "docker.io/kong" + tag: + + controlPlane: + secrets: # {Env: "KMESH_LICENSE_INLINE", Secret: "kong-mesh-license", Key: "license"} + image: + repository: "kuma-cp" + webhooks: + validator: + additionalRules: | + - apiGroups: + - kuma.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - opapolicies + - accessaudits + - accessroles + - accessrolebindings + ownerReference: + additionalRules: | + - apiGroups: + - kuma.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - opapolicies + konnect: + # -- Control Plane Id of the control-plane in Mesh Konnect + cpId: "" + defaults: + adminRoleGroups: + - mesh-system:authenticated + - mesh-system:unauthenticated + - system:authenticated + - system:unauthenticated + plugins: + policies: + meshglobalratelimits: true + meshopas: true +ratelimit: + # -- Whether Ratelimit Service should be deployed + enabled: false + # -- Ratelimit service docker image + image: + # -- Ratelimit Service ImagePullPolicy + pullPolicy: IfNotPresent + # -- Ratelimit Service image registry + registry: "envoyproxy" + # -- Ratelimit Service image repository + repository: "ratelimit" + # -- Ratelimit Service image tag + tag: "542a6047@sha256:84a90618cfe3aa95179359606d75cade0d380734c9490dcf9d84c4400854b107" + # -- Log level of ratelimit service. Available values are: "INFO", "DEBUG" + logLevel: INFO + # -- Whether debug port should be exposed + exposeDebugPort: false + # -- Pod restart policy for the ratelimit + restartPolicy: Always + redis: + # -- Redis address. Need to be specified for ratelimit service to start + address: + # -- Redis port. 
Need to be specified for ratelimit service to start + port: + # -- Additional environment variables that will be passed to the ratelimit service + envVars: {} + service: + # -- Service type of the Ratelimit Service + type: ClusterIP + # -- Additional annotations to put on the Ratelimit service + annotations: { } + # -- Port on which Ratelimit Service is exposed + port: 10003 + # -- Port on which service is exposed on Node for service of type NodePort + nodePort: + # -- Additional pod annotations (deprecated favor `podAnnotations`) + annotations: { } + # -- Additional pod annotations + podAnnotations: { } + # -- (object with { Env: string, Secret: string, Key: string }) Secrets to add as environment variables, + # where `Env` is the name of the env variable, + # `Secret` is the name of the Secret, + # and `Key` is the key of the Secret value to use + secrets: # {Env: "REDIS_AUTH", Secret: "ratelimit-redis-auth", Key: "redis-pass"} + # someSecret: + # Secret: some-secret + # Key: secret_key + # Env: SOME_SECRET + # Horizontal Pod Autoscaling configuration + autoscaling: + # -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster + enabled: false + # -- The minimum CP pods to allow + minReplicas: 1 + # -- The max CP pods to scale to + maxReplicas: 5 + # -- For clusters that don't support autoscaling/v2beta, autoscaling/v1 is used + targetCPUUtilizationPercentage: 80 + # -- For clusters that do support autoscaling/v2beta, use metrics + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + # -- Number of replicas of the Ratelimit Service. 
Ignored when autoscaling is enabled + replicas: 1 + # -- Optionally override the resource spec + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + memory: 512Mi + # -- Labels to add to resources in addition to default labels + extraLabels: { } + # -- Security context at the pod level for ratelimit service + podSecurityContext: + runAsNonRoot: true + runAsUser: 5678 + runAsGroup: 5678 + # -- Security context at the container level for ratelimit service + containerSecurityContext: + readOnlyRootFilesystem: true + +# -- This configuration is global and accessible in the Kong Mesh and Kuma chart which is included as submodule +global: + ratelimit: + serverTls: + # -- Whether Ratelimit Service should use TLS for protecting communication with DPP + enabled: false + # -- Secret that contains tls.crt, tls.key and ca.crt for protecting + # Ratelimit service with DPP communication. Should be specified if you don't + # want to use autogenerated one + secretName: "" + # -- Base64 encoded CA certificate (the same as in global.ratelimit.serverTls.secret#ca.crt) + caBundle: "" diff --git a/app/assets/mesh/2.14.x/raw/kuma-cp.yaml b/app/assets/mesh/2.14.x/raw/kuma-cp.yaml new file mode 100644 index 0000000000..12f7e3c91b --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/kuma-cp.yaml 
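Review bot: The default `kuma.controlPlane.defaults.adminRoleGroups` in this hunk grants the admin role to `mesh-system:unauthenticated` and `system:unauthenticated`, i.e. to callers with no identity at all, and nothing in the file says this is a development-only default. The production values files in this commit (values.global-cp.yaml, values.single-zone-cp.yaml, values.federated-zone-cp.yaml) narrow the list to `mesh-system:admin` and `system:masters`, which suggests the wide default is deliberate but should be called out where it is set. I would add above `adminRoleGroups:` the comment `# -- Groups granted the CP admin role; this default includes unauthenticated users and must be narrowed (see helm-values-prod) before the API server is exposed`. The `ratelimit.containerSecurityContext` block sets only `readOnlyRootFilesystem`; whether the chart adds `allowPrivilegeEscalation: false` or drops capabilities elsewhere is not visible here, so that is worth confirming.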
@@ -0,0 +1,1100 @@ +# Environment type. Available values are: "kubernetes" or "universal" +environment: universal # ENV: KUMA_ENVIRONMENT +# Mode in which Kuma CP is running. Available values are: "global", "zone", "standalone" (deprecated, use "zone") +mode: zone # ENV: KUMA_MODE +# Resource Store configuration +store: + # Type of Store used in the Control Plane. Available values are: "kubernetes", "postgres" or "memory" + type: memory # ENV: KUMA_STORE_TYPE + # Kubernetes Store configuration (used when store.type=kubernetes) + kubernetes: + # Namespace where Control Plane is installed to. + systemNamespace: kong-mesh-system # ENV: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE + # Postgres Store configuration (used when store.type=postgres) + postgres: + # Host of the Postgres DB + host: 127.0.0.1 # ENV: KUMA_STORE_POSTGRES_HOST + # Port of the Postgres DB + port: 15432 # ENV: KUMA_STORE_POSTGRES_PORT + # User of the Postgres DB + user: kuma # ENV: KUMA_STORE_POSTGRES_USER + # Password of the Postgres DB + password: kuma # ENV: KUMA_STORE_POSTGRES_PASSWORD + # Database name of the Postgres DB + dbName: kuma # ENV: KUMA_STORE_POSTGRES_DB_NAME + # Driver to use, one of: pgx, postgres + driverName: pgx # ENV: KUMA_STORE_POSTGRES_DRIVER_NAME + # Connection Timeout to the DB in seconds + connectionTimeout: 5 # ENV: KUMA_STORE_POSTGRES_CONNECTION_TIMEOUT + # MaxConnectionIdleTime (applied only when driverName=pgx) is the duration after which an idle connection will be automatically closed by the health check. + maxConnectionIdleTime: "30m" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_IDLE_TIME + # MaxConnectionLifetime (applied only when driverName=pgx) is the duration since creation after which a connection will be automatically closed + maxConnectionLifetime: "1h" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME + # MaxConnectionLifetimeJitter (applied only when driverName=pgx) is the duration after maxConnectionLifetime to randomly decide to close a connection. 
+ # This helps prevent all connections from being closed at the exact same time, starving the pool. + maxConnectionLifetimeJitter: "1m" # ENV: KUMA_STORE_POSTGRES_MAX_CONNECTION_LIFETIME_JITTER + # HealthCheckInterval (applied only when driverName=pgx) is the duration between checks of the health of idle connections. + healthCheckInterval: "30s" # ENV: KUMA_STORE_POSTGRES_HEALTH_CHECK_INTERVAL + # MinOpenConnections (applied only when driverName=pgx) is the minimum number of open connections to the database + minOpenConnections: 0 # ENV: KUMA_STORE_POSTGRES_MIN_OPEN_CONNECTIONS + # MaxOpenConnections is the maximum number of open connections to the database + # `0` value means number of open connections is unlimited + maxOpenConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_OPEN_CONNECTIONS + # MaxIdleConnections is the maximum number of connections in the idle connection pool + # <0 value means no idle connections and 0 means default max idle connections. + maxIdleConnections: 50 # ENV: KUMA_STORE_POSTGRES_MAX_IDLE_CONNECTIONS + # MaxListQueryElements defines maximum number of changed elements before requesting full list of elements from the store. + maxListQueryElements: 0 # ENV: KUMA_STORE_POSTGRES_MAX_LIST_QUERY_ELEMENTS + # TLS settings + tls: + # Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull" + mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE + # Path to TLS Certificate of the client. Required when server has METHOD=cert + certPath: # ENV: KUMA_STORE_POSTGRES_TLS_CERT_PATH + # Path to TLS Key of the client. Required when server has METHOD=cert + keyPath: # ENV: KUMA_STORE_POSTGRES_TLS_KEY_PATH + # Path to the root certificate. Used in verifyCa and verifyFull modes. + caPath: # ENV: KUMA_STORE_POSTGRES_TLS_ROOT_CERT_PATH + # ReadReplica is a setting for a DB replica used only for read queries + readReplica: + # Host of the Postgres DB read replica. If not set, read replica is not used. 
+ host: "" # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_HOST + # Port of the Postgres DB read replica + port: 5432 # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_PORT + # Ratio in [0-100] range. How many SELECT queries (out of 100) will use read replica. + ratio: 100 # ENV: KUMA_STORE_POSTGRES_READ_REPLICA_RATIO + # Cache for read only operations. This cache is local to the instance of the control plane. + cache: + # If true then cache is enabled + enabled: true # ENV: KUMA_STORE_CACHE_ENABLED + # Expiration time for elements in cache. + expirationTime: 1s # ENV: KUMA_STORE_CACHE_EXPIRATION_TIME + # Upsert (get and update) configuration + upsert: + # Base time for exponential backoff on upsert operations when retry is enabled + conflictRetryBaseBackoff: 200ms # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_BASE_BACKOFF + # Max retries on upsert (get and update) operation when retry is enabled + conflictRetryMaxTimes: 10 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_MAX_TIMES + # Percentage of jitter. For example: if backoff is 20s, and this value 10, the backoff will be between 18s and 22s. + conflictRetryJitterPercent: 30 # ENV: KUMA_STORE_UPSERT_CONFLICT_RETRY_JITTER_PERCENT + # If true, skips validation of resource delete. 
+ # For example you don't have to delete all Dataplane objects before you delete a Mesh + unsafeDelete: false # ENV: KUMA_STORE_UNSAFE_DELETE +# Configuration of Bootstrap Server, which provides bootstrap config to Dataplanes +bootstrapServer: + # Parameters of bootstrap configuration + params: + # Address of Envoy Admin + adminAddress: 127.0.0.1 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ADDRESS + # Port of Envoy Admin + adminPort: 9901 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_PORT + # If true, Envoy admin API binds to a Unix domain socket instead of TCP + envoyAdminUnixSocket: true # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ENVOY_ADMIN_UNIX_SOCKET + # Port for the readiness reporter when admin uses Unix domain socket + readinessPort: 9902 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_READINESS_PORT + # Path to access log file of Envoy Admin + adminAccessLogPath: /dev/null # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_ADMIN_ACCESS_LOG_PATH + # Host of XDS Server. By default it is the same host as the one used by kuma-dp to connect to the control plane + xdsHost: "" # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_HOST + # Port of XDS Server. By default it is autoconfigured from KUMA_DP_SERVER_PORT + xdsPort: 0 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_PORT + # Connection timeout to the XDS Server + xdsConnectTimeout: 1s # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_CONNECT_TIMEOUT + # Cap on the gRPC C-Core receive flow-control window for the kuma-dp xDS + # client. Set as the GoogleGrpc channel arg `grpc.max_receive_message_length`. + # Default 4 MiB is large enough for gateway DPs with 450+ listeners; the + # gRPC C-Core default of 4 MiB sizes the per-stream HTTP/2 receive window + # too small for the initial xDS push on those DPs and stalls the stream. 
+ xdsGrpcMaxReceiveMessageBytes: 4194304 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_GRPC_MAX_RECEIVE_MESSAGE_BYTES +# Monitoring Assignment Discovery Service (MADS) server configuration +monitoringAssignmentServer: + # Whether the MADS server is enabled + enabled: true # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_ENABLED + # Port of a gRPC server that serves Monitoring Assignment Discovery Service (MADS). + port: 5676 # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_PORT + # Which MADS API versions to serve + apiVersions: ["v1"] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_API_VERSIONS + # Interval for re-generating monitoring assignments for clients connected to the Control Plane. + assignmentRefreshInterval: 1s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_ASSIGNMENT_REFRESH_INTERVAL + # The default timeout for a single fetch-based discovery request, if not specified + defaultFetchTimeout: 30s # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_DEFAULT_FETCH_TIMEOUT + # Path to TLS certificate file + tlsCertFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CERT_FILE + # Path to TLS key file + tlsKeyFile: "" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_KEY_FILE + # TlsMinVersion the minimum version of TLS used across all the Kuma Servers. + tlsMinVersion: "TLSv1_2" # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MIN_VERSION + # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers. + tlsMaxVersion: # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_MAX_VERSION + # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers. 
+ tlsCipherSuites: [] # ENV: KUMA_MONITORING_ASSIGNMENT_SERVER_TLS_CIPHER_SUITES +# Envoy XDS server configuration +xdsServer: + # Interval for re-genarting configuration for Dataplanes connected to the Control Plane + dataplaneConfigurationRefreshInterval: 1s # ENV: KUMA_XDS_SERVER_DATAPLANE_CONFIGURATION_REFRESH_INTERVAL + # Interval for flushing status of Dataplanes connected to the Control Plane + dataplaneStatusFlushInterval: 10s # ENV: KUMA_XDS_SERVER_DATAPLANE_STATUS_FLUSH_INTERVAL + # Backoff that is executed when Control Plane is sending the response that was previously rejected by Dataplane + nackBackoff: 5s # ENV: KUMA_XDS_SERVER_NACK_BACKOFF + # A delay between proxy terminating a connection and the CP trying to deregister the proxy. + # It is used only in universal mode when you use direct lifecycle. + # Setting this setting to 0s disables the delay. + # Disabling this may cause race conditions that one instance of CP removes proxy object + # while proxy is connected to another instance of the CP. + dataplaneDeregistrationDelay: 10s # ENV: KUMA_XDS_DATAPLANE_DEREGISTRATION_DELAY +# API Server configuration +apiServer: + # HTTP configuration of the API Server + http: + # If true then API Server will be served on HTTP + enabled: true # ENV: KUMA_API_SERVER_HTTP_ENABLED + # Network interface on which HTTP API Server will be exposed + interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTP_INTERFACE + # Port of the API Server + port: 5681 # ENV: KUMA_API_SERVER_HTTP_PORT + # HTTPS configuration of the API Server + https: + # If true then API Server will be served on HTTPS + enabled: true # ENV: KUMA_API_SERVER_HTTPS_ENABLED + # Network interface on which HTTPS API Server will be exposed + interface: 0.0.0.0 # ENV: KUMA_API_SERVER_HTTPS_INTERFACE + # Port of the HTTPS API Server + port: 5682 # ENV: KUMA_API_SERVER_HTTPS_PORT + # Path to TLS certificate file. 
Autoconfigured from KUMA_GENERAL_TLS_CERT_FILE if empty + tlsCertFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE + # Path to TLS key file. Autoconfigured from KUMA_GENERAL_TLS_KEY_FILE if empty + tlsKeyFile: "" # ENV: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE + # Path to the CA certificate which is used to sign client certificates. It is used only for verifying client certificates. + tlsCaFile: "" # ENV: KUMA_API_SERVER_HTTPS_CLIENT_CERTS_CA_FILE + # TlsMinVersion the minimum version of TLS used across all the Kuma Servers. + tlsMinVersion: "TLSv1_2" # ENV: KUMA_API_SERVER_HTTPS_TLS_MIN_VERSION + # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers. + tlsMaxVersion: # ENV: KUMA_API_SERVER_HTTPS_TLS_MAX_VERSION + # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers. + tlsCipherSuites: [] # ENV: KUMA_API_SERVER_HTTPS_TLS_CIPHER_SUITES + # If true, then HTTPS connection will require client cert. + requireClientCert: false # ENV: KUMA_API_SERVER_HTTPS_REQUIRE_CLIENT_CERT + # Authentication configuration for administrative endpoints like Dataplane Token or managing Secrets + auth: + # Directory of authorized client certificates (only validate in HTTPS) + clientCertsDir: "" # ENV: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR + # Api Server Authentication configuration + authn: + # Type of authentication mechanism (available values: "adminClientCerts", "tokens") + type: tokens # ENV: KUMA_API_SERVER_AUTHN_TYPE + # Localhost is authenticated as a user admin of group admin + localhostIsAdmin: true # ENV: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN + # Configuration for tokens authentication + tokens: + # If true then User Token with name admin and group admin will be created and placed as admin-user-token Kuma secret + bootstrapAdminToken: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_BOOTSTRAP_ADMIN_TOKEN + # If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline. 
+ enableIssuer: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_ENABLE_ISSUER + # Token validator configuration + validator: + # If true then Kuma secrets with prefix "user-token-signing-key" are considered as signing keys. + useSecrets: true # ENV: KUMA_API_SERVER_AUTHN_TOKENS_VALIDATOR_USE_SECRETS + # List of public keys used to validate the token. Example: + # - kid: 1 + # key: | + # -----BEGIN RSA PUBLIC KEY----- + # MIIBCgKCAQEAq.... + # -----END RSA PUBLIC KEY----- + # - kid: 2 + # keyFile: /keys/public.pem + publicKeys: [] + # If true, then API Server will operate in read only mode (serving GET requests) + readOnly: false # ENV: KUMA_API_SERVER_READ_ONLY + # Allowed domains for Cross-Origin Resource Sharing. The value can be either domain or regexp + corsAllowedDomains: [] # ENV: KUMA_API_SERVER_CORS_ALLOWED_DOMAINS + # Can be used if you use a reverse proxy + rootUrl: "" # ENV: KUMA_API_SERVER_ROOT_URL + # The path to serve the API from + basePath: "/" # ENV: KUMA_API_SERVER_BASE_PATH + # configuration specific to the GUI + gui: + # Whether to serve the gui (if mode=zone this has no effect) + enabled: true # ENV: KUMA_API_SERVER_GUI_ENABLED + # Can be used if you use a reverse proxy or want to serve the gui from a different path + rootUrl: "" # ENV: KUMA_API_SERVER_GUI_ROOT_URL + # The path to serve the GUI from + basePath: "/gui" # ENV: KUMA_API_SERVER_GUI_BASE_PATH + # The amount of time allowed to read request headers + readHeaderTimeout: 1s # ENV: KUMA_API_SERVER_READ_HEADER_TIMEOUT + # The maximum duration for reading the entire request + readTimeout: 10s # ENV: KUMA_API_SERVER_READ_TIMEOUT + # The maximum duration before timing out writes of the response + writeTimeout: 30s # ENV: KUMA_API_SERVER_WRITE_TIMEOUT + # The maximum amount of time to wait for the next request when keep-alives are enabled + idleTimeout: 2m0s # ENV: KUMA_API_SERVER_IDLE_TIMEOUT +# Environment-specific configuration +runtime: + # Kubernetes-specific configuration + kubernetes: + # 
Service name of the Kuma Control Plane. It is used to point Kuma DP to proper URL. + controlPlaneServiceName: kuma-control-plane # ENV: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME + # Taint controller that prevents applications from scheduling until CNI is ready. + nodeTaintController: + # If true enables the taint controller. + enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED + # Value of app label on CNI pod that indicates if node can be ready. + cniApp: "" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP + # Value of CNI namespace. + cniNamespace: "kube-system" # ENV: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_NAMESPACE + # Admission WebHook Server configuration + admissionServer: + # Address the Admission WebHook Server should be listening on + address: # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_ADDRESS + # Port the Admission WebHook Server should be listening on + port: 5443 # ENV: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT + # Directory with a TLS cert and private key for the Admission WebHook Server. + # TLS certificate file must be named `tls.crt`. + # TLS key file must be named `tls.key`. + certDir: # ENV: kuma_runtime_kubernetes_admission_server_cert_dir + # Injector defines configuration of a Kuma Sidecar Injector. + injector: + # if true runs kuma-cp in CNI compatible mode + cniEnabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED + # list of exceptions for Kuma injection + exceptions: + # a map of labels for exception. If pod matches label with given value Kuma won't be injected. Specify '*' to match any value. + labels: + openshift.io/build.name: "*" + openshift.io/deployer-pod-for.name: "*" + # (Deprecated, set ApplicationProbeProxyPort to 0 to disable probe proxying) VirtualProbesEnabled enables automatic converting HttpGet probes to virtual. 
+ # Virtual probe serves on sub-path of insecure port 'virtualProbesPort', + # i.e :8080/health/readiness -> :9000/8080/health/readiness where 9000 is virtualProbesPort + virtualProbesEnabled: false # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_ENABLED + # (Deprecated, use ApplicationProbeProxyPort instead) VirtualProbesPort is a port for exposing virtual probes which are not secured by mTLS + virtualProbesPort: 9000 # ENV: KUMA_RUNTIME_KUBERNETES_VIRTUAL_PROBES_PORT + # ApplicationProbeProxyPort is a port for proxying application probes, it is not secured by mTLS. By setting to 0, probe proxying will be disabled. + applicationProbeProxyPort: 9001 # ENV: KUMA_RUNTIME_KUBERNETES_APPLICATION_PROBE_PROXY_PORT + # CaCertFile is CA certificate which will be used to verify a connection to the control plane. + caCertFile: # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE + # SidecarContainer defines configuration of the Kuma sidecar container. + sidecarContainer: + # Image name. + image: kuma/kuma-dp:latest # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE + # Redirect port for inbound traffic. + redirectPortInbound: 15006 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_INBOUND + # IP family mode enabled for traffic redirection, can be 'dualstack' or 'ipv4' + ipFamilyMode: dualstack # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IP_FAMILY_MODE + # Redirect port for outbound traffic. + redirectPortOutbound: 15001 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_REDIRECT_PORT_OUTBOUND + # User ID. + uid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_UID + # Group ID. + gid: 5678 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_GUI + # Drain time for listeners. + drainTime: 30s # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_DRAIN_TIME + # Readiness probe. + readinessProbe: + # Number of seconds after the container has started before readiness probes are initiated. 
+ initialDelaySeconds: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_INITIAL_DELAY_SECONDS + # Number of seconds after which the probe times out. + timeoutSeconds: 3 # ENV : KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_TIMEOUT_SECONDS + # Number of seconds after which the probe times out. + periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_PERIOD_SECONDS + # Minimum consecutive successes for the probe to be considered successful after having failed. + successThreshold: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_SUCCESS_THRESHOLD + # Minimum consecutive failures for the probe to be considered failed after having succeeded. + failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_READINESS_PROBE_FAILURE_THRESHOLD + # Liveness probe. + livenessProbe: + # Number of seconds after the container has started before liveness probes are initiated. + initialDelaySeconds: 60 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_INITIAL_DELAY_SECONDS + # Number of seconds after which the probe times out. + timeoutSeconds: 3 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_TIMEOUT_SECONDS + # How often (in seconds) to perform the probe. + periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_PERIOD_SECONDS + # Minimum consecutive failures for the probe to be considered failed after having succeeded. + failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_LIVENESS_PROBE_FAILURE_THRESHOLD + # Startup probe (if sidecar containers feature is enabled). + startupProbe: + # Number of seconds after the container has started before startup probes are initiated. + initialDelaySeconds: 1 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_INITIAL_DELAY_SECONDS + # Number of seconds after which the probe times out. 
+ timeoutSeconds: 3 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_TIMEOUT_SECONDS + # How often (in seconds) to perform the probe. + periodSeconds: 5 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_PERIOD_SECONDS + # Minimum consecutive failures for the probe to be considered failed after having succeeded. + failureThreshold: 12 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_STARTUP_PROBE_FAILURE_THRESHOLD + # Compute resource requirements. + resources: + # Minimum amount of compute resources required. + requests: + # CPU, in cores. (500m = .5 cores) + cpu: 50m # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_CPU + # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + memory: 64Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_REQUESTS_MEMORY + # Maximum amount of compute resources allowed. + limits: + # CPU, in cores. (500m = .5 cores). Set to 0 to disable CPU limit. + cpu: "0" # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_CPU + # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + memory: 512Mi # ENV: KUMA_INJECTOR_SIDECAR_CONTAINER_RESOURCES_LIMITS_MEMORY + # Additional environment variables that can be placed on Kuma DP sidecar + envVars: {} # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_ENV_VARS + # If true, it enables a postStart script that waits until Envoy is ready. + # With the current Kubernetes behavior, any other container in the Pod will wait until the script is complete. + waitForDataplaneReady: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_WAIT_FOR_DATAPLANE_READY + # InitContainer defines configuration of the Kuma init container + initContainer: + # Image name. + image: kuma/kuma-init:latest # ENV: KUMA_INJECTOR_INIT_CONTAINER_IMAGE + # Compute resource requirements. + resources: + # Minimum amount of compute resources required. + requests: + # CPU, in cores. 
(500m = .5 cores) + cpu: 20m # ENV: KUMA_INJECTOR_INIT_CONTAINER_RESOURCES_REQUESTS_CPU + # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + memory: 20M # ENV: KUMA_INJECTOR_INIT_CONTAINER_RESOURCES_REQUESTS_MEMORY + # Maximum amount of compute resources allowed. + limits: + # CPU, in cores. (500m = .5 cores). Set to 0 to disable CPU limit. + cpu: "0" # ENV: KUMA_INJECTOR_INIT_CONTAINER_RESOURCES_LIMITS_CPU + # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + memory: 50M # ENV: KUMA_INJECTOR_INIT_CONTAINER_RESOURCES_LIMITS_MEMORY + # ValidationContainer defines configuration of the Kuma validation init container + validationContainer: + # Compute resource requirements. + resources: + # Minimum amount of compute resources required. + requests: + # CPU, in cores. (500m = .5 cores) + cpu: 20m # ENV: KUMA_INJECTOR_VALIDATION_CONTAINER_RESOURCES_REQUESTS_CPU + # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + memory: 20M # ENV: KUMA_INJECTOR_VALIDATION_CONTAINER_RESOURCES_REQUESTS_MEMORY + # Maximum amount of compute resources allowed. + limits: + # CPU, in cores. (500m = .5 cores). Set to 0 to disable CPU limit. + cpu: "0" # ENV: KUMA_INJECTOR_VALIDATION_CONTAINER_RESOURCES_LIMITS_CPU + # Memory, in bytes. (500Gi = 500GiB = 500 * 1024 * 1024 * 1024) + memory: 50M # ENV: KUMA_INJECTOR_VALIDATION_CONTAINER_RESOURCES_LIMITS_MEMORY + # ContainerPatches is an optional list of ContainerPatch names which will be applied + # to init and sidecar containers if workload is not annotated with a patch list. + containerPatches: [] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_CONTAINER_PATCHES + # Configuration for a traffic that is intercepted by sidecar + sidecarTraffic: + # List of inbound ports that will be excluded from interception. + # This setting is applied on every pod unless traffic.kuma.io/exclude-inbound-ports annotation is specified on Pod. 
+ excludeInboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_PORTS + # List of outbound ports that will be excluded from interception. + # This setting is applied on every pod unless traffic.kuma.io/exclude-oubound-ports annotation is specified on Pod. + excludeOutboundPorts: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_PORTS + # List of inbound IP addresses that will be excluded from interception. + # This setting is applied on every pod unless traffic.kuma.io/exclude-inbound-ips annotation is specified on the Pod. + # IP addresses can be specified with or without CIDR notation, and multiple addresses can be separated by commas. + excludeInboundIPs: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_INBOUND_IPS + # List of outbound IP addresses that will be excluded from interception. + # This setting is applied on every pod unless traffic.kuma.io/exclude-outbound-ips annotation is specified on the Pod. + # IP addresses can be specified with or without CIDR notation, and multiple addresses can be separated by commas. 
+ excludeOutboundIPs: [] # ENV: KUMA_RUNTIME_KUBERNETES_SIDECAR_TRAFFIC_EXCLUDE_OUTBOUND_IPS + builtinDNS: + # Use the built-in DNS + enabled: true # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_ENABLED + # Redirect port for DNS + port: 15053 # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_PORT + # Enable coredns query logging if true + logging: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_LOGGING + # Use the embedded DNS instead (This is an experimental feature) + experimentalProxy: true # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_EXPERIMENTAL_PROXY + # EBPF defines configuration for the ebpf, when transparent proxy is marked to be + # installed using ebpf instead of iptables + ebpf: + # Install transparent proxy using ebpf + enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED + # Name of the environmental variable which will include IP address of the pod + instanceIPEnvVarName: INSTANCE_IP # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_INSTANCE_IP_ENV_VAR_NAME + # Path where BPF file system will be mounted for pinning ebpf programs and maps + bpffsPath: /sys/fs/bpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_BPFFS_PATH + # Path of mounted cgroup2 + cgroupPath: /sys/fs/cgroup # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_CGROUP_PATH + # Name of the network interface which should be used to attach to it TC programs + # when not specified, we will try to automatically determine it + tcAttachIface: "" # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_TC_ATTACH_IFACE + # Path where compiled eBPF programs are placed + programsSourcePath: /tmp/kuma-ebpf # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_PROGRAMS_SOURCE_PATH + # IgnoredServiceSelectorLabels defines a list ignored labels in Service selector. + # If Pod matches a Service with ignored labels, but does not match it fully, it gets Ignored inbound. + # It is useful when you change Service selector and expect traffic to be sent immediately. 
+ # An example of this is ArgoCD's BlueGreen deployment and "rollouts-pod-template-hash" selector. + ignoredServiceSelectorLabels: [] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_IGNORED_SERVICE_SELECTOR_LABELS + # nodeLabelsToCopy defines a list of node labels that should be copied to the Pod. + nodeLabelsToCopy: ["topology.kubernetes.io/zone", "topology.kubernetes.io/region", "kubernetes.io/hostname"] # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_NODE_LABELS_TO_COPY + # TransparentProxyConfigMapName is used to specify the name of the ConfigMap that contains transparent proxy + # configuration. If this value is left empty, the transparent proxy configuration will not be loaded from + # a ConfigMap. The actual value is expected to be provided via an environment variable + transparentProxyConfigMap: "" # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_TRANSPARENT_PROXY_CONFIGMAP_NAME + # unifiedResourceNamingEnabled enables automatic injection of the unified naming feature flag into all sidecar-injected workloads. + # When set to true, the injector will add the required environment variable directly to the `kuma-sidecar` container. + # This ensures that the data plane proxy uses the new unified naming format for Envoy resources and stats. + unifiedResourceNamingEnabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_UNIFIED_RESOURCE_NAMING_ENABLED + # OtelPipeEnabled controls whether kuma-dp pipe mode is enabled for OTel backends. + # When true (default), kuma-dp proxies OTel traffic through a Unix socket. + otelPipeEnabled: true # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_OTEL_PIPE_ENABLED + # Spire is used to specify spire integration configuration. + spire: + # If true, enables mounting of SPIRE-related resources. + enabled: false # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SPIRE_ENABLED + # mountPath is the location inside the container where the SPIRE agent socket will be mounted. 
+ mountPath: "/run/spire/sockets" # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SPIRE_MOUNT_PATH
+ # socketFileName is the name of the socket on the host
+ socketFileName: "socket" # ENV: KUMA_RUNTIME_KUBERNETES_INJECTOR_SPIRE_SOCKET_FILE_NAME
+ marshalingCacheExpirationTime: 5m # ENV: KUMA_RUNTIME_KUBERNETES_MARSHALING_CACHE_EXPIRATION_TIME
+ # Kubernetes's resources reconciliation concurrency configuration
+ controllersConcurrency:
+ # PodController defines maximum concurrent reconciliations of Pod resources
+ # Default value 10. If set to 0 kube controller-runtime default value of 1 will be used.
+ podController: 10 # ENV: KUMA_RUNTIME_KUBERNETES_CONTROLLERS_CONCURRENCY_POD_CONTROLLER
+ # Kubernetes client configuration
+ clientConfig:
+ # Qps defines maximum requests kubernetes client is allowed to make per second.
+ # Default value 100. If set to 0 kube-client default value of 5 will be used.
+ qps: 100 # ENV: KUMA_RUNTIME_KUBERNETES_CLIENT_CONFIG_QPS
+ # BurstQps defines maximum burst requests kubernetes client is allowed to make per second
+ # Default value 100. If set to 0 kube-client default value of 10 will be used.
+ burstQps: 100 # ENV: KUMA_RUNTIME_KUBERNETES_CLIENT_CONFIG_BURST_QPS
+ leaderElection:
+ # LeaseDuration is the duration that non-leader candidates will
+ # wait to force acquire leadership. This is measured against time of
+ # last observed ack. Default is 15 seconds.
+ leaseDuration: 15s # ENV: KUMA_RUNTIME_KUBERNETES_LEADER_ELECTION_LEASE_DURATION
+ # RenewDeadline is the duration that the acting controlplane will retry
+ # refreshing leadership before giving up. Default is 10 seconds.
+ renewDeadline: 10s # ENV: KUMA_RUNTIME_KUBERNETES_LEADER_ELECTION_RENEW_DEADLINE
+ # SkipMeshOwnerReference is a flag that allows to skip adding Mesh owner reference to resources.
+ # If this is set to true, deleting a Mesh will not delete resources that belong to that Mesh.
+ # This can be useful when resources are managed in Argo CD where creation/deletion is managed there.
+ skipMeshOwnerReference: false # ENV: KUMA_RUNTIME_KUBERNETES_SKIP_MESH_OWNER_REFERENCE
+ # If true, then control plane can support TLS secrets for builtin gateway outside of mesh system namespace.
+ # The downside is that control plane requires permission to read Secrets in all namespaces.
+ supportGatewaySecretsInAllNamespaces: false # ENV: KUMA_RUNTIME_KUBERNETES_SUPPORT_GATEWAY_SECRETS_IN_ALL_NAMESPACES
+ # WorkloadLabels is a prioritized list of pod labels to use for generating the kuma.io/workload label on DataplaneProxy.
+ # The first non-empty label value found will be used. If no labels match, falls back to ServiceAccount name.
+ # Default is empty list (uses ServiceAccount as workload identifier).
+ workloadLabels: [] # ENV: KUMA_RUNTIME_KUBERNETES_WORKLOAD_LABELS
+ # DisallowMultipleMeshesPerNamespace prevents pods from using kuma.io/mesh label in ways that would create
+ # multiple meshes within a single namespace. When enabled, Workload generation is skipped for namespaces
+ # with multiple meshes and a warning event is emitted.
+ disallowMultipleMeshesPerNamespace: false # ENV: KUMA_RUNTIME_KUBERNETES_DISALLOW_MULTIPLE_MESHES_PER_NAMESPACE
+ # Universal-specific configuration
+ universal:
+ # DataplaneCleanupAge defines how long Dataplane should be offline to be cleaned up by GC
+ dataplaneCleanupAge: 72h0m0s # ENV: KUMA_RUNTIME_UNIVERSAL_DATAPLANE_CLEANUP_AGE
+ # ZoneResourceCleanupAge defines how long ZoneIngress and ZoneEgress should be offline to be cleaned up by GC
+ zoneResourceCleanupAge: 72h0m0s # ENV: KUMA_RUNTIME_UNIVERSAL_ZONE_RESOURCE_CLEANUP_AGE
+ # VIPRefreshInterval defines how often all meshes' VIPs should be recomputed
+ vipRefreshInterval: 500ms # ENV: KUMA_RUNTIME_UNIVERSAL_VIP_REFRESH_INTERVAL
+ # Spire defines default configuration of the spire properties
+ spire:
+ # SocketPath is the location of the socket file one the host
+ socketPath: /tmp/spire-agent/public/api.sock # ENV: KUMA_RUNTIME_UNIVERSAL_SPIRE_SOCKET_PATH
+ workload:
+ # How often we check whether Workloads need to be generated from Dataplanes
+ generationInterval: 2s # ENV: KUMA_RUNTIME_UNIVERSAL_WORKLOAD_GENERATION_INTERVAL
+# Default Kuma entities configuration
+defaults:
+ # If true, it skips creating the default Mesh
+ skipMeshCreation: false # ENV: KUMA_DEFAULTS_SKIP_MESH_CREATION
+ # If true, it skips creating the default tenant resources
+ skipTenantResources: false # ENV: KUMA_DEFAULTS_SKIP_TENANT_RESOURCES
+ # If true, it creates the default routing (TrafficPermission and TrafficRoute) resources for a new Mesh
+ createMeshRoutingResources: false # ENV: KUMA_DEFAULTS_CREATE_MESH_ROUTING_RESOURCES
+ # If true, it skips creating default hostname generators
+ skipHostnameGenerators: false # ENV: KUMA_DEFAULTS_SKIP_HOSTNAME_GENERATORS
+# Metrics configuration
+metrics:
+ dataplane:
+ # How many latest subscriptions will be stored in DataplaneInsight object, if equals 0 then unlimited
+ subscriptionLimit: 2 # ENV: KUMA_METRICS_DATAPLANE_SUBSCRIPTION_LIMIT
+ # How long data plane proxy can stay Online without active xDS connection
+ idleTimeout: 5m # ENV: KUMA_METRICS_DATAPLANE_IDLE_TIMEOUT
+ zone:
+ # How many latest subscriptions will be stored in ZoneInsights object, if equals 0 then unlimited
+ subscriptionLimit: 10 # ENV: KUMA_METRICS_ZONE_SUBSCRIPTION_LIMIT
+ # How long zone can stay Online without active KDS connection
+ idleTimeout: 5m # ENV: KUMA_METRICS_ZONE_IDLE_TIMEOUT
+ # Compact finished metrics (do not store config and details of KDS exchange).
+ compactFinishedSubscriptions: false # ENV: KUMA_METRICS_ZONE_COMPACT_FINISHED_SUBSCRIPTIONS
+ mesh:
+ # Minimum time between 2 refresh of insights
+ minResyncInterval: 1s # ENV: KUMA_METRICS_MESH_MIN_RESYNC_INTERVAL
+ # time between triggering a full refresh of all the insights
+ fullResyncInterval: 20s # ENV: KUMA_METRICS_MESH_FULL_RESYNC_INTERVAL
+ # the size of the buffer between event creation and processing
+ bufferSize: 1000 # ENV: KUMA_METRICS_MESH_BUFFER_SIZE
+ # the number of workers that process metrics events
+ eventProcessors: 1 # ENV: KUMA_METRICS_MESH_EVENT_PROCESSORS
+ controlPlane:
+ # If true metrics show number of resources in the system should be reported
+ reportResourcesCount: true # ENV: KUMA_METRICS_CONTROL_PLANE_REPORT_RESOURCES_COUNT
+ openTelemetry:
+ # If true, CP metrics will be pushed via OTLP when OTEL_EXPORTER_OTLP_ENDPOINT is set
+ enabled: true # ENV: KUMA_METRICS_OPENTELEMETRY_ENABLED
+# Reports configuration
+reports:
+ # If true then usage stats will be reported
+ enabled: false # ENV: KUMA_REPORTS_ENABLED
+# General configuration
+general:
+ # dnsCacheTTL represents duration for how long Kuma CP will cache result of resolving dataplane's domain name
+ dnsCacheTTL: 10s # ENV: KUMA_GENERAL_DNS_CACHE_TTL
+ # TlsCertFile defines a path to a file with PEM-encoded TLS cert that will be used across all the Kuma Servers.
+ tlsCertFile: # ENV: KUMA_GENERAL_TLS_CERT_FILE
+ # TlsKeyFile defines a path to a file with PEM-encoded TLS key that will be used across all the Kuma Servers.
+ tlsKeyFile: # ENV: KUMA_GENERAL_TLS_KEY_FILE
+ # TlsMinVersion the minimum version of TLS used across all the Kuma Servers.
+ tlsMinVersion: "TLSv1_2" # ENV: KUMA_GENERAL_TLS_MIN_VERSION
+ # TlsMaxVersion the maximum version of TLS used across all the Kuma Servers.
+ tlsMaxVersion: # ENV: KUMA_GENERAL_TLS_MAX_VERSION
+ # TlsCipherSuites the list of cipher suites to be used across all the Kuma Servers.
+ tlsCipherSuites: [] # ENV: KUMA_GENERAL_TLS_CIPHER_SUITES
+ # WorkDir defines a path to the working directory
+ # Kuma stores in this directory autogenerated entities like certificates.
+ # If empty then the working directory is $HOME/.kuma
+ workDir: "" # ENV: KUMA_GENERAL_WORK_DIR
+ # ResilientComponentBaseBackoff configures base backoff for restarting resilient components:
+ # KDS sync, Insight resync, PostgresEventListener, etc.
+ resilientComponentBaseBackoff: 5s # ENV: KUMA_GENERAL_RESILIENT_COMPONENT_BASE_BACKOFF
+ # ResilientComponentMaxBackoff configures max backoff for restarting resilient component:
+ # KDS sync, Insight resync, PostgresEventListener, etc.
+ resilientComponentMaxBackoff: 1m # ENV: KUMA_GENERAL_RESILIENT_COMPONENT_MAX_BACKOFF
+# DNS Server configuration
+dnsServer:
+ # The domain that the server will resolve the services for
+ domain: "mesh" # ENV: KUMA_DNS_SERVER_DOMAIN
+ # The CIDR range used to allocate
+ CIDR: "240.0.0.0/4" # ENV: KUMA_DNS_SERVER_CIDR
+ # Will create a service ".mesh" dns entry for every service.
+ serviceVipEnabled: true # ENV: KUMA_DNS_SERVER_SERVICE_VIP_ENABLED
+ # The port to use along with the `.mesh` dns entry
+ serviceVipPort: 80 # ENV: KUMA_DNS_SERVICE_SERVICE_VIP_PORT
+# Multizone mode
+multizone:
+ global:
+ kds:
+ # Port of a gRPC server that serves Kuma Discovery Service (KDS).
+ grpcPort: 5685 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_GRPC_PORT
+ # Interval for refreshing state of the world
+ refreshInterval: 1s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_REFRESH_INTERVAL
+ # Interval for flushing Zone Insights (stats of multi-zone communication)
+ zoneInsightFlushInterval: 10s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_ZONE_INSIGHT_FLUSH_INTERVAL
+ # TlsEnabled turns on TLS for KDS
+ tlsEnabled: true # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_ENABLED
+ # TlsCertFile defines a path to a file with PEM-encoded TLS cert.
+ tlsCertFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE
+ # TlsKeyFile defines a path to a file with PEM-encoded TLS key.
+ tlsKeyFile: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE
+ # TlsMinVersion the minimum version of TLS
+ tlsMinVersion: "TLSv1_2" # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MIN_VERSION
+ # TlsMaxVersion the maximum version of TLS
+ tlsMaxVersion: # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_MAX_VERSION
+ # TlsCipherSuites the list of cipher suites
+ tlsCipherSuites: [] # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CIPHER_SUITES
+ # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
+ # In practice this means a limit on full list of one resource type.
+ maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MAX_MSG_SIZE
+ # MsgSendTimeout defines a timeout on sending a single KDS message.
+ # KDS stream between control planes is terminated if the control plane hits this timeout.
+ msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_MSG_SEND_TIMEOUT
+ # Backoff that is executed when the global control plane is sending the response that was previously rejected by zone control plane
+ nackBackoff: 5s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_NACK_BACKOFF
+ # Response backoff is a time Global CP waits before sending ACK/NACK.
+ # This is a way to slow down Zone CP from sending resources too often.
+ responseBackoff: 0s # ENV: KUMA_MULTIZONE_GLOBAL_KDS_RESPONSE_BACKOFF
+ # If true, Global CP logs full DeltaDiscoveryResponse payloads received from Zone CPs at V(1) instead of compact summaries.
+ logPayloads: false # ENV: KUMA_MULTIZONE_GLOBAL_KDS_LOG_PAYLOADS
+ tracing:
+ # Defines whether tracing is enabled for all gRPC methods
+ # of GlobalKDSServer and KDSSyncService or completely disabled
+ enabled: true # ENV: KUMA_MULTIZONE_GLOBAL_KDS_TRACING_ENABLED
+ zone:
+ # Kuma Zone name used to mark the zone dataplane resources
+ name: "default" # ENV: KUMA_MULTIZONE_ZONE_NAME
+ # GlobalAddress URL of Global Kuma CP
+ globalAddress: # ENV KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS
+ kds:
+ # Interval for refreshing state of the world
+ refreshInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_KDS_REFRESH_INTERVAL
+ # RootCAFile defines a path to a file with PEM-encoded Root CA. Client will verify server by using it.
+ rootCaFile: # ENV: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE
+ # If true, TLS connection to the server won't be verified.
+ tlsSkipVerify: false # ENV: KUMA_MULTIZONE_ZONE_KDS_TLS_SKIP_VERIFY
+ # MaxMsgSize defines a maximum size of the message in bytes that is exchanged using KDS.
+ # In practice this means a limit on full list of one resource type.
+ maxMsgSize: 10485760 # ENV: KUMA_MULTIZONE_ZONE_KDS_MAX_MSG_SIZE
+ # MsgSendTimeout defines a timeout on sending a single KDS message.
+ # KDS stream between control planes is terminated if the control plane hits this timeout.
+ msgSendTimeout: 60s # ENV: KUMA_MULTIZONE_ZONE_KDS_MSG_SEND_TIMEOUT
+ # Backoff that is executed when the zone control plane is sending the response that was previously rejected by global control plane
+ nackBackoff: 5s # ENV: KUMA_MULTIZONE_ZONE_KDS_NACK_BACKOFF
+ # Response backoff is a time Zone CP waits before sending ACK/NACK.
+ # This is a way to slow down Global CP from sending resources too often.
+ responseBackoff: 0s # ENV: KUMA_MULTIZONE_ZONE_KDS_RESPONSE_BACKOFF
+ # If true, Zone CP logs full DeltaDiscoveryResponse payloads received from Global CP at V(1) instead of compact summaries.
+ logPayloads: false # ENV: KUMA_MULTIZONE_ZONE_KDS_LOG_PAYLOADS
+ # disableOriginLabelValidation disables validation of the origin label when applying resources on Zone CP
+ disableOriginLabelValidation: false # ENV: KUMA_MULTIZONE_ZONE_DISABLE_ORIGIN_LABEL_VALIDATION
+ # IngressUpdateInterval is the interval between the CP updating the list of
+ # available services on ZoneIngress.
+ ingressUpdateInterval: 1s # ENV: KUMA_MULTIZONE_ZONE_INGRESS_UPDATE_INTERVAL
+# Diagnostics configuration
+diagnostics:
+ # Port of Diagnostic Server for checking health and readiness of the Control Plane
+ serverPort: 5680 # ENV: KUMA_DIAGNOSTICS_SERVER_PORT
+ # If true, enables https://golang.org/pkg/net/http/pprof/ debug endpoints
+ debugEndpoints: false # ENV: KUMA_DIAGNOSTICS_DEBUG_ENDPOINTS
+ # Whether tls is enabled or not
+ tlsEnabled: false # ENV: KUMA_DIAGNOSTICS_TLS_ENABLED
+ # TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
+ tlsCertFile: # ENV: KUMA_DIAGNOSTICS_TLS_CERT_FILE
+ # TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
+ tlsKeyFile: # ENV: KUMA_DIAGNOSTICS_TLS_KEY_FILE
+ # TlsMinVersion the minimum version of TLS
+ tlsMinVersion: "TLSv1_2" # ENV: KUMA_DIAGNOSTICS_TLS_MIN_VERSION
+ # TlsMaxVersion the maximum version of TLS
+ tlsMaxVersion: # ENV: KUMA_DIAGNOSTICS_TLS_MAX_VERSION
+ # TlsCipherSuites the list of cipher suites
+ tlsCipherSuites: [] # ENV: KUMA_DIAGNOSTICS_TLS_CIPHER_SUITES
+# Dataplane Server configuration that servers API like Bootstrap/XDS for the Dataplane.
+dpServer:
+ # Port of the DP Server
+ port: 5678 # ENV: KUMA_DP_SERVER_PORT
+ # TlsCertFile defines a path to a file with PEM-encoded TLS cert. If empty, autoconfigured from general.tlsCertFile
+ tlsCertFile: # ENV: KUMA_DP_SERVER_TLS_CERT_FILE
+ # TlsKeyFile defines a path to a file with PEM-encoded TLS key. If empty, autoconfigured from general.tlsKeyFile
+ tlsKeyFile: # ENV: KUMA_DP_SERVER_TLS_KEY_FILE
+ # TlsMinVersion the minimum version of TLS
+ tlsMinVersion: "TLSv1_2" # ENV: KUMA_DP_SERVER_TLS_MIN_VERSION
+ # TlsMaxVersion the maximum version of TLS
+ tlsMaxVersion: # ENV: KUMA_DP_SERVER_TLS_MAX_VERSION
+ # TlsCipherSuites the list of cipher suites
+ tlsCipherSuites: [] # ENV: KUMA_DP_SERVER_TLS_CIPHER_SUITES
+ # ReadHeaderTimeout defines the amount of time DP server will be allowed
+ # to read request headers. The connection's read deadline is reset
+ # after reading the headers and the Handler can decide what is considered
+ # too slow for the body. If ReadHeaderTimeout is zero there is no timeout.
+ # The timeout is configurable as in rare cases, when Kuma CP was restarting,
+ # 1s which is explicitly set in other servers was insufficient and DPs
+ # were failing to reconnect (we observed this in Projected Service Account
+ # Tokens e2e tests, which started flaking a lot after introducing explicit
+ # 1s timeout)
+ readHeaderTimeout: 5s # ENV: KUMA_DP_SERVER_READ_HEADER_TIMEOUT
+ # GracefulShutdownTimeout should be smaller than controller-runtime's
+ # shutdown budget (30s upstream default) and the pod's
+ # terminationGracePeriodSeconds.
+ gracefulShutdownTimeout: 10s # ENV: KUMA_DP_SERVER_GRACEFUL_SHUTDOWN_TIMEOUT
+ # Authn defines an authentication configuration for the DP Server
+ authn:
+ # Configuration for data plane proxy authentication.
+ dpProxy:
+ # Type of authentication. Available values: "serviceAccountToken", "dpToken", "none".
+ # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "dpToken" on Universal.
+ type: ""
+ # Configuration of dpToken authentication method
+ dpToken:
+ # If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
+ enableIssuer: true
+ # DP Token validator configuration.
+ validator:
+ # If true then Kuma secrets with prefix "dataplane-token-signing-key-{mesh}" are considered as signing keys.
+ useSecrets: true
+ # List of public keys used to validate the token. Example:
+ # - kid: 1
+ # mesh: default
+ # key: |
+ # -----BEGIN RSA PUBLIC KEY-----
+ # MIIBCgKCAQEAq....
+ # -----END RSA PUBLIC KEY-----
+ # - kid: 2
+ # mesh: demo
+ # keyFile: /keys/public.pem
+ publicKeys: []
+ # Configuration for zone proxy authentication.
+ zoneProxy:
+ # Type of authentication. Available values: "serviceAccountToken", "zoneToken", "none".
+ # If empty, autoconfigured based on the environment - "serviceAccountToken" on Kubernetes, "zoneToken" on Universal.
+ type: ""
+ # Configuration for zoneToken authentication method.
+ zoneToken:
+ # If true the control plane token issuer is enabled. It's recommended to set it to false when all the tokens are issued offline.
+ enableIssuer: true
+ # Zone Token validator configuration.
+ validator:
+ # If true then Kuma secrets with prefix "zone-token-signing-key" are considered as signing keys.
+ useSecrets: true
+ # List of public keys used to validate the token. Example:
+ # - kid: 1
+ # key: |
+ # -----BEGIN RSA PUBLIC KEY-----
+ # MIIBCgKCAQEAq....
+ # -----END RSA PUBLIC KEY-----
+ # - kid: 2
+ # keyFile: /keys/public.pem
+ publicKeys: []
+ # If true then Envoy uses Google gRPC instead of Envoy gRPC which lets a proxy reload the auth data (service account token, dp token etc.) stored in the file without proxy restart.
+ enableReloadableTokens: false # ENV: KUMA_DP_SERVER_AUTHN_ENABLE_RELOADABLE_TOKENS
+ # Hds defines a Health Discovery Service configuration
+ hds:
+ # Enabled if true then Envoy will actively check application's ports, but only on Universal.
+ # On Kubernetes this feature disabled for now regardless the flag value
+ enabled: true # ENV: KUMA_DP_SERVER_HDS_ENABLED
+ # Interval for Envoy to send statuses for HealthChecks
+ interval: 5s # ENV: KUMA_DP_SERVER_HDS_INTERVAL
+ # RefreshInterval is an interval for re-genarting configuration for Dataplanes connected to the Control Plane
+ refreshInterval: 10s # ENV: KUMA_DP_SERVER_HDS_REFRESH_INTERVAL
+ # Check defines a HealthCheck configuration
+ checkDefaults:
+ # Timeout is a time to wait for a health check response. If the timeout is reached the
+ # health check attempt will be considered a failure
+ timeout: 2s # ENV: KUMA_DP_SERVER_HDS_CHECK_TIMEOUT
+ # Interval between health checks
+ interval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_INTERVAL
+ # NoTrafficInterval is a special health check interval that is used when a cluster has
+ # never had traffic routed to it
+ noTrafficInterval: 1s # ENV: KUMA_DP_SERVER_HDS_CHECK_NO_TRAFFIC_INTERVAL
+ # HealthyThreshold is a number of healthy health checks required before a host is marked healthy
+ healthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_HEALTHY_THRESHOLD
+ # UnhealthyThreshold is a number of unhealthy health checks required before a host is marked unhealthy
+ unhealthyThreshold: 1 # ENV: KUMA_DP_SERVER_HDS_CHECK_UNHEALTHY_THRESHOLD
+# Intercommunication CP configuration
+interCp:
+ # Catalog configuration. Catalog keeps a record of all live CP instances in the zone.
+ catalog:
+ # Indicates an address on which other control planes can communicate with this CP.
+ # If empty then it's autoconfigured by taking the first IP of the nonloopback network interface.
+ instanceAddress: "" # ENV: KUMA_INTER_CP_CATALOG_INSTANCE_ADDRESS
+ # Interval on which CP will send heartbeat to a leader.
+ heartbeatInterval: 5s # ENV: KUMA_INTER_CP_CATALOG_HEARTBEAT_INTERVAL
+ # Interval on which CP will write all instances to a catalog.
+ writerInterval: 15s # ENV: KUMA_INTER_CP_CATALOG_WRITER_INTERVAL
+ # Intercommunication CP server configuration
+ server:
+ # Port of the inter-cp server
+ port: 5683 # ENV: KUMA_INTER_CP_SERVER_PORT
+ # TlsMinVersion the minimum version of TLS
+ tlsMinVersion: "TLSv1_2" # ENV: KUMA_INTER_CP_SERVER_TLS_MIN_VERSION
+ # TlsMaxVersion the maximum version of TLS
+ tlsMaxVersion: # ENV: KUMA_INTER_CP_SERVER_TLS_MAX_VERSION
+ # TlsCipherSuites the list of cipher suites
+ tlsCipherSuites: [] # ENV: KUMA_INTER_CP_SERVER_TLS_CIPHER_SUITES
+# Access Control configuration
+access:
+ # Type of access strategy (available values: "static", "rbac")
+ type: rbac
+ # Configuration of static access strategy
+ static:
+ # AdminResources defines an access to admin resources (Secret/GlobalSecret)
+ adminResources:
+ # List of users that are allowed to access admin resources
+ users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_USERS
+ # List of groups that are allowed to access admin resources
+ groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_ADMIN_RESOURCES_GROUPS
+ # GenerateDPToken defines an access to generating dataplane token
+ generateDpToken:
+ # List of users that are allowed to generate dataplane token
+ users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_USERS
+ # List of groups that are allowed to generate dataplane token
+ groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_DP_TOKEN_GROUPS
+ # GenerateUserToken defines an access to generating user token
+ generateUserToken:
+ # List of users that are allowed to generate user token
+ users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_USERS
+ # List of groups that are allowed to generate user token
+ groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_USER_TOKEN_GROUPS
+ # GenerateZoneToken defines an access to generating zone token
+ generateZoneToken:
+ # List of users that are allowed to generate zone token
+ users: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_USERS
+ # List of groups that are allowed to generate zone token
+ groups: ["mesh-system:admin"] # ENV: KUMA_ACCESS_STATIC_GENERATE_ZONE_TOKEN_GROUPS
+ viewConfigDump:
+ # List of users that are allowed to get envoy config dump
+ users: [] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_USERS
+ # List of groups that are allowed to get envoy config dump
+ groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_GET_CONFIG_DUMP_GROUPS
+ viewStats:
+ # List of users that are allowed to get envoy stats
+ users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_USERS
+ # List of groups that are allowed to get envoy stats
+ groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_STATS_GROUPS
+ viewClusters:
+ # List of users that are allowed to get envoy clusters
+ users: [] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_USERS
+ # List of groups that are allowed to get envoy clusters
+ groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_VIEW_CLUSTERS_GROUPS
+ controlPlaneMetadata:
+ # List of users that are allowed to get control plane metadata
+ users: [] # ENV: KUMA_ACCESS_STATIC_CONTROL_PLANE_METADATA_USERS
+ # List of groups that are allowed to get control plane metadata
+ groups: ["mesh-system:unauthenticated", "mesh-system:authenticated"] # ENV: KUMA_ACCESS_STATIC_CONTROL_PLANE_METADATA_GROUPS
+# Configuration of experimental features of Kuma
+experimental:
+ # If true, instead of embedding kubernetes outbounds into Dataplane object, they are persisted next to VIPs in ConfigMap
+ # This can improve performance, but it should be enabled only after all instances are migrated to version that supports this config
+ kubeOutboundsAsVIPs: true # ENV: KUMA_EXPERIMENTAL_KUBE_OUTBOUNDS_AS_VIPS
+ # Tag first virtual outbound model is compressed version of default Virtual Outbound model
+ # It is recommended to use tag first model for deployments with more than 2k services
+ # You can enable this flag on existing deployment. In order to downgrade cp with this flag enabled
+ # you need to first disable this flag and redeploy cp, after config is rewritten to default
+ # format you can downgrade your cp
+ useTagFirstVirtualOutboundModel: false # ENV: KUMA_EXPERIMENTAL_USE_TAG_FIRST_VIRTUAL_OUTBOUND_MODEL
+ # List of prefixes that will be used to filter out tags by keys from ingress' available services section.
+ # This can trim the size of the ZoneIngress object significantly.
+ # The drawback is that you cannot use filtered out tags for traffic routing.
+ # If empty, no filter is applied.
+ ingressTagFilters: [] # ENV: KUMA_EXPERIMENTAL_INGRESS_TAG_FILTERS
+ # KDS event based watchdog settings. It is a more optimal way to generate KDS snapshot config.
+ kdsEventBasedWatchdog:
+ # If true, then experimental event based watchdog to generate KDS snapshot is used.
+ enabled: false # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_ENABLED
+ # How often we flush changes when experimental event based watchdog is used.
+ flushInterval: 5s # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FLUSH_INTERVAL
+ # How often we schedule full KDS resync when experimental event based watchdog is used.
+ fullResyncInterval: 60s # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_FULL_RESYNC_INTERVAL
+ # If true, then initial full resync is going to be delayed by 0 to FullResyncInterval.
+ delayFullResync: false # ENV: KUMA_EXPERIMENTAL_KDS_EVENT_BASED_WATCHDOG_DELAY_FULL_RESYNC
+ # If true then control plane computes reachable services automatically based on MeshTrafficPermission.
+ # Lack of MeshTrafficPermission is treated as Deny the traffic.
+ autoReachableServices: false # ENV: KUMA_EXPERIMENTAL_AUTO_REACHABLE_SERVICES
+ # Enables sidecar containers in Kubernetes if supported by the Kubernetes
+ # environment.
+ sidecarContainers: true # ENV: KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS
+ # If true uses Delta xDS to deliver changes to sidecars.
+ deltaXds: false # ENV: KUMA_EXPERIMENTAL_DELTA_XDS
+proxy:
+ gateway:
+ # Sets the envoy runtime value to limit maximum number of incoming
+ # connections to a builtin gateway data plane proxy
+ globalDownstreamMaxConnections: 50000 # ENV: KUMA_PROXY_GATEWAY_GLOBAL_DOWNSTREAM_MAX_CONNECTIONS
+tracing:
+ openTelemetry:
+ endpoint: "" # e.g. otel-collector:4317
+# Configuration of the event bus which is local to one instance of CP
+eventBus:
+ # BufferSize controls the buffer for every single event listener.
+ # If we go over buffer, additional delay may happen to various operation like insight recomputation or KDS.
+ bufferSize: 100 # ENV: KUMA_EVENT_BUS_BUFFER_SIZE
+policies:
+ # PluginPoliciesEnabled controls which policy plugins are enabled
+ pluginPoliciesEnabled: # ENV: KUMA_PLUGIN_POLICIES_ENABLED
+ - meshaccesslogs
+ - meshcircuitbreakers
+ - meshfaultinjections
+ - meshglobalratelimits
+ - meshhealthchecks
+ - meshhttproutes
+ - meshloadbalancingstrategies
+ - meshmetrics
+ - meshopas
+ - meshpassthroughs
+ - meshproxypatches
+ - meshratelimits
+ - meshretries
+ - meshtcproutes
+ - meshtimeouts
+ - meshtlses
+ - meshtraces
+ - meshtrafficpermissions
+coreResources:
+ status:
+ # How often we compute status of MeshMultiZoneService
+ meshMultiZoneServiceInterval: 5s # ENV: KUMA_CORE_RESOURCES_STATUS_MESH_MULTI_ZONE_SERVICE_INTERVAL
+ # How often we compute status of MeshService
+ meshServiceInterval: 5s # ENV: KUMA_CORE_RESOURCES_STATUS_MESH_SERVICE_INTERVAL
+ # How often we compute status of MeshIdentity
+ meshIdentityInterval: 5s # ENV: KUMA_CORE_RESOURCES_STATUS_MESH_IDENTITY_INTERVAL
+ # How often we compute status of Workload
+ workloadInterval: 5s # ENV: KUMA_CORE_RESOURCES_STATUS_WORKLOAD_INTERVAL
+ # How often we compute status of MeshOpenTelemetryBackend
+ meshOpenTelemetryBackendInterval: 5s # ENV: KUMA_CORE_RESOURCES_STATUS_MESH_OPEN_TELEMETRY_BACKEND_INTERVAL
+ enabled: # ENV: KUMA_CORE_RESOURCES_ENABLED
+ - hostnamegenerators
+ - meshexternalservices
+ - meshidentities
+ - meshmultizoneservices
+ - meshopentelemetrybackends
+ - meshservices
+ - meshtrusts
+ - meshzoneaddresses
+ - workloads
+# IP address management configuration
+ipam:
+ # MeshService address management
+ meshService:
+ # CIDR for MeshService IPs
+ cidr: 241.0.0.0/8 # ENV: KUMA_IPAM_MESH_SERVICE_CIDR
+ meshExternalService:
+ # CIDR for MeshExternalService IPs
+ cidr: 242.0.0.0/8 # ENV: KUMA_IPAM_MESH_EXTERNAL_SERVICE_CIDR
+ meshMultiZoneService:
+ # CIDR for MeshMultiZoneService IPs
+ cidr: 243.0.0.0/8 # ENV: KUMA_IPAM_MESH_MULTI_ZONE_SERVICE_CIDR
+ # Interval on which Kuma will allocate new IPs for MeshServices and MeshExternalServices
+ allocationInterval: 5s # ENV: KUMA_IPAM_ALLOCATION_INTERVAL
+ # Contains a list of CIDRs which are considered internal and trusted, Envoy attaches internal only headers to requests from these clients when forwarding HTTP requests
+ knownInternalCIDRs: # ENV: KUMA_IPAM_KNOWN_INTERNAL_CIDRS
+ - 10.0.0.0/8
+ - 192.168.0.0/16
+ - 172.16.0.0/12
+ - fc00::/7
+ - fd00::/8
+ - 127.0.0.1/32
+ - ::1/128
+meshService:
+ # How often we check whether MeshServices need to be generated from Dataplanes
+ generationInterval: 2s # ENV: KUMA_MESH_SERVICE_GENERATION_INTERVAL
+ # How long we wait before deleting a MeshService if all Dataplanes are gone
+ deletionGracePeriod: 1h # ENV: KUMA_MESH_SERVICE_DELETION_GRACE_PERIOD
+ # Controls propagation of user-defined labels from MeshService to generated resources.
+ labelPropagation:
+ # If true, propagate allowed user-defined labels from MeshService to generated resources.
+ enabled: false # ENV: KUMA_MESH_SERVICE_LABEL_PROPAGATION_ENABLED
+ # List of non-reserved label keys eligible for propagation. When empty and enabled is true, all non-reserved labels are propagated. Reserved kuma.io/ and k8s.kuma.io/ keys are rejected.
+ allowedLabelKeys: [] # ENV: KUMA_MESH_SERVICE_LABEL_PROPAGATION_ALLOWED_LABEL_KEYS
+kmesh:
+ # License of Kong Mesh
+ license:
+ # Inline string of the Kong Mesh license
+ # inline: "" # ENV: KMESH_LICENSE_INLINE
+ # Path to a file with the Kong Mesh license
+ path: "" # ENV: KMESH_LICENSE_PATH
+ opa:
+ # Interval for re-generating OPA configuration for Dataplanes connected to the Control Plane
+ configurationRefreshInterval: 1s # ENV: KMESH_OPA_CONFIGURATION_REFRESH_INTERVAL
+ # Backoff that is executed when Control Plane is sending the response that was previously rejected by OPA
+ nackBackoff: 5s # ENV: KMESH_OPA_CONFIGURATION_NACK_BACKOFF
+ multizone:
+ global:
+ kds:
+ auth:
+ # The way how Global Control Plane authenticates the Zone Control Planes. Available values ("none", "cpToken")
+ type: none # KMESH_MULTIZONE_GLOBAL_KDS_AUTH_TYPE
+ # CpToken configuration for the "cpToken" auth type. Only used when Type is "cpToken"
+ cpToken:
+ # If false, the Global CP refuses to issue cp-scoped zone tokens via the API.
+ # Set to false when tokens are signed offline with the private key.
+ enableIssuer: true # KMESH_MULTIZONE_GLOBAL_KDS_AUTH_CP_TOKEN_ENABLE_ISSUER
+ # Validator configuration used to verify KDS CP tokens presented by Zone CPs.
+ validator:
+ # If true, Kuma secrets with prefix "zone-token-signing-key" are accepted as signing keys.
+ useSecrets: true # KMESH_MULTIZONE_GLOBAL_KDS_AUTH_CP_TOKEN_VALIDATOR_USE_SECRETS
+ # List of public keys used to validate KDS CP tokens offline. Example:
+ # - kid: 1
+ # key: |
+ # -----BEGIN RSA PUBLIC KEY-----
+ # MIIBCgKCAQEAq....
+ # -----END RSA PUBLIC KEY-----
+ # - kid: 2
+ # keyFile: /keys/public.pem
+ publicKeys: []
+ zone:
+ kds:
+ auth:
+ # Control Plane Token provided as a string
+ cpTokenInline: "" # KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_INLINE
+ # Control Plane Token provided as a file
+ cpTokenPath: "" # KMESH_MULTIZONE_ZONE_KDS_AUTH_CP_TOKEN_PATH
+ konnect:
+ cpId: "" # KMESH_MULTIZONE_ZONE_KONNECT_CP_ID
+ access:
+ static:
+ generateCpToken:
+ # List of users that are allowed to generate control plane token
+ users: ["mesh-system:admin"] # ENV: KMESH_RBAC_STATIC_GENERATE_CP_TOKEN_USERS
+ # List of groups that are allowed to generate control plane token
+ groups: ["mesh-system:admin"] # ENV: KMESH_RBAC_STATIC_GENERATE_CP_TOKEN_GROUPS
+ rbac:
+ # LogActions defines actions that will be logged when RBAC is resolved. Allowed values: "allowed", "denied"
+ logActions: ["allowed", "denied"] # ENV: KMESH_ACCESS_RBAC_LOG_ACTIONS
+ # DefaultAdminRoleGroups defines a list of groups to be added to the default admin role
+ defaultAdminRoleGroups: ["mesh-system:authenticated", "mesh-system:unauthenticated"] # ENV: KMESH_ACCESS_RBAC_DEFAULT_ADMIN_ROLE_GROUPS
+ # DefaultAdminRoleUsers defines a list of users to be added to the default list of admins.
+ defaultAdminRoleUsers: [] # ENV: KMESH_ACCESS_RBAC_DEFAULT_ADMIN_ROLE_USERS
+ # SkipAdminRoleCreation set whether skip creating the default admin role
+ skipAdminRoleCreation: false # ENV: KMESH_ACCESS_RBAC_SKIP_ADMIN_ROLE_CREATION
+ # Configuration for recording all the actions in the system.
+ audit:
+ # Types that are skipped by default when `types` list in AccessAudit resource is empty
+ skipDefaultTypes: ["DataplaneInsight", "ZoneIngressInsight", "ZoneEgressInsight", "ZoneInsight", "ServiceInsight", "MeshInsight"]
+ # List of backends for auditing. If empty, no audit is recorded.
+ backends: []
+ # - # type of logging backend. Available values: "file"
+ # type: file
+ # # Settings of a file backend used when the type is set to "file"
+ # file:
+ # # Path to the file that will be filled with logs
+ # path: /tmp/access.logs
+ # rotation:
+ # # If true, rotation is enabled.
+ # # Example: if we set path to /tmp/kuma.log then after the file is rotated we will have /tmp/kuma-2021-06-07T09-15-18.265.log
+ # enabled: true
+ # # Maximum number of the old log files to retain
+ # maxRetainedFiles: 10
+ # # Maximum size in megabytes of a log file before it gets rotated
+ # maxSizeMb: 100
+ # # Maximum number of days to retain old log files based on the timestamp encoded in their filename
+ # maxAgeDays: 30
+ globalRateLimit:
+ # Interval for re-generating global rate limit configuration for ratelimit service connected to the Control Plane
+ configurationRefreshInterval: 1s # ENV: KMESH_GLOBAL_RATE_LIMIT_CONFIGURATION_REFRESH_INTERVAL
+ # Service account name of rate limit service which will be used in
+ # authentication process of communication between rate limit service and
+ # control plane.
+ # The value can take two forms:
+ # - "system:serviceaccount:[namespace]:[service_account_name]" (example:
+ # system:serviceaccount:kong-mesh-system:default)
+ # - "[service_account_name]" - in this form, the namespace of the service
+ # account will be implicitly assumed as the same as control plane's system
+ # namespace (example: default)
+ serviceAccountName: system:serviceaccount:kong-mesh-system:default # ENV: KMESH_GLOBAL_RATE_LIMIT_CONFIGURATION_SERVICE_ACCOUNT_NAME
+ ca:
+ vault:
+ # Interval for checking whether any referenced Vault tokens have changed.
+ # A value of 0 disables the check.
+ # This check is necessary to detect updates to a Vault token stored in a secret.
+ # Keep this interval shorter than the value of the Vault token's TTL.
+ # The default is 30s, which works well for tokens with a TTL longer than 60s.
+ # If the token TTL is shorter than 60s, you may need to decrease this value.
+ # When only tokens with `inline` or `inlineString` are set, you can disable this.
+ tokenChangeCheckInterval: 30s # ENV: KMESH_CA_VAULT_TOKEN_CHANGE_CHECK_INTERVAL
+ awsIAM:
+ # AuthorizedAccountIDs is a list of accounts that are authorized
+ # to authenticate with this CP. This is optional if
+ # RolesToAssumeForAccounts is set.
+ authorizedAccountIds: []
+ # RolesToAssumeForAccounts is a map of AWS account IDs to role names
+ # that the CP should use to verify dataplane identity in cross-account
+ # setups.
+ rolesToAssumeForAccounts: {}
+ limits:
+ # Default limits configuration
+ default:
+ # Maximum number of Dataplane resources that a user can create. Set to 0 to disable the limit.
+ dataplanes: 0 # ENV: KMESH_LIMITS_DEFAULT_DATAPLANES
+ # Maximum number of policy resources that a user can create. Set to 0 to disable the limit.
+ policies: 0 # ENV: KMESH_LIMITS_DEFAULT_POLICIES
+ # Maximum number of Zone control plane resources that a user can create. Set to 0 to disable the limit.
+ zones: 0 # ENV: KMESH_LIMITS_DEFAULT_ZONES
+ runtime:
+ # AWS integrations configuration
+ aws:
+ # Route53 integration configuration
+ route53:
+ # Enabled indicates whether the component responsible for creating Route53 DNS entries is enabled.
+ enabled: false # ENV: KMESH_RUNTIME_AWS_ROUTE53_ENABLED
+ # HostedZoneId is the AWS Zone ID where `kuma.io/service` DNS entries are created.
+ # The hosted zone domain must match the configuration of `KUMA_DNS_SERVER_DOMAIN`.
+ hostedZoneId: "" # ENV: KMESH_RUNTIME_AWS_ROUTE53_HOSTED_ZONE_ID
+ # RefreshInterval defines how often the component should check for new VIPs and create them in AWS.
+ # Be cautious with the value, as AWS has a rate limit of 5 requests per second.
+ # Default: 10s
+ refreshInterval: 10s # ENV: KMESH_RUNTIME_AWS_ROUTE53_REFRESH_INTERVAL
+ # Base time for exponential backoff on an error.
+ retryBaseBackoff: 1s # ENV: KMESH_RUNTIME_AWS_ROUTE53_RETRY_BASE_BACKOFF
+ # Max retries on an error.
+ retryMaxTimes: 2 # ENV: KMESH_RUNTIME_AWS_ROUTE53_RETRY_MAX_TIMES
+ # Percentage of jitter. For example: if backoff is 20s, and this value 10, the backoff will be between 18s and 22s.
+ retryJitterPercent: 20 # ENV: KMESH_RUNTIME_AWS_ROUTE53_RETRY_JITTER_PERCENT
diff --git a/app/assets/mesh/2.14.x/raw/protos/OPAPolicy.json b/app/assets/mesh/2.14.x/raw/protos/OPAPolicy.json
new file mode 100644
index 0000000000..5a721aa903
--- /dev/null
+++ b/app/assets/mesh/2.14.x/raw/protos/OPAPolicy.json
@@ -0,0 +1,132 @@ +{ + "$schema": "http://json-schema.org/draft-04/schema#", + "$ref": "#/definitions/OPAPolicy", + "definitions": { + "OPAPolicy": { + "properties": { + "selectors": { + "items": { + "$ref": "#/definitions/kuma.mesh.v1alpha1.Selector" + }, + "type": "array", + "description": "List of selectors to match dataplanes." + }, + "conf": { + "$ref": "#/definitions/kuma.plugins.policies.OPAPolicy.Conf", + "additionalProperties": true, + "description": "Configuration of the policy." + } + }, + "additionalProperties": true, + "type": "object", + "title": "OPA Policy", + "description": "OPAPolicy defines OpenPolicyAgent policy for selected Dataplanes" + }, + "kuma.mesh.v1alpha1.Selector": { + "properties": { + "match": { + "additionalProperties": { + "type": "string" + }, + "type": "object", + "description": "Tags to match, can be used for both source and destinations" + } + }, + "additionalProperties": true, + "type": "object", + "title": "Selector", + "description": "Selector defines structure for selecting tags for given dataplane" + }, + "kuma.plugins.policies.OPAPolicy.Conf": { + "properties": { + "agentConfig": { + "$ref": "#/definitions/kuma.system.v1alpha1.DataSource", + "additionalProperties": true, + "description": "AgentConfig defines bootstrap OPA agent configuration." + }, + "policies": { + "items": { + "$ref": "#/definitions/kuma.system.v1alpha1.DataSource" + }, + "type": "array", + "description": "Policies define data source for a policies. Available values: secret, inline, inlineString." + }, + "authConfig": { + "$ref": "#/definitions/kuma.plugins.policies.OPAPolicy.Conf.AuthConf", + "additionalProperties": true, + "description": "AuthConfig are configurations specific to the filter." + } + }, + "additionalProperties": true, + "type": "object", + "title": "Conf", + "description": "Conf defines settings of the policy." 
+ }, + "kuma.plugins.policies.OPAPolicy.Conf.AuthConf": { + "properties": { + "statusOnError": { + "type": "integer", + "description": "statusOnError is the http status to return when there's a connection failure between the dataplane and the authorization agent" + }, + "onAgentFailure": { + "type": "string", + "description": "onAgentFailure either 'allow' or 'deny' (default to deny) whether or not to allow requests when the authorization agent failed." + }, + "requestBody": { + "$ref": "#/definitions/kuma.plugins.policies.OPAPolicy.Conf.AuthConf.RequestBodyConf", + "additionalProperties": true, + "description": "requestBody configuration to apply on the request body sent to the authorization agent (if absent, the body is not sent)." + }, + "timeout": { + "pattern": "^([0-9]+\\.?[0-9]*|\\.[0-9]+)s$", + "type": "string", + "description": "The timeout for the single gRPC request from Envoy to OPA Agent.", + "format": "regex" + } + }, + "additionalProperties": true, + "type": "object", + "title": "Auth Conf" + }, + "kuma.plugins.policies.OPAPolicy.Conf.AuthConf.RequestBodyConf": { + "properties": { + "maxSize": { + "type": "integer", + "description": "The maximum payload size sent to authorization agent. If the payload is larger it will be truncated and there will be a header `x-envoy-auth-partial-body: true`. If it is set to 0 no body will be sent to the agent." + }, + "sendRawBody": { + "type": "boolean", + "description": "Send a raw body instead of the body encoded into UTF-8" + } + }, + "additionalProperties": true, + "type": "object", + "title": "Request Body Conf" + }, + "kuma.system.v1alpha1.DataSource": { + "properties": { + "secret": { + "type": "string", + "description": "Data source is a secret with given Secret key." + }, + "file": { + "type": "string", + "description": "Data source is a path to a file. Deprecated, use other sources of a data." 
+ }, + "inline": { + "additionalProperties": true, + "type": "string", + "description": "Data source is inline bytes." + }, + "inlineString": { + "type": "string", + "description": "Data source is inline string" + } + }, + "additionalProperties": true, + "type": "object", + "title": "Data Source", + "description": "DataSource defines the source of bytes to use." + } + } +} \ No newline at end of file diff --git a/app/assets/mesh/2.14.x/raw/rbac.yaml b/app/assets/mesh/2.14.x/raw/rbac.yaml new file mode 100644 index 0000000000..f98da15a40 --- /dev/null +++ b/app/assets/mesh/2.14.x/raw/rbac.yaml 
@@ -0,0 +1,409 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kong-mesh-control-plane +rules: + - apiGroups: + - "" + resources: + - namespaces + - pods + - nodes + - services + verbs: + - get + - list + - watch + - apiGroups: + - "discovery.k8s.io" + resources: + - endpointslices + verbs: + - get + - list + - watch + - apiGroups: + - "apps" + resources: + - deployments + - replicasets + verbs: + - get + - list + - watch + - apiGroups: + - "batch" + resources: + - jobs + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - referencegrants + - httproutes + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - patch + - update + - apiGroups: + - kuma.io + resources: + - dataplanes + - dataplaneinsights + - meshes + - zones + - zoneinsights + - zoneingresses + - zoneingressinsights + - zoneegresses + - zoneegressinsights + - meshinsights + - serviceinsights + - proxytemplates + - ratelimits + - trafficpermissions + - trafficroutes + - timeouts + - retries + - circuitbreakers + - virtualoutbounds + - containerpatches + - externalservices + - faultinjections + - healthchecks + - trafficlogs + - traffictraces + - meshgateways + - meshgatewayroutes + - meshgatewayinstances + - meshgatewayconfigs + - meshaccesslogs + - meshcircuitbreakers + - meshfaultinjections + - meshglobalratelimits + - meshhealthchecks + - meshhttproutes + - meshloadbalancingstrategies + - meshmetrics + - meshopas + - meshpassthroughs + - meshproxypatches + - meshratelimits + - meshretries + - meshtcproutes + - meshtimeouts + - meshtlses + - meshtraces + - meshtrafficpermissions + - hostnamegenerators + - meshexternalservices + - meshidentities + - meshmultizoneservices + - 
meshopentelemetrybackends + - meshservices + - meshtrusts + - meshzoneaddresses + - workloads + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - kuma.io + resources: + - meshgatewayinstances/status + - meshgatewayinstances/finalizers + - meshes/finalizers + - dataplanes/finalizers + verbs: + - get + - patch + - update + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kong-mesh-control-plane-workloads +rules: + - apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "apps" + resources: + - deployments + - replicasets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "batch" + resources: + - jobs + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - services + verbs: + - get + - delete + - list + - watch + - create + - update + - patch + - apiGroups: + - "" + resources: + - pods/finalizers + verbs: + - get + - patch + - update + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - referencegrants + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - httproutes/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kong-mesh-control-plane-kmesh +rules: + - apiGroups: + - kuma.io + resources: + - opapolicies + - accessroles + - accessrolebindings + - accessaudits + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kong-mesh-control-plane +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kong-mesh-control-plane +subjects: + 
- kind: ServiceAccount + name: kong-mesh-control-plane + namespace: kong-mesh-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kong-mesh-control-plane-workloads +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kong-mesh-control-plane-workloads +subjects: + - kind: ServiceAccount + name: kong-mesh-control-plane + namespace: kong-mesh-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kong-mesh-control-plane-kmesh +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kong-mesh-control-plane-kmesh +subjects: + - kind: ServiceAccount + name: kong-mesh-control-plane + namespace: kong-mesh-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kong-mesh-control-plane + namespace: kong-mesh-system +rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - get + - delete + - list + - watch + - create + - update + - patch + - apiGroups: + - "" + - events.k8s.io + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - pods + verbs: + - delete + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + - referencegrants + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + - httproutes/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kong-mesh-control-plane-kmesh + namespace: kong-mesh-system +rules: + - apiGroups: + - cert-manager.io + resources: + - certificaterequests + verbs: + - create + - get + - list + - watch + - update + - delete + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: 
RoleBinding +metadata: + name: kong-mesh-control-plane + namespace: kong-mesh-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kong-mesh-control-plane +subjects: + - kind: ServiceAccount + name: kong-mesh-control-plane + namespace: kong-mesh-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kong-mesh-control-plane-kmesh + namespace: kong-mesh-system +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kong-mesh-control-plane-kmesh +subjects: + - kind: ServiceAccount + name: kong-mesh-control-plane + namespace: kong-mesh-system diff --git a/app/assets/mesh/dev/raw/crds/kuma.io_meshaccesslogs.yaml b/app/assets/mesh/dev/raw/crds/kuma.io_meshaccesslogs.yaml index b4dd7b1bcd..20b18162d8 100644 --- a/app/assets/mesh/dev/raw/crds/kuma.io_meshaccesslogs.yaml +++ b/app/assets/mesh/dev/raw/crds/kuma.io_meshaccesslogs.yaml @@ -155,15 +155,9 @@ spec: additionalProperties: type: string description: |- - Labels to match the referenced resource. Use for cross-zone references - where KDS adds a hash suffix to metadata.name. Mutually exclusive with - Name. When multiple resources match, the oldest by creation time wins. + Labels to match the referenced resource. When multiple resources match, + the oldest by creation time wins. type: object - name: - description: |- - Name of the referenced resource (metadata.name). Use for same-cluster - references. Mutually exclusive with Labels. - type: string required: - kind type: object 
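Review bot: The `kong-mesh-control-plane-workloads` ClusterRole grants `create`, `patch`, `update` and `delete` on `deployments`/`replicasets` (apps) and on `services` in every namespace, so the `kong-mesh-control-plane` ServiceAccount can create a Deployment running under any ServiceAccount in any namespace — a privilege-escalation path beyond the mesh if the control plane is compromised, and noticeably wider than the namespaced Role that correctly confines `secrets`, `configmaps` and `pods` deletion to `kong-mesh-system`. Nothing in the manifest records what this cluster-wide write access is for; presumably it provisions gateway workloads for MeshGatewayInstance resources, but that is not visible here. I would add a comment above that rule, `# Cluster-wide write on Deployments/ReplicaSets/Services is needed to provision gateway workloads in user namespaces; a compromised CP can then create pods under any ServiceAccount, so limit the namespaces where gateways are allowed.`, and consider offering a namespaced Role variant for clusters that only run gateways in known namespaces. The same caveat applies to the cluster-wide `pods/finalizers` patch rule in that role.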
@@ -416,15 +410,9 @@ spec: additionalProperties: type: string description: |- - Labels to match the referenced resource. Use for cross-zone references - where KDS adds a hash suffix to metadata.name. Mutually exclusive with - Name. When multiple resources match, the oldest by creation time wins. + Labels to match the referenced resource. When multiple resources match, + the oldest by creation time wins. type: object - name: - description: |- - Name of the referenced resource (metadata.name). Use for same-cluster - references. Mutually exclusive with Labels. - type: string required: - kind type: object @@ -726,15 +714,9 @@ spec: additionalProperties: type: string description: |- - Labels to match the referenced resource. Use for cross-zone references - where KDS adds a hash suffix to metadata.name. Mutually exclusive with - Name. When multiple resources match, the oldest by creation time wins. + Labels to match the referenced resource. When multiple resources match, + the oldest by creation time wins. type: object - name: - description: |- - Name of the referenced resource (metadata.name). Use for same-cluster - references. Mutually exclusive with Labels. - type: string required: - kind type: object diff --git a/app/assets/mesh/dev/raw/crds/kuma.io_meshmetrics.yaml b/app/assets/mesh/dev/raw/crds/kuma.io_meshmetrics.yaml index 7a8072f4f2..bc15e2b7b1 100644 --- a/app/assets/mesh/dev/raw/crds/kuma.io_meshmetrics.yaml +++ b/app/assets/mesh/dev/raw/crds/kuma.io_meshmetrics.yaml 
@@ -103,15 +103,9 @@ spec: additionalProperties: type: string description: |- - Labels to match the referenced resource. Use for cross-zone references - where KDS adds a hash suffix to metadata.name. Mutually exclusive with - Name. When multiple resources match, the oldest by creation time wins. + Labels to match the referenced resource. When multiple resources match, + the oldest by creation time wins. type: object - name: - description: |- - Name of the referenced resource (metadata.name). Use for same-cluster - references. Mutually exclusive with Labels. - type: string required: - kind type: object diff --git a/app/assets/mesh/dev/raw/crds/kuma.io_meshtraces.yaml b/app/assets/mesh/dev/raw/crds/kuma.io_meshtraces.yaml index aefdef669e..a0e7db3860 100644 --- a/app/assets/mesh/dev/raw/crds/kuma.io_meshtraces.yaml +++ b/app/assets/mesh/dev/raw/crds/kuma.io_meshtraces.yaml @@ -105,15 +105,9 @@ spec: additionalProperties: type: string description: |- - Labels to match the referenced resource. Use for cross-zone references - where KDS adds a hash suffix to metadata.name. Mutually exclusive with - Name. When multiple resources match, the oldest by creation time wins. + Labels to match the referenced resource. When multiple resources match, + the oldest by creation time wins. type: object - name: - description: |- - Name of the referenced resource (metadata.name). Use for same-cluster - references. Mutually exclusive with Labels. - type: string required: - kind type: object diff --git a/app/assets/mesh/dev/raw/kuma-cp.yaml b/app/assets/mesh/dev/raw/kuma-cp.yaml index 457e2b63a0..12f7e3c91b 100644 --- a/app/assets/mesh/dev/raw/kuma-cp.yaml +++ b/app/assets/mesh/dev/raw/kuma-cp.yaml 
@@ -102,10 +102,10 @@ bootstrapServer:
 xdsConnectTimeout: 1s # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_CONNECT_TIMEOUT
 # Cap on the gRPC C-Core receive flow-control window for the kuma-dp xDS
 # client. Set as the GoogleGrpc channel arg `grpc.max_receive_message_length`.
- # Default 16 MiB is large enough for gateway DPs with 450+ listeners; the
+ # Default 4 MiB is large enough for gateway DPs with 450+ listeners; the
 # gRPC C-Core default of 4 MiB sizes the per-stream HTTP/2 receive window
 # too small for the initial xDS push on those DPs and stalls the stream.
- xdsGrpcMaxReceiveMessageBytes: 16777216 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_GRPC_MAX_RECEIVE_MESSAGE_BYTES
+ xdsGrpcMaxReceiveMessageBytes: 4194304 # ENV: KUMA_BOOTSTRAP_SERVER_PARAMS_XDS_GRPC_MAX_RECEIVE_MESSAGE_BYTES
 # Monitoring Assignment Discovery Service (MADS) server configuration
 monitoringAssignmentServer:
 # Whether the MADS server is enabled
diff --git a/app/assets/mesh/raw/CHANGELOG.md b/app/assets/mesh/raw/CHANGELOG.md
index 6907884b1d..77ce922914 100644
--- a/app/assets/mesh/raw/CHANGELOG.md
+++ b/app/assets/mesh/raw/CHANGELOG.md
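Review bot: The updated comment now contradicts itself: the new default `xdsGrpcMaxReceiveMessageBytes: 4194304` is exactly the gRPC C-Core default of 4 MiB that the two unchanged comment lines below it still describe as sizing the per-stream receive window too small for gateway DPs with 450+ listeners and stalling the initial xDS push. Either the value should stay at 16 MiB or the rationale needs rewriting; the reason for lowering it is not visible in this hunk, which mirrors an upstream change. If 4 MiB is intended, replace the three comment lines with `# Default 4 MiB matches the gRPC C-Core default. Gateway DPs with many listeners (450+)` / `# may need a larger value, otherwise the initial xDS push exceeds the per-stream HTTP/2` / `# receive window and stalls the stream.` so operators know this is a knob they may have to raise rather than a sufficient default.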
@@ -1,6 +1,269 @@ # Changelog +## 2.14.0 +> Released on 2026/06/12 + +* chore(deps): bump aws-sdk-go-v2 monorepo [#8921](https://github.com/Kong/kong-mesh/pull/8921) [#8956](https://github.com/Kong/kong-mesh/pull/8956) [#8993](https://github.com/Kong/kong-mesh/pull/8993) [#9205](https://github.com/Kong/kong-mesh/pull/9205) [#9271](https://github.com/Kong/kong-mesh/pull/9271) [#9367](https://github.com/Kong/kong-mesh/pull/9367) [#9598](https://github.com/Kong/kong-mesh/pull/9598) [#9621](https://github.com/Kong/kong-mesh/pull/9621) [#9694](https://github.com/Kong/kong-mesh/pull/9694) [#9785](https://github.com/Kong/kong-mesh/pull/9785) @renovate +* chore(deps): bump ghcr.io/kumahq/ubuntu-netools:main from 5413786 to 487f66a [#8918](https://github.com/Kong/kong-mesh/pull/8918) [#8954](https://github.com/Kong/kong-mesh/pull/8954) [#9049](https://github.com/Kong/kong-mesh/pull/9049) [#9101](https://github.com/Kong/kong-mesh/pull/9101) [#9134](https://github.com/Kong/kong-mesh/pull/9134) [#9233](https://github.com/Kong/kong-mesh/pull/9233) [#9251](https://github.com/Kong/kong-mesh/pull/9251) [#9401](https://github.com/Kong/kong-mesh/pull/9401) @renovate +* chore(deps): bump github.com/Kong/kauth-api from 1.166.0 to 1.178.0 [#8959](https://github.com/Kong/kong-mesh/pull/8959) [#9642](https://github.com/Kong/kong-mesh/pull/9642) @renovate +* chore(deps): bump github.com/Kong/shared-go/identity from 1.39.1 to 1.48.0 [#8966](https://github.com/Kong/kong-mesh/pull/8966) [#9003](https://github.com/Kong/kong-mesh/pull/9003) [#9214](https://github.com/Kong/kong-mesh/pull/9214) [#9355](https://github.com/Kong/kong-mesh/pull/9355) [#9675](https://github.com/Kong/kong-mesh/pull/9675) [#9848](https://github.com/Kong/kong-mesh/pull/9848) [#9855](https://github.com/Kong/kong-mesh/pull/9855) [#9859](https://github.com/Kong/kong-mesh/pull/9859) [#9870](https://github.com/Kong/kong-mesh/pull/9870) @renovate +* chore(deps): bump github.com/Kong/shared-go/rest/v2 from 2.14.0 to 2.18.0 
[#8914](https://github.com/Kong/kong-mesh/pull/8914) [#9019](https://github.com/Kong/kong-mesh/pull/9019) [#9258](https://github.com/Kong/kong-mesh/pull/9258) [#9344](https://github.com/Kong/kong-mesh/pull/9344) [#9809](https://github.com/Kong/kong-mesh/pull/9809) [#9844](https://github.com/Kong/kong-mesh/pull/9844) @renovate +* chore(deps): bump github.com/Kong/shared-go/slogdiscard from 1.1.0 to 1.2.0 [#9047](https://github.com/Kong/kong-mesh/pull/9047) @renovate +* chore(deps): bump github.com/Kong/shared-go/zap-utils/v2 from 2.3.0 to 2.4.2 [#9048](https://github.com/Kong/kong-mesh/pull/9048) [#9356](https://github.com/Kong/kong-mesh/pull/9356) @renovate +* chore(deps): bump github.com/aws/smithy-go from 1.24.2 to 1.25.0 [#9454](https://github.com/Kong/kong-mesh/pull/9454) [#9555](https://github.com/Kong/kong-mesh/pull/9555) @renovate +* chore(deps): bump github.com/cert-manager/cert-manager from 1.19.1 to 1.20.2 [#8923](https://github.com/Kong/kong-mesh/pull/8923) [#9064](https://github.com/Kong/kong-mesh/pull/9064) [#9234](https://github.com/Kong/kong-mesh/pull/9234) [#9280](https://github.com/Kong/kong-mesh/pull/9280) [#9402](https://github.com/Kong/kong-mesh/pull/9402) @renovate +* chore(deps): bump github.com/containerd/containerd/v2 from 2.2.3 to 2.2.4 [#9767](https://github.com/Kong/kong-mesh/pull/9767) @renovate +* chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 [#9444](https://github.com/Kong/kong-mesh/pull/9444) @renovate +* chore(deps): bump github.com/hashicorp/vault/api from 1.22.0 to 1.23.0 [#9406](https://github.com/Kong/kong-mesh/pull/9406) @renovate +* chore(deps): bump github.com/hashicorp/vault/api/auth/aws from 0.11.0 to 0.12.0 [#9407](https://github.com/Kong/kong-mesh/pull/9407) @renovate +* chore(deps): bump github.com/hashicorp/vault/sdk from 0.20.0 to 0.25.1 [#8997](https://github.com/Kong/kong-mesh/pull/8997) [#9105](https://github.com/Kong/kong-mesh/pull/9105) [#9375](https://github.com/Kong/kong-mesh/pull/9375) 
@renovate +* chore(deps): bump github.com/open-policy-agent/opa from 1.8.0 to 1.16.2 [#8455](https://github.com/Kong/kong-mesh/pull/8455) [#8995](https://github.com/Kong/kong-mesh/pull/8995) [#9054](https://github.com/Kong/kong-mesh/pull/9054) [#9207](https://github.com/Kong/kong-mesh/pull/9207) [#9281](https://github.com/Kong/kong-mesh/pull/9281) [#9369](https://github.com/Kong/kong-mesh/pull/9369) [#9457](https://github.com/Kong/kong-mesh/pull/9457) [#9624](https://github.com/Kong/kong-mesh/pull/9624) [#9695](https://github.com/Kong/kong-mesh/pull/9695) @renovate +* chore(deps): bump go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp from 0.63.0 to 0.68.0 [#8929](https://github.com/Kong/kong-mesh/pull/8929) [#9107](https://github.com/Kong/kong-mesh/pull/9107) [#9283](https://github.com/Kong/kong-mesh/pull/9283) [#9376](https://github.com/Kong/kong-mesh/pull/9376) @renovate +* chore(deps): bump kumahq/kuma from 43d7c1eed406 to v2.14.0 [#8939](https://github.com/Kong/kong-mesh/pull/8939) [#8941](https://github.com/Kong/kong-mesh/pull/8941) [#8951](https://github.com/Kong/kong-mesh/pull/8951) [#8953](https://github.com/Kong/kong-mesh/pull/8953) [#8965](https://github.com/Kong/kong-mesh/pull/8965) [#8986](https://github.com/Kong/kong-mesh/pull/8986) [#8990](https://github.com/Kong/kong-mesh/pull/8990) [#8991](https://github.com/Kong/kong-mesh/pull/8991) [#9006](https://github.com/Kong/kong-mesh/pull/9006) [#9027](https://github.com/Kong/kong-mesh/pull/9027) [#9033](https://github.com/Kong/kong-mesh/pull/9033) [#9067](https://github.com/Kong/kong-mesh/pull/9067) [#9079](https://github.com/Kong/kong-mesh/pull/9079) [#9087](https://github.com/Kong/kong-mesh/pull/9087) [#9110](https://github.com/Kong/kong-mesh/pull/9110) [#9126](https://github.com/Kong/kong-mesh/pull/9126) [#9127](https://github.com/Kong/kong-mesh/pull/9127) [#9152](https://github.com/Kong/kong-mesh/pull/9152) [#9153](https://github.com/Kong/kong-mesh/pull/9153) 
[#9181](https://github.com/Kong/kong-mesh/pull/9181) [#9213](https://github.com/Kong/kong-mesh/pull/9213) [#9221](https://github.com/Kong/kong-mesh/pull/9221) [#9225](https://github.com/Kong/kong-mesh/pull/9225) [#9228](https://github.com/Kong/kong-mesh/pull/9228) [#9242](https://github.com/Kong/kong-mesh/pull/9242) [#9244](https://github.com/Kong/kong-mesh/pull/9244) [#9245](https://github.com/Kong/kong-mesh/pull/9245) [#9247](https://github.com/Kong/kong-mesh/pull/9247) [#9257](https://github.com/Kong/kong-mesh/pull/9257) [#9262](https://github.com/Kong/kong-mesh/pull/9262) [#9294](https://github.com/Kong/kong-mesh/pull/9294) [#9300](https://github.com/Kong/kong-mesh/pull/9300) [#9321](https://github.com/Kong/kong-mesh/pull/9321) [#9330](https://github.com/Kong/kong-mesh/pull/9330) [#9340](https://github.com/Kong/kong-mesh/pull/9340) [#9352](https://github.com/Kong/kong-mesh/pull/9352) [#9353](https://github.com/Kong/kong-mesh/pull/9353) [#9362](https://github.com/Kong/kong-mesh/pull/9362) [#9364](https://github.com/Kong/kong-mesh/pull/9364) [#9365](https://github.com/Kong/kong-mesh/pull/9365) [#9382](https://github.com/Kong/kong-mesh/pull/9382) [#9390](https://github.com/Kong/kong-mesh/pull/9390) [#9393](https://github.com/Kong/kong-mesh/pull/9393) [#9399](https://github.com/Kong/kong-mesh/pull/9399) [#9400](https://github.com/Kong/kong-mesh/pull/9400) [#9423](https://github.com/Kong/kong-mesh/pull/9423) [#9425](https://github.com/Kong/kong-mesh/pull/9425) [#9431](https://github.com/Kong/kong-mesh/pull/9431) [#9440](https://github.com/Kong/kong-mesh/pull/9440) [#9445](https://github.com/Kong/kong-mesh/pull/9445) [#9462](https://github.com/Kong/kong-mesh/pull/9462) [#9473](https://github.com/Kong/kong-mesh/pull/9473) [#9482](https://github.com/Kong/kong-mesh/pull/9482) [#9506](https://github.com/Kong/kong-mesh/pull/9506) [#9510](https://github.com/Kong/kong-mesh/pull/9510) [#9528](https://github.com/Kong/kong-mesh/pull/9528) 
[#9545](https://github.com/Kong/kong-mesh/pull/9545) [#9563](https://github.com/Kong/kong-mesh/pull/9563) [#9569](https://github.com/Kong/kong-mesh/pull/9569) [#9576](https://github.com/Kong/kong-mesh/pull/9576) [#9588](https://github.com/Kong/kong-mesh/pull/9588) [#9591](https://github.com/Kong/kong-mesh/pull/9591) [#9594](https://github.com/Kong/kong-mesh/pull/9594) [#9604](https://github.com/Kong/kong-mesh/pull/9604) [#9612](https://github.com/Kong/kong-mesh/pull/9612) [#9628](https://github.com/Kong/kong-mesh/pull/9628) [#9631](https://github.com/Kong/kong-mesh/pull/9631) [#9653](https://github.com/Kong/kong-mesh/pull/9653) [#9668](https://github.com/Kong/kong-mesh/pull/9668) [#9677](https://github.com/Kong/kong-mesh/pull/9677) [#9689](https://github.com/Kong/kong-mesh/pull/9689) [#9693](https://github.com/Kong/kong-mesh/pull/9693) [#9712](https://github.com/Kong/kong-mesh/pull/9712) [#9719](https://github.com/Kong/kong-mesh/pull/9719) [#9723](https://github.com/Kong/kong-mesh/pull/9723) [#9747](https://github.com/Kong/kong-mesh/pull/9747) [#9763](https://github.com/Kong/kong-mesh/pull/9763) [#9766](https://github.com/Kong/kong-mesh/pull/9766) [#9768](https://github.com/Kong/kong-mesh/pull/9768) [#9808](https://github.com/Kong/kong-mesh/pull/9808) [#9811](https://github.com/Kong/kong-mesh/pull/9811) [#9814](https://github.com/Kong/kong-mesh/pull/9814) [#9815](https://github.com/Kong/kong-mesh/pull/9815) [#9822](https://github.com/Kong/kong-mesh/pull/9822) [#9833](https://github.com/Kong/kong-mesh/pull/9833) [#9850](https://github.com/Kong/kong-mesh/pull/9850) [#9857](https://github.com/Kong/kong-mesh/pull/9857) [#9860](https://github.com/Kong/kong-mesh/pull/9860) [#9916](https://github.com/Kong/kong-mesh/pull/9916) [#9922](https://github.com/Kong/kong-mesh/pull/9922) [#9931](https://github.com/Kong/kong-mesh/pull/9931) [#9932](https://github.com/Kong/kong-mesh/pull/9932) [#9933](https://github.com/Kong/kong-mesh/pull/9933) 
[#9935](https://github.com/Kong/kong-mesh/pull/9935) @kong-mesh +* chore(deps): bump registry.access.redhat.com/ubi9-minimal from 9.7-1764794109 to 9.8-1779777572 [#9021](https://github.com/Kong/kong-mesh/pull/9021) [#9102](https://github.com/Kong/kong-mesh/pull/9102) [#9208](https://github.com/Kong/kong-mesh/pull/9208) [#9275](https://github.com/Kong/kong-mesh/pull/9275) [#9373](https://github.com/Kong/kong-mesh/pull/9373) [#9622](https://github.com/Kong/kong-mesh/pull/9622) [#9788](https://github.com/Kong/kong-mesh/pull/9788) @renovate +* chore(deps): security update [#9042](https://github.com/Kong/kong-mesh/pull/9042) [#9175](https://github.com/Kong/kong-mesh/pull/9175) [#9865](https://github.com/Kong/kong-mesh/pull/9865) @kong-mesh +* chore(deps): use latest Kong/kong-mesh-gui [#8913](https://github.com/Kong/kong-mesh/pull/8913) [#8989](https://github.com/Kong/kong-mesh/pull/8989) [#9005](https://github.com/Kong/kong-mesh/pull/9005) [#9034](https://github.com/Kong/kong-mesh/pull/9034) [#9041](https://github.com/Kong/kong-mesh/pull/9041) [#9068](https://github.com/Kong/kong-mesh/pull/9068) [#9078](https://github.com/Kong/kong-mesh/pull/9078) [#9150](https://github.com/Kong/kong-mesh/pull/9150) [#9155](https://github.com/Kong/kong-mesh/pull/9155) [#9255](https://github.com/Kong/kong-mesh/pull/9255) [#9309](https://github.com/Kong/kong-mesh/pull/9309) [#9331](https://github.com/Kong/kong-mesh/pull/9331) [#9354](https://github.com/Kong/kong-mesh/pull/9354) [#9383](https://github.com/Kong/kong-mesh/pull/9383) [#9389](https://github.com/Kong/kong-mesh/pull/9389) [#9590](https://github.com/Kong/kong-mesh/pull/9590) [#9707](https://github.com/Kong/kong-mesh/pull/9707) [#9720](https://github.com/Kong/kong-mesh/pull/9720) [#9735](https://github.com/Kong/kong-mesh/pull/9735) [#9745](https://github.com/Kong/kong-mesh/pull/9745) [#9806](https://github.com/Kong/kong-mesh/pull/9806) [#9810](https://github.com/Kong/kong-mesh/pull/9810) 
[#9816](https://github.com/Kong/kong-mesh/pull/9816) [#9834](https://github.com/Kong/kong-mesh/pull/9834) [#9849](https://github.com/Kong/kong-mesh/pull/9849) [#9858](https://github.com/Kong/kong-mesh/pull/9858) [#9861](https://github.com/Kong/kong-mesh/pull/9861) [#9924](https://github.com/Kong/kong-mesh/pull/9924) @kong-mesh +* feat(kds): add offline signing support [#9730](https://github.com/Kong/kong-mesh/pull/9730) @lukidzi +* feat(meshidentity): add external CA integrations for MeshIdentity [#9122](https://github.com/Kong/kong-mesh/pull/9122) [#9442](https://github.com/Kong/kong-mesh/pull/9442) [#9632](https://github.com/Kong/kong-mesh/pull/9632) @lukidzi +* feat(route53): improve Route53 hostname handling and batching [#9629](https://github.com/Kong/kong-mesh/pull/9629) [#9709](https://github.com/Kong/kong-mesh/pull/9709) @lukidzi +* fix(license): stop quota refresher goroutine leak [#9559](https://github.com/Kong/kong-mesh/pull/9559) @bartsmykla +* fix(meshidentity): reduce cache time and introduce renwer test [#9744](https://github.com/Kong/kong-mesh/pull/9744) @lukidzi +* fix(oapi): add missing rbac resources to oapi [#9066](https://github.com/Kong/kong-mesh/pull/9066) @slonka +* fix(security): harden control-plane configuration [#9057](https://github.com/Kong/kong-mesh/pull/9057) [#9058](https://github.com/Kong/kong-mesh/pull/9058) [#9059](https://github.com/Kong/kong-mesh/pull/9059) [#9060](https://github.com/Kong/kong-mesh/pull/9060) [#9061](https://github.com/Kong/kong-mesh/pull/9061) [#9062](https://github.com/Kong/kong-mesh/pull/9062) [#9063](https://github.com/Kong/kong-mesh/pull/9063) [#9746](https://github.com/Kong/kong-mesh/pull/9746) [#9813](https://github.com/Kong/kong-mesh/pull/9813) @bartsmykla,@lobkovilya,@lukidzi + +### Includes [kumahq/kuma@2.14.0](https://github.com/kumahq/kuma/releases/tag/2.14.0) changelog + +* chore(deps): bump ci-tools/release-tool from 1.3.1 to 1.4.2 [#15314](https://github.com/kumahq/kuma/pull/15314) 
[#15315](https://github.com/kumahq/kuma/pull/15315) [#15332](https://github.com/kumahq/kuma/pull/15332) @lukidzi,@renovate
+* chore(deps): bump coredns to v1.14.2 [#15975](https://github.com/kumahq/kuma/pull/15975) @bartsmykla
+* chore(deps): bump debian from 13.2 to 13.5 [#15393](https://github.com/kumahq/kuma/pull/15393) [#15951](https://github.com/kumahq/kuma/pull/15951) [#16747](https://github.com/kumahq/kuma/pull/16747) @renovate
+* chore(deps): bump debian:13.2 from 0d01188 to c71b05e [#15340](https://github.com/kumahq/kuma/pull/15340) @renovate
+* chore(deps): bump debian:13.3 from 5cf544f to 3615a74 [#15550](https://github.com/kumahq/kuma/pull/15550) [#15725](https://github.com/kumahq/kuma/pull/15725) @renovate
+* chore(deps): bump debian:13.4 from 55a15a1 to e2d08da [#16235](https://github.com/kumahq/kuma/pull/16235) [#16393](https://github.com/kumahq/kuma/pull/16393) [#16513](https://github.com/kumahq/kuma/pull/16513) @renovate
+* chore(deps): bump envoy from 1.36.4 to 1.38.2 [#15446](https://github.com/kumahq/kuma/pull/15446) [#16262](https://github.com/kumahq/kuma/pull/16262) [#16446](https://github.com/kumahq/kuma/pull/16446) [#16900](https://github.com/kumahq/kuma/pull/16900) [#16927](https://github.com/kumahq/kuma/pull/16927) @lukidzi,@renovate,@slonka
+* chore(deps): bump filippo.io/edwards25519 from 1.1.0 to 1.1.1 [#15643](https://github.com/kumahq/kuma/pull/15643) @renovate
+* chore(deps): bump gcr.io/distroless/base-nossl-debian12:debug from 1321f45 to 35a3865 [#15354](https://github.com/kumahq/kuma/pull/15354) [#15588](https://github.com/kumahq/kuma/pull/15588) [#16648](https://github.com/kumahq/kuma/pull/16648) @renovate
+* chore(deps): bump gcr.io/distroless/base-nossl-debian12:debug-nonroot from ef70836 to 6cec643 [#15355](https://github.com/kumahq/kuma/pull/15355) [#15589](https://github.com/kumahq/kuma/pull/15589) [#16649](https://github.com/kumahq/kuma/pull/16649) @renovate
+* chore(deps): bump gcr.io/distroless/static-debian12:debug-nonroot from 53ced32 to f414196 [#15356](https://github.com/kumahq/kuma/pull/15356) [#15590](https://github.com/kumahq/kuma/pull/15590) [#16650](https://github.com/kumahq/kuma/pull/16650) @renovate
+* chore(deps): bump gcr.io/k8s-staging-build-image/distroless-iptables from 0.8.6 to 0.9.2 [#15421](https://github.com/kumahq/kuma/pull/15421) [#15598](https://github.com/kumahq/kuma/pull/15598) [#15633](https://github.com/kumahq/kuma/pull/15633) [#16241](https://github.com/kumahq/kuma/pull/16241) [#16654](https://github.com/kumahq/kuma/pull/16654) @renovate
+* chore(deps): bump gcr.io/k8s-staging-build-image/distroless-iptables:v0.8.6 from 4e0a77d to 8366c73 [#15357](https://github.com/kumahq/kuma/pull/15357) @renovate
+* chore(deps): bump ghcr.io/kumahq/ubuntu-netools:main from 9c4e99b to 5a7b674 [#15316](https://github.com/kumahq/kuma/pull/15316) [#15485](https://github.com/kumahq/kuma/pull/15485) [#15551](https://github.com/kumahq/kuma/pull/15551) [#15592](https://github.com/kumahq/kuma/pull/15592) [#15726](https://github.com/kumahq/kuma/pull/15726) [#15763](https://github.com/kumahq/kuma/pull/15763) [#15936](https://github.com/kumahq/kuma/pull/15936) [#16035](https://github.com/kumahq/kuma/pull/16035) [#16111](https://github.com/kumahq/kuma/pull/16111) [#16236](https://github.com/kumahq/kuma/pull/16236) [#16811](https://github.com/kumahq/kuma/pull/16811) @renovate
+* chore(deps): bump ghcr.io/spiffe/spire-agent from 1.13.3 to 1.15.1 [#15286](https://github.com/kumahq/kuma/pull/15286) [#15387](https://github.com/kumahq/kuma/pull/15387) [#15766](https://github.com/kumahq/kuma/pull/15766) [#15943](https://github.com/kumahq/kuma/pull/15943) [#16242](https://github.com/kumahq/kuma/pull/16242) [#16468](https://github.com/kumahq/kuma/pull/16468) [#16748](https://github.com/kumahq/kuma/pull/16748) [#16814](https://github.com/kumahq/kuma/pull/16814) @renovate
+* chore(deps): bump ghcr.io/spiffe/spire-server from 1.14.0 to 1.15.1 [#15388](https://github.com/kumahq/kuma/pull/15388) [#15767](https://github.com/kumahq/kuma/pull/15767) [#15944](https://github.com/kumahq/kuma/pull/15944) [#16243](https://github.com/kumahq/kuma/pull/16243) [#16469](https://github.com/kumahq/kuma/pull/16469) [#16749](https://github.com/kumahq/kuma/pull/16749) [#16815](https://github.com/kumahq/kuma/pull/16815) @renovate
+* chore(deps): bump ginkgo from 2.27.3 to 2.29.0 [#15360](https://github.com/kumahq/kuma/pull/15360) [#15494](https://github.com/kumahq/kuma/pull/15494) [#16445](https://github.com/kumahq/kuma/pull/16445) [#16470](https://github.com/kumahq/kuma/pull/16470) [#16665](https://github.com/kumahq/kuma/pull/16665) @renovate
+* chore(deps): bump github.com/Masterminds/semver/v3 from 3.4.0 to 3.5.0 [#16474](https://github.com/kumahq/kuma/pull/16474) @renovate
+* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs from 1.58.0 to 1.65.0 [#16145](https://github.com/kumahq/kuma/pull/16145) @renovate
+* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/lambda from 1.77.4 to 1.88.5 [#16147](https://github.com/kumahq/kuma/pull/16147) @renovate
+* chore(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.88.1 to 1.97.3 [#16148](https://github.com/kumahq/kuma/pull/16148) @renovate
+* chore(deps): bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 [#15904](https://github.com/kumahq/kuma/pull/15904) @renovate
+* chore(deps): bump github.com/cilium/ebpf from 0.20.0 to 0.21.0 [#15777](https://github.com/kumahq/kuma/pull/15777) @renovate
+* chore(deps): bump github.com/cncf/xds/go from ee656c7 to dba9d58 [#15419](https://github.com/kumahq/kuma/pull/15419) [#15552](https://github.com/kumahq/kuma/pull/15552) @renovate
+* chore(deps): bump github.com/containernetworking/plugins from 1.9.0 to 1.9.1 [#15945](https://github.com/kumahq/kuma/pull/15945) @renovate
+* chore(deps): bump github.com/envoyproxy/go-control-plane* [#15930](https://github.com/kumahq/kuma/pull/15930) @renovate
+* chore(deps): bump github.com/envoyproxy/protoc-gen-validate from 1.3.0 to 1.3.3 [#15664](https://github.com/kumahq/kuma/pull/15664) @renovate
+* chore(deps): bump github.com/exaring/otelpgx from 0.9.4 to 0.11.1 [#15394](https://github.com/kumahq/kuma/pull/15394) [#16750](https://github.com/kumahq/kuma/pull/16750) @renovate
+* chore(deps): bump github.com/golang-jwt/jwt/v5 from 5.3.0 to 5.3.1 [#15490](https://github.com/kumahq/kuma/pull/15490) @renovate
+* chore(deps): bump github.com/gruntwork-io/terratest from 0.54.0 to 1.0.0 [#15395](https://github.com/kumahq/kuma/pull/15395) [#15610](https://github.com/kumahq/kuma/pull/15610) [#16670](https://github.com/kumahq/kuma/pull/16670) @renovate
+* chore(deps): bump github.com/invopop/jsonschema from 0.13.0 to 0.14.0 [#16666](https://github.com/kumahq/kuma/pull/16666) @renovate
+* chore(deps): bump github.com/jackc/pgx/v5 from 5.7.6 to 5.9.2 [#15338](https://github.com/kumahq/kuma/pull/15338) [#15952](https://github.com/kumahq/kuma/pull/15952) [#15965](https://github.com/kumahq/kuma/pull/15965) [#16305](https://github.com/kumahq/kuma/pull/16305) @renovate
+* chore(deps): bump github.com/josephburnett/jd/v2 from 2.3.0 to 2.5.0 [#15336](https://github.com/kumahq/kuma/pull/15336) [#15396](https://github.com/kumahq/kuma/pull/15396) [#15733](https://github.com/kumahq/kuma/pull/15733) @renovate
+* chore(deps): bump github.com/miekg/dns from 1.1.69 to 1.1.72 [#15361](https://github.com/kumahq/kuma/pull/15361) [#15422](https://github.com/kumahq/kuma/pull/15422) @renovate
+* chore(deps): bump github.com/moby/spdystream from 0.5.0 to 0.5.1 [#16291](https://github.com/kumahq/kuma/pull/16291) @renovate
+* chore(deps): bump github.com/onsi/gomega from 1.38.3 to 1.41.0 [#15366](https://github.com/kumahq/kuma/pull/15366) [#15491](https://github.com/kumahq/kuma/pull/15491) [#16475](https://github.com/kumahq/kuma/pull/16475) [#16667](https://github.com/kumahq/kuma/pull/16667) @renovate
+* chore(deps): bump github.com/prometheus/common from 0.67.4 to 0.68.0 [#15362](https://github.com/kumahq/kuma/pull/15362) [#16817](https://github.com/kumahq/kuma/pull/16817) @renovate
+* chore(deps): bump github.com/testcontainers/testcontainers-go from 0.40.0 to 0.42.0 [#15826](https://github.com/kumahq/kuma/pull/15826) [#16250](https://github.com/kumahq/kuma/pull/16250) @renovate
+* chore(deps): bump go.opentelemetry.io/proto/otlp from 1.9.0 to 1.10.0 [#15827](https://github.com/kumahq/kuma/pull/15827) @renovate
+* chore(deps): bump go.uber.org/zap from 1.27.1 to 1.28.0 [#16476](https://github.com/kumahq/kuma/pull/16476) @renovate
+* chore(deps): bump golang.org/x/crypto from 0.47.0 to 0.52.0 [#15611](https://github.com/kumahq/kuma/pull/15611) [#16727](https://github.com/kumahq/kuma/pull/16727) @renovate
+* chore(deps): bump golang.org/x/exp from 8475f28 to c761662 [#15317](https://github.com/kumahq/kuma/pull/15317) [#15381](https://github.com/kumahq/kuma/pull/15381) [#15593](https://github.com/kumahq/kuma/pull/15593) [#15661](https://github.com/kumahq/kuma/pull/15661) [#15814](https://github.com/kumahq/kuma/pull/15814) [#16237](https://github.com/kumahq/kuma/pull/16237) [#16514](https://github.com/kumahq/kuma/pull/16514) [#16812](https://github.com/kumahq/kuma/pull/16812) @renovate
+* chore(deps): bump golang.org/x/net from 0.50.0 to 0.55.0 [#15740](https://github.com/kumahq/kuma/pull/15740) [#16738](https://github.com/kumahq/kuma/pull/16738) @renovate
+* chore(deps): bump golang.org/x/sync from 0.19.0 to 0.20.0 [#15778](https://github.com/kumahq/kuma/pull/15778) @renovate
+* chore(deps): bump golang.org/x/sys from 0.39.0 to 0.45.0 [#15367](https://github.com/kumahq/kuma/pull/15367) [#15559](https://github.com/kumahq/kuma/pull/15559) [#15779](https://github.com/kumahq/kuma/pull/15779) [#16252](https://github.com/kumahq/kuma/pull/16252) [#16752](https://github.com/kumahq/kuma/pull/16752) @renovate
+* chore(deps): bump golang.org/x/text from 0.32.0 to 0.36.0 [#15368](https://github.com/kumahq/kuma/pull/15368) [#16253](https://github.com/kumahq/kuma/pull/16253) @renovate
+* chore(deps): bump golang.org/x/tools from 0.40.0 to 0.45.0 [#15398](https://github.com/kumahq/kuma/pull/15398) [#15613](https://github.com/kumahq/kuma/pull/15613) [#15830](https://github.com/kumahq/kuma/pull/15830) [#16254](https://github.com/kumahq/kuma/pull/16254) [#16527](https://github.com/kumahq/kuma/pull/16527) @renovate
+* chore(deps): bump golangci-lint from 2.7.2 to 2.12.2 [#15369](https://github.com/kumahq/kuma/pull/15369) [#15614](https://github.com/kumahq/kuma/pull/15614) [#15670](https://github.com/kumahq/kuma/pull/15670) [#15780](https://github.com/kumahq/kuma/pull/15780) [#15820](https://github.com/kumahq/kuma/pull/15820) [#15966](https://github.com/kumahq/kuma/pull/15966) [#16477](https://github.com/kumahq/kuma/pull/16477) [#16522](https://github.com/kumahq/kuma/pull/16522) @renovate
+* chore(deps): bump gonum.org/v1/gonum from 0.16.0 to 0.17.0 [#15370](https://github.com/kumahq/kuma/pull/15370) @renovate
+* chore(deps): bump google.golang.org/genproto/googleapis/* from 97cd9d5 to 0a33c5d [#15335](https://github.com/kumahq/kuma/pull/15335) [#15382](https://github.com/kumahq/kuma/pull/15382) [#15486](https://github.com/kumahq/kuma/pull/15486) [#15553](https://github.com/kumahq/kuma/pull/15553) [#15594](https://github.com/kumahq/kuma/pull/15594) [#15662](https://github.com/kumahq/kuma/pull/15662) [#15727](https://github.com/kumahq/kuma/pull/15727) [#15815](https://github.com/kumahq/kuma/pull/15815) [#15937](https://github.com/kumahq/kuma/pull/15937) [#16112](https://github.com/kumahq/kuma/pull/16112) [#16238](https://github.com/kumahq/kuma/pull/16238) [#16301](https://github.com/kumahq/kuma/pull/16301) [#16394](https://github.com/kumahq/kuma/pull/16394) [#16444](https://github.com/kumahq/kuma/pull/16444) [#16515](https://github.com/kumahq/kuma/pull/16515) [#16651](https://github.com/kumahq/kuma/pull/16651) [#16741](https://github.com/kumahq/kuma/pull/16741) @renovate
+* chore(deps): bump google.golang.org/genproto/googleapis/api from 0a33c5d to 3dc84a4 [#16813](https://github.com/kumahq/kuma/pull/16813) @renovate
+* chore(deps): bump google.golang.org/grpc from 1.77.0 to 1.81.1 [#15339](https://github.com/kumahq/kuma/pull/15339) [#15615](https://github.com/kumahq/kuma/pull/15615) [#16120](https://github.com/kumahq/kuma/pull/16120) [#16528](https://github.com/kumahq/kuma/pull/16528) [#16656](https://github.com/kumahq/kuma/pull/16656) @renovate
+* chore(deps): bump helm from 4.0.4 to 4.2.0 [#15390](https://github.com/kumahq/kuma/pull/15390) [#15600](https://github.com/kumahq/kuma/pull/15600) [#15822](https://github.com/kumahq/kuma/pull/15822) [#16668](https://github.com/kumahq/kuma/pull/16668) @renovate
+* chore(deps): bump helm.sh/helm/v4 from 4.1.3 to 4.1.4 [#16216](https://github.com/kumahq/kuma/pull/16216) @renovate
+* chore(deps): bump k8s.io/klog/v2 from 2.130.1 to 2.140.0 [#15781](https://github.com/kumahq/kuma/pull/15781) @renovate
+* chore(deps): bump k8s.io/kube-openapi from 4e65d59 to aa012df [#15487](https://github.com/kumahq/kuma/pull/15487) [#15764](https://github.com/kumahq/kuma/pull/15764) [#15938](https://github.com/kumahq/kuma/pull/15938) [#16113](https://github.com/kumahq/kuma/pull/16113) [#16302](https://github.com/kumahq/kuma/pull/16302) [#16467](https://github.com/kumahq/kuma/pull/16467) [#16516](https://github.com/kumahq/kuma/pull/16516) [#16652](https://github.com/kumahq/kuma/pull/16652) [#16742](https://github.com/kumahq/kuma/pull/16742) @renovate
+* chore(deps): bump k8s.io/utils from bc988d5 to ff6756f [#15318](https://github.com/kumahq/kuma/pull/15318) [#15358](https://github.com/kumahq/kuma/pull/15358) [#15595](https://github.com/kumahq/kuma/pull/15595) [#15939](https://github.com/kumahq/kuma/pull/15939) [#16517](https://github.com/kumahq/kuma/pull/16517) @renovate
+* chore(deps): bump kindest/node from 1.31.14 to 1.35.1 [#15954](https://github.com/kumahq/kuma/pull/15954) @renovate
+* chore(deps): bump kubectl from 1.34.3 to 1.36.1 [#15371](https://github.com/kumahq/kuma/pull/15371) [#15601](https://github.com/kumahq/kuma/pull/15601) [#15730](https://github.com/kumahq/kuma/pull/15730) [#15946](https://github.com/kumahq/kuma/pull/15946) [#16307](https://github.com/kumahq/kuma/pull/16307) [#16400](https://github.com/kumahq/kuma/pull/16400) [#16657](https://github.com/kumahq/kuma/pull/16657) @renovate
+* chore(deps): bump kubernetes monorepo from 0.35.2 to 0.35.3 [#15947](https://github.com/kumahq/kuma/pull/15947) @renovate
+* chore(deps): bump kubernetes monorepo from 0.35.3 to 0.35.4 [#16308](https://github.com/kumahq/kuma/pull/16308) @renovate
+* chore(deps): bump kubernetes monorepo from 0.35.4 to 0.36.0 [#16401](https://github.com/kumahq/kuma/pull/16401) @renovate
+* chore(deps): bump kubernetes monorepo from 0.36.0 to 0.36.1 [#16658](https://github.com/kumahq/kuma/pull/16658) @renovate
+* chore(deps): bump kubernetes packages from 0.34.3 to 0.35.0 [#15327](https://github.com/kumahq/kuma/pull/15327) @renovate
+* chore(deps): bump kubernetes packages from 0.35.0 to 0.35.1 [#15602](https://github.com/kumahq/kuma/pull/15602) @renovate
+* chore(deps): bump kubernetes packages from 0.35.1 to 0.35.2 [#15731](https://github.com/kumahq/kuma/pull/15731) @renovate
+* chore(deps): bump kumahq/ci-tools from v1.4.3 to v1.4.6 [#15686](https://github.com/kumahq/kuma/pull/15686) [#15754](https://github.com/kumahq/kuma/pull/15754) [#16928](https://github.com/kumahq/kuma/pull/16928) @lukidzi
+* chore(deps): bump metallb from 0.15.3 to 0.16.1 [#16753](https://github.com/kumahq/kuma/pull/16753) [#16816](https://github.com/kumahq/kuma/pull/16816) @renovate
+* chore(deps): bump npm:@redocly/cli from 2.18.1 to 2.19.1 [#15647](https://github.com/kumahq/kuma/pull/15647) @lukidzi
+* chore(deps): bump opentelemetry-go monorepo [#15257](https://github.com/kumahq/kuma/pull/15257) [#15893](https://github.com/kumahq/kuma/pull/15893) [#16121](https://github.com/kumahq/kuma/pull/16121) [#16819](https://github.com/kumahq/kuma/pull/16819) @renovate
+* chore(deps): bump opentelemetry-go-contrib monorepo from 0.64.0 to 0.65.0 [#15560](https://github.com/kumahq/kuma/pull/15560) @renovate
+* chore(deps): bump opentelemetry-go-contrib monorepo from 0.65.0 to 0.67.0 [#15783](https://github.com/kumahq/kuma/pull/15783) @renovate
+* chore(deps): bump opentelemetry-go-contrib monorepo from 0.67.0 to 0.68.0 [#16255](https://github.com/kumahq/kuma/pull/16255) @renovate
+* chore(deps): bump opentelemetry-go-contrib monorepo from 0.68.0 to 0.69.0 [#16820](https://github.com/kumahq/kuma/pull/16820) @renovate
+* chore(deps): bump postgres:latest from 38d5c9d to 8ff36f3 [#15341](https://github.com/kumahq/kuma/pull/15341) [#15384](https://github.com/kumahq/kuma/pull/15384) [#15554](https://github.com/kumahq/kuma/pull/15554) [#15596](https://github.com/kumahq/kuma/pull/15596) [#15728](https://github.com/kumahq/kuma/pull/15728) [#15940](https://github.com/kumahq/kuma/pull/15940) [#16239](https://github.com/kumahq/kuma/pull/16239) [#16395](https://github.com/kumahq/kuma/pull/16395) [#16518](https://github.com/kumahq/kuma/pull/16518) [#16653](https://github.com/kumahq/kuma/pull/16653) [#16744](https://github.com/kumahq/kuma/pull/16744) @renovate
+* chore(deps): bump projectcalico/tigera-operator from 3.31.2 to 3.32.0 [#15322](https://github.com/kumahq/kuma/pull/15322) [#15667](https://github.com/kumahq/kuma/pull/15667) [#16309](https://github.com/kumahq/kuma/pull/16309) [#16478](https://github.com/kumahq/kuma/pull/16478) @renovate
+* chore(deps): bump registry.k8s.io/pause to ee6521f [#16110](https://github.com/kumahq/kuma/pull/16110) @renovate
+* chore(deps): bump sigs.k8s.io/controller-runtime from 0.22.4 to 0.24.1 [#15427](https://github.com/kumahq/kuma/pull/15427) [#15492](https://github.com/kumahq/kuma/pull/15492) [#15771](https://github.com/kumahq/kuma/pull/15771) [#16660](https://github.com/kumahq/kuma/pull/16660) @renovate
+* chore(deps): bump sigs.k8s.io/controller-tools from 0.19.0 to 0.21.0 [#15328](https://github.com/kumahq/kuma/pull/15328) [#15604](https://github.com/kumahq/kuma/pull/15604) [#16529](https://github.com/kumahq/kuma/pull/16529) @renovate
+* chore(deps): bump sigs.k8s.io/gateway-api from 1.4.1 to 1.5.1 [#15734](https://github.com/kumahq/kuma/pull/15734) [#15948](https://github.com/kumahq/kuma/pull/15948) @renovate
+* chore(deps): security update [#15480](https://github.com/kumahq/kuma/pull/15480) [#15546](https://github.com/kumahq/kuma/pull/15546) [#15638](https://github.com/kumahq/kuma/pull/15638) [#15788](https://github.com/kumahq/kuma/pull/15788) [#15874](https://github.com/kumahq/kuma/pull/15874) [#16506](https://github.com/kumahq/kuma/pull/16506) [#16865](https://github.com/kumahq/kuma/pull/16865) @kumahq
+* chore(deps): upgrade coredns version from v1.13.1 to 1.14.1 [#15483](https://github.com/kumahq/kuma/pull/15483) @lukidzi
+* chore(deps): upgrade envoy from v1.37.0 to 1.37.1 [#15905](https://github.com/kumahq/kuma/pull/15905) @lukidzi
+* chore(deps): upgrade kumahq/ci-tools from v1.4.2 to v1.4.3 [#15539](https://github.com/kumahq/kuma/pull/15539) @lukidzi
+* chore(deps): use latest kumahq/kuma-gui [#15313](https://github.com/kumahq/kuma/pull/15313) [#15346](https://github.com/kumahq/kuma/pull/15346) [#15349](https://github.com/kumahq/kuma/pull/15349) [#15351](https://github.com/kumahq/kuma/pull/15351) [#15373](https://github.com/kumahq/kuma/pull/15373) [#15374](https://github.com/kumahq/kuma/pull/15374) [#15375](https://github.com/kumahq/kuma/pull/15375) [#15444](https://github.com/kumahq/kuma/pull/15444) [#15459](https://github.com/kumahq/kuma/pull/15459) [#15509](https://github.com/kumahq/kuma/pull/15509) [#15514](https://github.com/kumahq/kuma/pull/15514) [#15521](https://github.com/kumahq/kuma/pull/15521) [#15531](https://github.com/kumahq/kuma/pull/15531) [#15533](https://github.com/kumahq/kuma/pull/15533) [#15536](https://github.com/kumahq/kuma/pull/15536) [#15618](https://github.com/kumahq/kuma/pull/15618) [#15622](https://github.com/kumahq/kuma/pull/15622) [#15624](https://github.com/kumahq/kuma/pull/15624) [#15626](https://github.com/kumahq/kuma/pull/15626) [#15630](https://github.com/kumahq/kuma/pull/15630) [#15636](https://github.com/kumahq/kuma/pull/15636) [#15645](https://github.com/kumahq/kuma/pull/15645) [#15658](https://github.com/kumahq/kuma/pull/15658) [#15702](https://github.com/kumahq/kuma/pull/15702) [#15705](https://github.com/kumahq/kuma/pull/15705) [#15707](https://github.com/kumahq/kuma/pull/15707) [#15721](https://github.com/kumahq/kuma/pull/15721) [#15739](https://github.com/kumahq/kuma/pull/15739) [#15742](https://github.com/kumahq/kuma/pull/15742) [#15746](https://github.com/kumahq/kuma/pull/15746) [#15747](https://github.com/kumahq/kuma/pull/15747) [#15749](https://github.com/kumahq/kuma/pull/15749) [#15792](https://github.com/kumahq/kuma/pull/15792) [#15804](https://github.com/kumahq/kuma/pull/15804) [#15810](https://github.com/kumahq/kuma/pull/15810) [#15842](https://github.com/kumahq/kuma/pull/15842) [#15869](https://github.com/kumahq/kuma/pull/15869) [#15871](https://github.com/kumahq/kuma/pull/15871) [#15886](https://github.com/kumahq/kuma/pull/15886) [#15925](https://github.com/kumahq/kuma/pull/15925) [#15971](https://github.com/kumahq/kuma/pull/15971) [#15992](https://github.com/kumahq/kuma/pull/15992) [#16026](https://github.com/kumahq/kuma/pull/16026) [#16045](https://github.com/kumahq/kuma/pull/16045) [#16079](https://github.com/kumahq/kuma/pull/16079) [#16103](https://github.com/kumahq/kuma/pull/16103) [#16125](https://github.com/kumahq/kuma/pull/16125) [#16181](https://github.com/kumahq/kuma/pull/16181) [#16211](https://github.com/kumahq/kuma/pull/16211) [#16259](https://github.com/kumahq/kuma/pull/16259) [#16292](https://github.com/kumahq/kuma/pull/16292) [#16295](https://github.com/kumahq/kuma/pull/16295) [#16316](https://github.com/kumahq/kuma/pull/16316) [#16317](https://github.com/kumahq/kuma/pull/16317) [#16344](https://github.com/kumahq/kuma/pull/16344) [#16352](https://github.com/kumahq/kuma/pull/16352) [#16370](https://github.com/kumahq/kuma/pull/16370) [#16372](https://github.com/kumahq/kuma/pull/16372) [#16453](https://github.com/kumahq/kuma/pull/16453) [#16491](https://github.com/kumahq/kuma/pull/16491) [#16495](https://github.com/kumahq/kuma/pull/16495) [#16500](https://github.com/kumahq/kuma/pull/16500) [#16504](https://github.com/kumahq/kuma/pull/16504) [#16561](https://github.com/kumahq/kuma/pull/16561) [#16585](https://github.com/kumahq/kuma/pull/16585) [#16598](https://github.com/kumahq/kuma/pull/16598) [#16674](https://github.com/kumahq/kuma/pull/16674) [#16678](https://github.com/kumahq/kuma/pull/16678) [#16691](https://github.com/kumahq/kuma/pull/16691) [#16704](https://github.com/kumahq/kuma/pull/16704) [#16708](https://github.com/kumahq/kuma/pull/16708) [#16712](https://github.com/kumahq/kuma/pull/16712) [#16761](https://github.com/kumahq/kuma/pull/16761) [#16767](https://github.com/kumahq/kuma/pull/16767) [#16780](https://github.com/kumahq/kuma/pull/16780) [#16825](https://github.com/kumahq/kuma/pull/16825) [#16845](https://github.com/kumahq/kuma/pull/16845) [#16851](https://github.com/kumahq/kuma/pull/16851) [#16853](https://github.com/kumahq/kuma/pull/16853) [#16854](https://github.com/kumahq/kuma/pull/16854) [#16855](https://github.com/kumahq/kuma/pull/16855) [#16862](https://github.com/kumahq/kuma/pull/16862) [#16863](https://github.com/kumahq/kuma/pull/16863) [#16872](https://github.com/kumahq/kuma/pull/16872) [#16905](https://github.com/kumahq/kuma/pull/16905) [#16918](https://github.com/kumahq/kuma/pull/16918) [#16922](https://github.com/kumahq/kuma/pull/16922) [#16931](https://github.com/kumahq/kuma/pull/16931) [#16938](https://github.com/kumahq/kuma/pull/16938) [#16942](https://github.com/kumahq/kuma/pull/16942) @kumahq
+* feat(MeshMetric): use KRI format for workload metric attribute [#15508](https://github.com/kumahq/kuma/pull/15508) @Automaat
+* feat(MeshTrafficPermission): use cliques instead of connected components as an optimization when building rules [#15412](https://github.com/kumahq/kuma/pull/15412) @lobkovilya
+* feat(api): add spiffeId to dataplane layout endpoint [#16021](https://github.com/kumahq/kuma/pull/16021) @Automaat
+* feat(bootstrap): add UDS support for Envoy admin API [#15795](https://github.com/kumahq/kuma/pull/15795) @Automaat
+* feat(charts): expose CP HPA behavior [#16576](https://github.com/kumahq/kuma/pull/16576) @bartsmykla
+* feat(distribution): extra files in tarball [#15996](https://github.com/kumahq/kuma/pull/15996) @Automaat
+* feat(dns): add workload labels to DNS proxy metrics [#15918](https://github.com/kumahq/kuma/pull/15918) @Automaat
+* feat(helm): add custom issuer support for cert-manager integration [#15377](https://github.com/kumahq/kuma/pull/15377) @slonka
+* feat(helm): allow to customize san [#16282](https://github.com/kumahq/kuma/pull/16282) @lukidzi
+* feat(helm): expose divisor for GOMAXPROCS/GOMEMLIMIT env vars [#15919](https://github.com/kumahq/kuma/pull/15919) @Automaat
+* feat(hostnamegenerator): validate rendered template at creation [#16679](https://github.com/kumahq/kuma/pull/16679) @lukidzi
+* feat(k8s): enable sidecar containers by default [#16502](https://github.com/kumahq/kuma/pull/16502) @lukidzi
+* feat(k8s): remove CPU limit from init/sidecar container [#16207](https://github.com/kumahq/kuma/pull/16207) @lukidzi
+* feat(k8s): remove cpu limit on validation container [#16263](https://github.com/kumahq/kuma/pull/16263) @lukidzi
+* feat(kuma-cp): add MeshOpenTelemetryBackend for shared policy-based OpenTelemetry backends [#15863](https://github.com/kumahq/kuma/pull/15863) [#15865](https://github.com/kumahq/kuma/pull/15865) [#15868](https://github.com/kumahq/kuma/pull/15868) [#15872](https://github.com/kumahq/kuma/pull/15872) [#15898](https://github.com/kumahq/kuma/pull/15898) [#16022](https://github.com/kumahq/kuma/pull/16022) [#16673](https://github.com/kumahq/kuma/pull/16673) [#16909](https://github.com/kumahq/kuma/pull/16909) @bartsmykla,@lukidzi
+* feat(kuma-cp): add mesh-scoped zone proxies [#15748](https://github.com/kumahq/kuma/pull/15748) [#15759](https://github.com/kumahq/kuma/pull/15759) [#15809](https://github.com/kumahq/kuma/pull/15809) [#15811](https://github.com/kumahq/kuma/pull/15811) [#15843](https://github.com/kumahq/kuma/pull/15843) [#15870](https://github.com/kumahq/kuma/pull/15870) [#16014](https://github.com/kumahq/kuma/pull/16014) [#16346](https://github.com/kumahq/kuma/pull/16346) [#16354](https://github.com/kumahq/kuma/pull/16354) [#16367](https://github.com/kumahq/kuma/pull/16367) [#16380](https://github.com/kumahq/kuma/pull/16380) [#16461](https://github.com/kumahq/kuma/pull/16461) [#16563](https://github.com/kumahq/kuma/pull/16563) [#16574](https://github.com/kumahq/kuma/pull/16574) [#16575](https://github.com/kumahq/kuma/pull/16575) [#16584](https://github.com/kumahq/kuma/pull/16584) [#16597](https://github.com/kumahq/kuma/pull/16597) [#16599](https://github.com/kumahq/kuma/pull/16599) [#16601](https://github.com/kumahq/kuma/pull/16601) [#16625](https://github.com/kumahq/kuma/pull/16625) [#16627](https://github.com/kumahq/kuma/pull/16627) [#16709](https://github.com/kumahq/kuma/pull/16709) [#16758](https://github.com/kumahq/kuma/pull/16758) [#16762](https://github.com/kumahq/kuma/pull/16762) [#16765](https://github.com/kumahq/kuma/pull/16765) [#16768](https://github.com/kumahq/kuma/pull/16768) [#16797](https://github.com/kumahq/kuma/pull/16797) [#16824](https://github.com/kumahq/kuma/pull/16824) [#16876](https://github.com/kumahq/kuma/pull/16876) @Automaat,@lobkovilya,@lukidzi,@slonka
+* feat(kuma-cp): component based logging [#16097](https://github.com/kumahq/kuma/pull/16097) [#16499](https://github.com/kumahq/kuma/pull/16499) [#16586](https://github.com/kumahq/kuma/pull/16586) [#16616](https://github.com/kumahq/kuma/pull/16616) [#16617](https://github.com/kumahq/kuma/pull/16617) @Automaat,@bartsmykla
+* feat(kuma-cp): improve control-plane observability with dashboards, histograms, and operational metrics [#15538](https://github.com/kumahq/kuma/pull/15538) [#15709](https://github.com/kumahq/kuma/pull/15709) [#15722](https://github.com/kumahq/kuma/pull/15722) [#15743](https://github.com/kumahq/kuma/pull/15743) [#15837](https://github.com/kumahq/kuma/pull/15837) [#15998](https://github.com/kumahq/kuma/pull/15998) [#16052](https://github.com/kumahq/kuma/pull/16052) [#16201](https://github.com/kumahq/kuma/pull/16201) [#16229](https://github.com/kumahq/kuma/pull/16229) [#16783](https://github.com/kumahq/kuma/pull/16783) @Automaat,@bartsmykla
+* feat(kuma-cp): set `hasRulesTargetRef` in `/_resource` endpoint [#15524](https://github.com/kumahq/kuma/pull/15524) @lobkovilya
+* feat(kuma-cp): support running without inbound tags [#15439](https://github.com/kumahq/kuma/pull/15439) [#15441](https://github.com/kumahq/kuma/pull/15441) [#15443](https://github.com/kumahq/kuma/pull/15443) [#15445](https://github.com/kumahq/kuma/pull/15445) [#15458](https://github.com/kumahq/kuma/pull/15458) [#15499](https://github.com/kumahq/kuma/pull/15499) [#15675](https://github.com/kumahq/kuma/pull/15675) [#15680](https://github.com/kumahq/kuma/pull/15680) [#15685](https://github.com/kumahq/kuma/pull/15685) [#15703](https://github.com/kumahq/kuma/pull/15703) [#16020](https://github.com/kumahq/kuma/pull/16020) [#16024](https://github.com/kumahq/kuma/pull/16024) [#16030](https://github.com/kumahq/kuma/pull/16030) [#16551](https://github.com/kumahq/kuma/pull/16551) [#16552](https://github.com/kumahq/kuma/pull/16552) [#16559](https://github.com/kumahq/kuma/pull/16559) [#16564](https://github.com/kumahq/kuma/pull/16564) [#16572](https://github.com/kumahq/kuma/pull/16572) [#16590](https://github.com/kumahq/kuma/pull/16590) [#16688](https://github.com/kumahq/kuma/pull/16688) @Automaat,@lahabana,@mail2sudheerobbu-oss
+* feat(kuma-dp): auto-detect DNS proxy bind address [#15568](https://github.com/kumahq/kuma/pull/15568) @slonka
+* feat(kuma-dp): gate /ready on DNS proxy config with 15s timeout [#16294](https://github.com/kumahq/kuma/pull/16294) @lukidzi
+* feat(kumactl): add deprecation warning to install observability [#15706](https://github.com/kumahq/kuma/pull/15706) @Automaat
+* feat(kumactl): allow applying entire directories [#15813](https://github.com/kumahq/kuma/pull/15813) @lahabana
+* feat(mads): add flag to disable MADS server [#16042](https://github.com/kumahq/kuma/pull/16042) @Automaat
+* feat(matches): add `matches` to shared `inbound.Rule` struct [#16647](https://github.com/kumahq/kuma/pull/16647) @lobkovilya
+* feat(meshaccesslog): add %KUMA_ZONE%, %KUMA_WORKLOAD% vars and OTel resource attrs [#15692](https://github.com/kumahq/kuma/pull/15692) @Automaat
+* feat(meshexternalservice): allow to define priority for endpoints [#15571](https://github.com/kumahq/kuma/pull/15571) @lukidzi
+* feat(meshidentity): introduce an extension to the MeshIdentity [#15537](https://github.com/kumahq/kuma/pull/15537) @lukidzi
+* feat(meshmetric): extend Basic profile metrics [#16044](https://github.com/kumahq/kuma/pull/16044) @Automaat
+* feat(meshmetric): use plain workload name in extra labels [#15897](https://github.com/kumahq/kuma/pull/15897) @Automaat
+* feat(meshtrace): add HTTP/HTTPS OTEL support [#15563](https://github.com/kumahq/kuma/pull/15563) @bartsmykla
+* feat(meshtrace): inject kuma.mesh/zone/workload span tags [#15695](https://github.com/kumahq/kuma/pull/15695) @Automaat
+* feat(meshtrafficpermission): deprecate 'from' field in favor of 'rules' [#16182](https://github.com/kumahq/kuma/pull/16182) @Automaat
+* feat(metrics): deprecate metrics pod annotations [#15710](https://github.com/kumahq/kuma/pull/15710) @Automaat
+* feat(mmzs): deprecate names longer than 63 chars [#16539](https://github.com/kumahq/kuma/pull/16539) @slonka
+* feat(xds): enable reusePort for all platforms [#16501](https://github.com/kumahq/kuma/pull/16501) @lukidzi
+* feat(xds): expose delta xDS via Helm and fix k8s injection [#16392](https://github.com/kumahq/kuma/pull/16392) @lukidzi
+* fix(MADR): small inaccuracy in SNI format document [#16458](https://github.com/kumahq/kuma/pull/16458) @lobkovilya
+* fix(MeshMetric): ensure all internal entities in Basic filter [#15418](https://github.com/kumahq/kuma/pull/15418) @lahabana
+* fix(MeshTrafficPermission): don't fallback to legacy rules when using MeshIdentity [#16910](https://github.com/kumahq/kuma/pull/16910) @lobkovilya
+* fix(ServiceInsight): don't compute when meshServices.mode is Exclusive [#16921](https://github.com/kumahq/kuma/pull/16921) @lobkovilya
+* fix(ServiceInsights): resyncer produces ServiceInsights with empty name [#16912](https://github.com/kumahq/kuma/pull/16912) @lobkovilya
+* fix(api): KRI 404 for cluster-scoped types [#16180](https://github.com/kumahq/kuma/pull/16180) @Automaat
+* fix(api): add KRI support for Zone resource [#16101](https://github.com/kumahq/kuma/pull/16101) @Automaat
+* fix(api): add better message for spiffe validator [#16919](https://github.com/kumahq/kuma/pull/16919) @lukidzi
+* fix(api-server): add missing HTTP server timeouts to prevent slowloris DoS [#16166](https://github.com/kumahq/kuma/pull/16166) @Automaat
+* fix(api-server): dedup origins in inbound MTP multi-rule response [#16126](https://github.com/kumahq/kuma/pull/16126) @Automaat
+* fix(api-server): handle wrapped IssuerDisabled errors correctly [#16904](https://github.com/kumahq/kuma/pull/16904) @lukidzi
+* fix(api-server): harden localhost admin auth [#16416](https://github.com/kumahq/kuma/pull/16416) @bartsmykla
+* fix(api-server): include HostnameGenerator [#16108](https://github.com/kumahq/kuma/pull/16108) @aviralgarg05
+* fix(api-server): include insights when filtering dataplanes by labels [#15413](https://github.com/kumahq/kuma/pull/15413) @Automaat
+* fix(api-server): nil panic in updateResource on store error [#16005](https://github.com/kumahq/kuma/pull/16005) @Automaat
+* fix(api-server): simplify and fix hostname inspection for multi-zone … [#15227](https://github.com/kumahq/kuma/pull/15227) @lukidzi
+* fix(api-server): validate auth in KRI endpoints [#15581](https://github.com/kumahq/kuma/pull/15581) @lahabana
+* fix(api-server): validate origin label on resource delete [#16826](https://github.com/kumahq/kuma/pull/16826) @lobkovilya
+* fix(config): check if domain starts with dot [#16278](https://github.com/kumahq/kuma/pull/16278) @lukidzi
+* fix(defaults): compute labels on default policies [#16637](https://github.com/kumahq/kuma/pull/16637) @Automaat
+* fix(dns): bind proxy to loopback [#16071](https://github.com/kumahq/kuma/pull/16071) @bartsmykla
+* fix(dp): make readiness reporter dual-stack [#16174](https://github.com/kumahq/kuma/pull/16174) @Automaat
+* fix(dp-server): bound shutdown, propagate appCtx [#16541](https://github.com/kumahq/kuma/pull/16541) @bartsmykla
+* fix(e2e): update envoyconfig golden files [#16781](https://github.com/kumahq/kuma/pull/16781) @lobkovilya
+* fix(gatewayapi): ensure statuses are deterministic [#15928](https://github.com/kumahq/kuma/pull/15928) @lahabana
+* fix(gatewayapi): per-listener AttachedRoutes [#15960](https://github.com/kumahq/kuma/pull/15960) @bartsmykla
+* fix(gatewayapi): reconcile gateways from class spec [#16624](https://github.com/kumahq/kuma/pull/16624) @Automaat
+* fix(grafana): fix DNS panel duplicate series error [#16492](https://github.com/kumahq/kuma/pull/16492) @Automaat
+* fix(grafana): fix success rate showing as red [#16540](https://github.com/kumahq/kuma/pull/16540) @Automaat
+* fix(grafana): success rate stat shows red when no errors [#16493](https://github.com/kumahq/kuma/pull/16493) @Automaat
+* fix(grafana): use correct response code metric name [#16498](https://github.com/kumahq/kuma/pull/16498) @Automaat
+* fix(hds): interval fallback checks wrong field [#15839](https://github.com/kumahq/kuma/pull/15839) @Automaat
+* fix(helm): allow to define annotation and disable ttl for prehook [#16084](https://github.com/kumahq/kuma/pull/16084) @lukidzi
+* fix(inspect): show MeshHTTPRoutes using MMZS when using _rules endpoint [#15646](https://github.com/kumahq/kuma/pull/15646) @lukidzi
+* fix(intercp): raise gRPC message size limits to match KDS [#16373](https://github.com/kumahq/kuma/pull/16373) @lukidzi
+* fix(k8s): preserve status on cache hit in cachingConverter [#15437](https://github.com/kumahq/kuma/pull/15437) @Automaat
+* fix(k8s): replace depracted mgr.GetEventRecorderFor() [#15506](https://github.com/kumahq/kuma/pull/15506) @lukidzi
+* fix(kds): default usedonly when fetching stats [#16711](https://github.com/kumahq/kuma/pull/16711) @Automaat
+* fix(kds): reconnect mux client when GlobalToZone stream is closed by … [#16326](https://github.com/kumahq/kuma/pull/16326) @lukidzi
+* fix(kds): resource not found on KDS init [#15758](https://github.com/kumahq/kuma/pull/15758) @lobkovilya
+* fix(kri): add KRI to overviews and OpenAPI items [#16925](https://github.com/kumahq/kuma/pull/16925) @Automaat
+* fix(kri): apply default zone and namespace in KRI strings [#15921](https://github.com/kumahq/kuma/pull/15921) @Automaat
+* fix(kri): match HashSuffixMapper hash [#16047](https://github.com/kumahq/kuma/pull/16047) @Automaat
+* fix(kri): revert defaults injection [#16046](https://github.com/kumahq/kuma/pull/16046) @Automaat
+* fix(kuma-cp): add events.k8s.io API group to RBAC [#15635](https://github.com/kumahq/kuma/pull/15635) @lukidzi
+* fix(kuma-cp): k8s EnableReloadableTokens defaulting [#16017](https://github.com/kumahq/kuma/pull/16017) @Automaat
+* fix(kuma-cp): use system trust when CA cert is not provided [#16777](https://github.com/kumahq/kuma/pull/16777) @lobkovilya
+* fix(kuma-dp): add logging for MeshMetric application scraping failures [#15513](https://github.com/kumahq/kuma/pull/15513) @Automaat
+* fix(kuma-dp): ship kuma-dp self metrics to OpenTelemetry backends [#16226](https://github.com/kumahq/kuma/pull/16226) @Automaat
+* fix(kuma-init): properly validate ip family condition [#16810](https://github.com/kumahq/kuma/pull/16810) @lukidzi
+* fix(lint): remove unused nolint gosec directives [#15862](https://github.com/kumahq/kuma/pull/15862) @Automaat
+* fix(matchers): match delegated gw dpps [#15791](https://github.com/kumahq/kuma/pull/15791) @bartsmykla
+* fix(mesh): reject listeners on gateway dataplanes [#16606](https://github.com/kumahq/kuma/pull/16606) @Automaat
+* fix(meshaccesslog): deduplicate access logs for shared inbound port [#16374](https://github.com/kumahq/kuma/pull/16374) @lukidzi
+* fix(meshaccesslog): skip dangling otel backendRef [#16106](https://github.com/kumahq/kuma/pull/16106) @bartsmykla
+* fix(meshaccesslog): validate otel keys [#16623](https://github.com/kumahq/kuma/pull/16623) @bartsmykla
+* fix(meshcircuitbreaker): set track remaining without policy match [#16757](https://github.com/kumahq/kuma/pull/16757) @slonka
+* fix(meshfaultinjection): deprecate spec.from field [#16102](https://github.com/kumahq/kuma/pull/16102) @Automaat
+* fix(meshhttproute): dedup duplicate routes on gateway virtual hosts [#16786](https://github.com/kumahq/kuma/pull/16786) @lukidzi
+* fix(meshhttproute): skip routes with unresolvable backends [#16324](https://github.com/kumahq/kuma/pull/16324) @lukidzi
+* fix(meshidentity): add a trailing slash to prefix matcher [#15438](https://github.com/kumahq/kuma/pull/15438) @lukidzi
+* fix(meshidentity): env-aware UsesWorkloadLabel [#16356](https://github.com/kumahq/kuma/pull/16356) @bartsmykla
+* fix(meshmetric): basic profile drops user metrics whose label values contain basicProfile substrings [#16612](https://github.com/kumahq/kuma/pull/16612) @Automaat
+* fix(meshpassthrough): validate wildcard DNS domain names properly [#16570](https://github.com/kumahq/kuma/pull/16570) @mail2sudheerobbu-oss
+* fix(meshroute): use kri sni for local meshservices [#16739](https://github.com/kumahq/kuma/pull/16739) @lobkovilya
+* fix(meshservice): don't remove synced services [#16940](https://github.com/kumahq/kuma/pull/16940) @lukidzi
+* fix(meshtrace): otel endpoint validation and IPv6 [#15682](https://github.com/kumahq/kuma/pull/15682) @bartsmykla
+* fix(meshtrace): simplify OTel HTTP code [#15625](https://github.com/kumahq/kuma/pull/15625) @bartsmykla
+* fix(plugins): dont panic on removed policy [#16215](https://github.com/kumahq/kuma/pull/16215) @lukidzi
+* fix(policies): allow empty 'to' override [#16212](https://github.com/kumahq/kuma/pull/16212) @Automaat
+* fix(policy): race condition when listener state is switched from `Ignored` to `Ready` [#16323](https://github.com/kumahq/kuma/pull/16323) @lobkovilya
+* fix(policy-gen): don't set mesh label on Global-scoped k8s resources [#16930](https://github.com/kumahq/kuma/pull/16930) @lobkovilya
+* fix(postgres): retry SafeToRetry errors on reads [#16210](https://github.com/kumahq/kuma/pull/16210) @Automaat
+* fix(security): prevent file inclusion attacks [#15500](https://github.com/kumahq/kuma/pull/15500) @bartsmykla
+* fix(sni): use old sni format and transport matches on mixed env [#16944](https://github.com/kumahq/kuma/pull/16944) @lukidzi
+* fix(store): reject non-positive page size and negative offset [#16358](https://github.com/kumahq/kuma/pull/16358) @lukidzi
+* fix(tokens): better error when valid_from is in the future [#16018](https://github.com/kumahq/kuma/pull/16018) @Automaat
+* fix(tracing): prevent span.End() panic during OTel shutdown [#15570](https://github.com/kumahq/kuma/pull/15570) @Automaat
+* fix(transparent-proxy): allow TCP DNS queries [#15401](https://github.com/kumahq/kuma/pull/15401) @bartsmykla
+* fix(transparent-proxy): remove redundant TCP DNS port matchers 
[#16138](https://github.com/kumahq/kuma/pull/16138) @sardarmscs +* fix(upgrade): fix UPGRADE.md 2.9.x MeshTiemout format [#16027](https://github.com/kumahq/kuma/pull/16027) @gforns +* fix(validation): improve messages for targetRef validation [#16104](https://github.com/kumahq/kuma/pull/16104) @lobkovilya +* fix(xds): add a feature flag to enable reuse ports [#16677](https://github.com/kumahq/kuma/pull/16677) @lukidzi +* fix(xds): allow delta xDS auth to tolerate omitted node [#16459](https://github.com/kumahq/kuma/pull/16459) @lukidzi +* fix(xds): configure google_grpc xds max_receive_message_length [#16775](https://github.com/kumahq/kuma/pull/16775) @lukidzi +* fix(xds): deduplicate filter in inbound:passthrough filter chain [#16080](https://github.com/kumahq/kuma/pull/16080) @lukidzi +* fix(xds): don't create empty filter chain for a gateway [#15532](https://github.com/kumahq/kuma/pull/15532) @lukidzi +* fix(xds): enable reuse_port on inbound:passthrough listener [#16605](https://github.com/kumahq/kuma/pull/16605) @lahabana +* fix(xds): pass namespace in reachable backends ref lookup [#16086](https://github.com/kumahq/kuma/pull/16086) @Automaat +* fix(xds): prevent panic on send to closed channel during stream closure [#15511](https://github.com/kumahq/kuma/pull/15511) @Automaat +* fix(xds): reduce xds config size from 16mb to 4mb [#16906](https://github.com/kumahq/kuma/pull/16906) @lukidzi +* fix(xds): set listener stat_prefix [#15623](https://github.com/kumahq/kuma/pull/15623) @bartsmykla +* fix(xds): set unknown cluster name when no MS available [#16760](https://github.com/kumahq/kuma/pull/16760) @lukidzi +* fix(xds): skip SNI when BackendRef port not found [#16213](https://github.com/kumahq/kuma/pull/16213) @Automaat +* fix(xds): support wildcard cert for CP cert [#16053](https://github.com/kumahq/kuma/pull/16053) @lahabana +* fix(xds): use listener name as vhost fallback when kuma.io/service absent [#15997](https://github.com/kumahq/kuma/pull/15997) 
@Automaat +* fix(zoneingress): no public address causes DPP reconciliation failure [#15926](https://github.com/kumahq/kuma/pull/15926) @lobkovilya +* perf(gateway): drop redundant exact match for root path prefix [#16782](https://github.com/kumahq/kuma/pull/16782) @lahabana +* perf(k8s): cache labels + spec per resourceVersion [#16200](https://github.com/kumahq/kuma/pull/16200) @Automaat +* perf(meshmetric): precompile include/exclude selectors [#16611](https://github.com/kumahq/kuma/pull/16611) @Automaat +* perf(meshmetric): reduce per-scrape allocations on the merge and newline-dedup paths [#16613](https://github.com/kumahq/kuma/pull/16613) @Automaat +* perf(xds): skip redundant OTel status cache writes [#16198](https://github.com/kumahq/kuma/pull/16198) @bartsmykla +* refactor(kds): replace util.ZoneTag with core_model.ZoneOfResource [#16169](https://github.com/kumahq/kuma/pull/16169) @Automaat +* test(compatibility): compute versions from versions.yml [#16171](https://github.com/kumahq/kuma/pull/16171) @Automaat +* test(meshservice): universal e2e for label propagation [#16573](https://github.com/kumahq/kuma/pull/16573) @Automaat + + ## 2.13.8 > Released on 2026/06/05 diff --git a/app/assets/mesh/raw/UPGRADE.md b/app/assets/mesh/raw/UPGRADE.md index 945d82ec27..9104e0f136 100644 --- a/app/assets/mesh/raw/UPGRADE.md +++ b/app/assets/mesh/raw/UPGRADE.md 
@@ -77,7 +77,13 @@ The data plane now advertises the `feature-reuse-port` capability to the control **Action required:** -None for most users. If your environment has known issues with `SO_REUSEPORT` (e.g. certain Linux kernel versions or network configurations), disable the feature before upgrading using the instructions below. +If your environment has known issues with `SO_REUSEPORT` (e.g. certain Linux kernel versions or network configurations), disable the feature before upgrading using the instructions below. + +In a rolling CP upgrade, **disable reuse port for ZoneIngress/ZoneEgress before upgrading**. + +During the upgrade, a ZoneIngress/ZoneEgress can first receive `enable_reuse_port: false` from an old CP, +then `enable_reuse_port: true` from a new CP. +Envoy cannot change this setting on a live listener, so it NACKs the update and keeps serving the stale listener. **Kubernetes — injected sidecars**