Added chart versions:

btp/chronicle:
    - 0.1.27
  kuma/kuma:
    - 2.8.4
  speedscale/speedscale-operator:
    - 2.2.509
pull/1071/head
github-actions[bot] 2024-10-08 00:37:07 +00:00
parent 1ce16f5243
commit 5a5c1d3ab4
103 changed files with 15085 additions and 1 deletions

assets/kuma/kuma-2.8.4.tgz Normal file


@ -0,0 +1 @@
# Charts to ignore from helm-docs


@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/


@ -0,0 +1,26 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Kuma
catalog.cattle.io/namespace: kuma-system
catalog.cattle.io/release-name: kuma
apiVersion: v2
appVersion: 2.8.4
description: A Helm chart for the Kuma Control Plane
home: https://github.com/kumahq/kuma
icon: file://assets/icons/kuma.svg
keywords:
- service mesh
- control plane
maintainers:
- email: jakub.dyszkiewicz@konghq.com
name: Jakub Dyszkiewicz
url: https://github.com/jakubdyszkiewicz
- email: charly.molter@konghq.com
name: Charly Molter
url: https://github.com/lahabana
- email: michael.beaumont@konghq.com
name: Mike Beaumont
url: https://github.com/michaelbeaumont
name: kuma
type: application
version: 2.8.4


@ -0,0 +1,256 @@
[![][kuma-logo]][kuma-url]
A Helm chart for the Kuma Control Plane
![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![Version: 2.8.4](https://img.shields.io/badge/Version-2.8.4-informational?style=flat-square) ![AppVersion: 2.8.4](https://img.shields.io/badge/AppVersion-2.8.4-informational?style=flat-square)
**Homepage:** <https://github.com/kumahq/kuma>
## Values
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| global.image.registry | string | `"docker.io/kumahq"` | Default registry for all Kuma Images |
| global.image.tag | string | `nil` | The default tag for all Kuma images, which itself defaults to .Chart.AppVersion |
| global.imagePullSecrets | list | `[]` | Add `imagePullSecrets` to all the service accounts used for Kuma components |
| patchSystemNamespace | bool | `true` | Whether to patch the target namespace with the system label |
| installCrdsOnUpgrade.enabled | bool | `true` | Whether install new CRDs before upgrade (if any were introduced with the new version of Kuma) |
| installCrdsOnUpgrade.imagePullSecrets | list | `[]` | The `imagePullSecrets` to attach to the Service Account running CRD installation. This field will be deprecated in a future release, please use .global.imagePullSecrets |
| noHelmHooks | bool | `false` | Whether to disable all helm hooks |
| restartOnSecretChange | bool | `true` | Whether to restart control-plane by calculating a new checksum for the secret |
| controlPlane.environment | string | `"kubernetes"` | Environment that control plane is run in, useful when running universal global control plane on k8s |
| controlPlane.extraLabels | object | `{}` | Labels to add to resources in addition to default labels |
| controlPlane.logLevel | string | `"info"` | Kuma CP log level: one of off,info,debug |
| controlPlane.logOutputPath | string | `""` | Kuma CP log output path: Defaults to /dev/stdout |
| controlPlane.mode | string | `"zone"` | Kuma CP modes: one of zone,global |
| controlPlane.zone | string | `nil` | Kuma CP zone, if running multizone |
| controlPlane.kdsGlobalAddress | string | `""` | Only used in `zone` mode |
| controlPlane.replicas | int | `1` | Number of replicas of the Kuma CP. Ignored when autoscaling is enabled |
| controlPlane.minReadySeconds | int | `0` | Minimum number of seconds for which a newly created pod should be ready for it to be considered available. |
| controlPlane.deploymentAnnotations | object | `{}` | Annotations applied only to the `Deployment` resource |
| controlPlane.podAnnotations | object | `{}` | Annotations applied only to the `Pod` resource |
| controlPlane.autoscaling.enabled | bool | `false` | Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster |
| controlPlane.autoscaling.minReplicas | int | `2` | The minimum CP pods to allow |
| controlPlane.autoscaling.maxReplicas | int | `5` | The max CP pods to scale to |
| controlPlane.autoscaling.targetCPUUtilizationPercentage | int | `80` | For clusters that don't support autoscaling/v2, autoscaling/v1 is used |
| controlPlane.autoscaling.metrics | list | `[{"resource":{"name":"cpu","target":{"averageUtilization":80,"type":"Utilization"}},"type":"Resource"}]` | For clusters that do support autoscaling/v2, use metrics |
| controlPlane.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for the Kuma Control Plane pods |
| controlPlane.tolerations | list | `[]` | Tolerations for the Kuma Control Plane pods |
| controlPlane.podDisruptionBudget.enabled | bool | `false` | Whether to create a pod disruption budget |
| controlPlane.podDisruptionBudget.maxUnavailable | int | `1` | The maximum number of unavailable pods allowed by the budget |
| controlPlane.affinity | object | `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["{{ include \"kuma.name\" . }}"]},{"key":"app.kubernetes.io/instance","operator":"In","values":["{{ .Release.Name }}"]},{"key":"app","operator":"In","values":["{{ include \"kuma.name\" . }}-control-plane"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100}]}}` | Affinity placement rule for the Kuma Control Plane pods. This is rendered as a template, so you can reference other helm variables or includes. |
| controlPlane.topologySpreadConstraints | string | `nil` | Topology spread constraints rule for the Kuma Control Plane pods. This is rendered as a template, so you can use variables to generate match labels. |
| controlPlane.injectorFailurePolicy | string | `"Fail"` | Failure policy of the mutating webhook implemented by the Kuma Injector component |
| controlPlane.service.apiServer.http.nodePort | int | `30681` | Port on which Http api server Service is exposed on Node for service of type NodePort |
| controlPlane.service.apiServer.https.nodePort | int | `30682` | Port on which Https api server Service is exposed on Node for service of type NodePort |
| controlPlane.service.enabled | bool | `true` | Whether to create a service resource. |
| controlPlane.service.name | string | `nil` | Optionally override of the Kuma Control Plane Service's name |
| controlPlane.service.type | string | `"ClusterIP"` | Service type of the Kuma Control Plane |
| controlPlane.service.annotations | object | `{"prometheus.io/port":"5680","prometheus.io/scrape":"true"}` | Annotations to put on the Kuma Control Plane |
| controlPlane.ingress.enabled | bool | `false` | Install K8s Ingress resource that exposes GUI and API |
| controlPlane.ingress.ingressClassName | string | `nil` | IngressClass defines which controller will implement the resource |
| controlPlane.ingress.hostname | string | `nil` | Ingress hostname |
| controlPlane.ingress.annotations | object | `{}` | Map of ingress annotations. |
| controlPlane.ingress.path | string | `"/"` | Ingress path. |
| controlPlane.ingress.pathType | string | `"ImplementationSpecific"` | Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) |
| controlPlane.ingress.servicePort | int | `5681` | Port from kuma-cp to use to expose API and GUI. Switch to 5682 to expose TLS port |
| controlPlane.globalZoneSyncService.enabled | bool | `true` | Whether to create a k8s service for the global zone sync service. It will only be created when enabled and deploying the global control plane. |
| controlPlane.globalZoneSyncService.type | string | `"LoadBalancer"` | Service type of the Global-zone sync |
| controlPlane.globalZoneSyncService.loadBalancerIP | string | `nil` | Optionally specify IP to be used by cloud provider when configuring load balancer |
| controlPlane.globalZoneSyncService.loadBalancerSourceRanges | list | `[]` | Optionally specify allowed source ranges that can access the load balancer |
| controlPlane.globalZoneSyncService.annotations | object | `{}` | Additional annotations to put on the Global Zone Sync Service |
| controlPlane.globalZoneSyncService.nodePort | int | `30685` | Port on which Global Zone Sync Service is exposed on Node for service of type NodePort |
| controlPlane.globalZoneSyncService.port | int | `5685` | Port on which Global Zone Sync Service is exposed |
| controlPlane.globalZoneSyncService.protocol | string | `"grpc"` | Protocol of the Global Zone Sync service port |
| controlPlane.defaults.skipMeshCreation | bool | `false` | Whether to skip creating the default Mesh |
| controlPlane.automountServiceAccountToken | bool | `true` | Whether to automountServiceAccountToken for cp. Optionally set to false |
| controlPlane.resources | object | `{"limits":{"memory":"256Mi"},"requests":{"cpu":"500m","memory":"256Mi"}}` | Optionally override the resource spec |
| controlPlane.lifecycle | object | `{}` | Pod lifecycle settings (useful for adding a preStop hook, when using AWS ALB or NLB) |
| controlPlane.terminationGracePeriodSeconds | int | `30` | Number of seconds to wait before force killing the pod. Make sure to update this if you add a preStop hook. |
| controlPlane.tls.general.secretName | string | `""` | Secret that contains tls.crt, tls.key [and ca.crt when no controlPlane.tls.general.caSecretName specified] for protecting Kuma in-cluster communication |
| controlPlane.tls.general.caSecretName | string | `""` | Secret that contains ca.crt that was used to sign cert for protecting Kuma in-cluster communication (ca.crt present in this secret have precedence over the one provided in the controlPlane.tls.general.secretName) |
| controlPlane.tls.general.caBundle | string | `""` | Base64 encoded CA certificate (the same as in controlPlane.tls.general.secret#ca.crt) |
| controlPlane.tls.apiServer.secretName | string | `""` | Secret that contains tls.crt, tls.key for protecting Kuma API on HTTPS |
| controlPlane.tls.apiServer.clientCertsSecretName | string | `""` | Secret that contains list of .pem certificates that can access admin endpoints of Kuma API on HTTPS |
| controlPlane.tls.kdsGlobalServer.secretName | string | `""` | Name of the K8s TLS Secret resource. If you set this and don't set create=true, you have to create the secret manually. |
| controlPlane.tls.kdsGlobalServer.create | bool | `false` | Whether to create the TLS secret in helm. |
| controlPlane.tls.kdsGlobalServer.cert | string | `""` | The TLS certificate to offer. |
| controlPlane.tls.kdsGlobalServer.key | string | `""` | The TLS key to use. |
| controlPlane.tls.kdsZoneClient.secretName | string | `""` | Name of the K8s Secret resource that contains ca.crt which was used to sign the certificate of KDS Global Server. If you set this and don't set create=true, you have to create the secret manually. |
| controlPlane.tls.kdsZoneClient.create | bool | `false` | Whether to create the TLS secret in helm. |
| controlPlane.tls.kdsZoneClient.cert | string | `""` | CA bundle that was used to sign the certificate of KDS Global Server. |
| controlPlane.tls.kdsZoneClient.skipVerify | bool | `false` | If true, TLS cert of the server is not verified. |
| controlPlane.serviceAccountAnnotations | object | `{}` | Annotations to add for Control Plane's Service Account |
| controlPlane.image.pullPolicy | string | `"IfNotPresent"` | Kuma CP ImagePullPolicy |
| controlPlane.image.repository | string | `"kuma-cp"` | Kuma CP image repository |
| controlPlane.image.tag | string | `nil` | Kuma CP Image tag. When not specified, the value is copied from global.tag |
| controlPlane.secrets | object with { Env: string, Secret: string, Key: string } | `nil` | Secrets to add as environment variables, where `Env` is the name of the env variable, `Secret` is the name of the Secret, and `Key` is the key of the Secret value to use |
| controlPlane.envVars | object | `{}` | Additional environment variables that will be passed to the control plane |
| controlPlane.extraConfigMaps | list | `[]` | Additional config maps to mount into the control plane, with optional inline values |
| controlPlane.extraSecrets | object with { name: string, mountPath: string, readOnly: string } | `nil` | Additional secrets to mount into the control plane, where `Env` is the name of the env variable, `Secret` is the name of the Secret, and `Key` is the key of the Secret value to use |
| controlPlane.webhooks.validator.additionalRules | string | `""` | Additional rules to apply on Kuma validator webhook. Useful when building custom policy on top of Kuma. |
| controlPlane.webhooks.ownerReference.additionalRules | string | `""` | Additional rules to apply on Kuma owner reference webhook. Useful when building custom policy on top of Kuma. |
| controlPlane.hostNetwork | bool | `false` | Specifies if the deployment should be started in hostNetwork mode. |
| controlPlane.admissionServerPort | int | `5443` | Define a new server port for the admission controller. Recommended to set in combination with hostNetwork to prevent multiple port bindings on the same port (like Calico in AWS EKS). |
| controlPlane.podSecurityContext | object | `{"runAsNonRoot":true}` | Security context at the pod level for control plane. |
| controlPlane.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for control plane. |
| controlPlane.supportGatewaySecretsInAllNamespaces | bool | `false` | If true, then control plane can support TLS secrets for builtin gateway outside of mesh system namespace. The downside is that control plane requires permission to read Secrets in all namespaces. |
| cni.enabled | bool | `false` | Install Kuma with CNI instead of proxy init container |
| cni.chained | bool | `false` | Install CNI in chained mode |
| cni.netDir | string | `"/etc/cni/multus/net.d"` | Set the CNI install directory |
| cni.binDir | string | `"/var/lib/cni/bin"` | Set the CNI bin directory |
| cni.confName | string | `"kuma-cni.conf"` | Set the CNI configuration name |
| cni.logLevel | string | `"info"` | CNI log level: one of off,info,debug |
| cni.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node Selector for the CNI pods |
| cni.tolerations | list | `[]` | Tolerations for the CNI pods |
| cni.podAnnotations | object | `{}` | Additional pod annotations |
| cni.namespace | string | `"kube-system"` | Set the CNI namespace |
| cni.image.repository | string | `"kuma-cni"` | CNI image repository |
| cni.image.tag | string | `nil` | CNI image tag - defaults to .Chart.AppVersion |
| cni.image.imagePullPolicy | string | `"IfNotPresent"` | CNI image pull policy |
| cni.delayStartupSeconds | int | `0` | it's only useful in tests to trigger a possible race condition |
| cni.experimental | object | `{"imageEbpf":{"registry":"docker.io/kumahq","repository":"merbridge","tag":"0.8.5"}}` | use new CNI (experimental) |
| cni.experimental.imageEbpf.registry | string | `"docker.io/kumahq"` | CNI experimental eBPF image registry |
| cni.experimental.imageEbpf.repository | string | `"merbridge"` | CNI experimental eBPF image repository |
| cni.experimental.imageEbpf.tag | string | `"0.8.5"` | CNI experimental eBPF image tag |
| cni.resources.requests.cpu | string | `"100m"` | |
| cni.resources.requests.memory | string | `"100Mi"` | |
| cni.resources.limits.memory | string | `"100Mi"` | |
| cni.podSecurityContext | object | `{}` | Security context at the pod level for cni |
| cni.containerSecurityContext | object | `{"readOnlyRootFilesystem":true,"runAsGroup":0,"runAsNonRoot":false,"runAsUser":0}` | Security context at the container level for cni |
| dataPlane.dnsLogging | bool | `false` | If true, then turn on CoreDNS query logging |
| dataPlane.image.repository | string | `"kuma-dp"` | The Kuma DP image repository |
| dataPlane.image.pullPolicy | string | `"IfNotPresent"` | Kuma DP ImagePullPolicy |
| dataPlane.image.tag | string | `nil` | Kuma DP Image Tag. When not specified, the value is copied from global.tag |
| dataPlane.initImage.repository | string | `"kuma-init"` | The Kuma DP init image repository |
| dataPlane.initImage.tag | string | `nil` | Kuma DP init image tag When not specified, the value is copied from global.tag |
| ingress.enabled | bool | `false` | If true, it deploys Ingress for cross cluster communication |
| ingress.extraLabels | object | `{}` | Labels to add to resources, in addition to default labels |
| ingress.drainTime | string | `"30s"` | Time for which old listener will still be active as draining |
| ingress.replicas | int | `1` | Number of replicas of the Ingress. Ignored when autoscaling is enabled. |
| ingress.logLevel | string | `"info"` | Log level for ingress (available values: off|info|debug) |
| ingress.resources | object | `{"limits":{"cpu":"1000m","memory":"512Mi"},"requests":{"cpu":"50m","memory":"64Mi"}}` | Define the resources to allocate to mesh ingress |
| ingress.lifecycle | object | `{}` | Pod lifecycle settings (useful for adding a preStop hook, when using AWS ALB or NLB) |
| ingress.terminationGracePeriodSeconds | int | `40` | Number of seconds to wait before force killing the pod. Make sure to update this if you add a preStop hook. |
| ingress.autoscaling.enabled | bool | `false` | Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster |
| ingress.autoscaling.minReplicas | int | `2` | The minimum CP pods to allow |
| ingress.autoscaling.maxReplicas | int | `5` | The max CP pods to scale to |
| ingress.autoscaling.targetCPUUtilizationPercentage | int | `80` | For clusters that don't support autoscaling/v2, autoscaling/v1 is used |
| ingress.autoscaling.metrics | list | `[{"resource":{"name":"cpu","target":{"averageUtilization":80,"type":"Utilization"}},"type":"Resource"}]` | For clusters that do support autoscaling/v2, use metrics |
| ingress.service.enabled | bool | `true` | Whether to create a Service resource. |
| ingress.service.type | string | `"LoadBalancer"` | Service type of the Ingress |
| ingress.service.loadBalancerIP | string | `nil` | Optionally specify IP to be used by cloud provider when configuring load balancer |
| ingress.service.annotations | object | `{}` | Additional annotations to put on the Ingress service |
| ingress.service.port | int | `10001` | Port on which Ingress is exposed |
| ingress.service.nodePort | string | `nil` | Port on which service is exposed on Node for service of type NodePort |
| ingress.annotations | object | `{}` | Additional pod annotations (deprecated favor `podAnnotations`) |
| ingress.podAnnotations | object | `{}` | Additional pod annotations |
| ingress.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node Selector for the Ingress pods |
| ingress.tolerations | list | `[]` | Tolerations for the Ingress pods |
| ingress.podDisruptionBudget.enabled | bool | `false` | Whether to create a pod disruption budget |
| ingress.podDisruptionBudget.maxUnavailable | int | `1` | The maximum number of unavailable pods allowed by the budget |
| ingress.affinity | object | `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["{{ include \"kuma.name\" . }}"]},{"key":"app.kubernetes.io/instance","operator":"In","values":["{{ .Release.Name }}"]},{"key":"app","operator":"In","values":["kuma-ingress"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100}]}}` | Affinity placement rule for the Kuma Ingress pods This is rendered as a template, so you can reference other helm variables or includes. |
| ingress.topologySpreadConstraints | string | `nil` | Topology spread constraints rule for the Kuma Mesh Ingress pods. This is rendered as a template, so you can use variables to generate match labels. |
| ingress.podSecurityContext | object | `{"runAsGroup":5678,"runAsNonRoot":true,"runAsUser":5678}` | Security context at the pod level for ingress |
| ingress.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for ingress |
| ingress.serviceAccountAnnotations | object | `{}` | Annotations to add for Control Plane's Service Account |
| ingress.automountServiceAccountToken | bool | `true` | Whether to automountServiceAccountToken for cp. Optionally set to false |
| egress.enabled | bool | `false` | If true, it deploys Egress for cross cluster communication |
| egress.extraLabels | object | `{}` | Labels to add to resources, in addition to the default labels. |
| egress.drainTime | string | `"30s"` | Time for which old listener will still be active as draining |
| egress.replicas | int | `1` | Number of replicas of the Egress. Ignored when autoscaling is enabled. |
| egress.logLevel | string | `"info"` | Log level for egress (available values: off|info|debug) |
| egress.autoscaling.enabled | bool | `false` | Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster |
| egress.autoscaling.minReplicas | int | `2` | The minimum CP pods to allow |
| egress.autoscaling.maxReplicas | int | `5` | The max CP pods to scale to |
| egress.autoscaling.targetCPUUtilizationPercentage | int | `80` | For clusters that don't support autoscaling/v2, autoscaling/v1 is used |
| egress.autoscaling.metrics | list | `[{"resource":{"name":"cpu","target":{"averageUtilization":80,"type":"Utilization"}},"type":"Resource"}]` | For clusters that do support autoscaling/v2, use metrics |
| egress.resources.requests.cpu | string | `"50m"` | |
| egress.resources.requests.memory | string | `"64Mi"` | |
| egress.resources.limits.cpu | string | `"1000m"` | |
| egress.resources.limits.memory | string | `"512Mi"` | |
| egress.service.enabled | bool | `true` | Whether to create the service object |
| egress.service.type | string | `"ClusterIP"` | Service type of the Egress |
| egress.service.loadBalancerIP | string | `nil` | Optionally specify IP to be used by cloud provider when configuring load balancer |
| egress.service.annotations | object | `{}` | Additional annotations to put on the Egress service |
| egress.service.port | int | `10002` | Port on which Egress is exposed |
| egress.service.nodePort | string | `nil` | Port on which service is exposed on Node for service of type NodePort |
| egress.annotations | object | `{}` | Additional pod annotations (deprecated favor `podAnnotations`) |
| egress.podAnnotations | object | `{}` | Additional pod annotations |
| egress.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node Selector for the Egress pods |
| egress.tolerations | list | `[]` | Tolerations for the Egress pods |
| egress.podDisruptionBudget.enabled | bool | `false` | Whether to create a pod disruption budget |
| egress.podDisruptionBudget.maxUnavailable | int | `1` | The maximum number of unavailable pods allowed by the budget |
| egress.affinity | object | `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["{{ include \"kuma.name\" . }}"]},{"key":"app.kubernetes.io/instance","operator":"In","values":["{{ .Release.Name }}"]},{"key":"app","operator":"In","values":["kuma-egress"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":100}]}}` | Affinity placement rule for the Kuma Egress pods. This is rendered as a template, so you can reference other helm variables or includes. |
| egress.topologySpreadConstraints | string | `nil` | Topology spread constraints rule for the Kuma Egress pods. This is rendered as a template, so you can use variables to generate match labels. |
| egress.podSecurityContext | object | `{"runAsGroup":5678,"runAsNonRoot":true,"runAsUser":5678}` | Security context at the pod level for egress |
| egress.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for egress |
| egress.serviceAccountAnnotations | object | `{}` | Annotations to add for Control Plane's Service Account |
| egress.automountServiceAccountToken | bool | `true` | Whether to automountServiceAccountToken for cp. Optionally set to false |
| kumactl.image.repository | string | `"kumactl"` | The kumactl image repository |
| kumactl.image.tag | string | `nil` | The kumactl image tag. When not specified, the value is copied from global.tag |
| kubectl.image.registry | string | `"docker.io"` | The kubectl image registry |
| kubectl.image.repository | string | `"bitnami/kubectl"` | The kubectl image repository |
| kubectl.image.tag | string | `"1.27.5"` | The kubectl image tag |
| hooks.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node selector for the HELM hooks |
| hooks.tolerations | list | `[]` | Tolerations for the HELM hooks |
| hooks.podSecurityContext | object | `{"runAsNonRoot":true}` | Security context at the pod level for crd/webhook/ns |
| hooks.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for crd/webhook/ns |
| hooks.ebpfCleanup | object | `{"containerSecurityContext":{"readOnlyRootFilesystem":false},"podSecurityContext":{"runAsNonRoot":false}}` | ebpf-cleanup hook needs write access to the root filesystem to clean ebpf programs Changing below values will potentially break ebpf cleanup completely, so be cautious when doing so. |
| hooks.ebpfCleanup.podSecurityContext | object | `{"runAsNonRoot":false}` | Security context at the pod level for crd/webhook/cleanup-ebpf |
| hooks.ebpfCleanup.containerSecurityContext | object | `{"readOnlyRootFilesystem":false}` | Security context at the container level for crd/webhook/cleanup-ebpf |
| experimental.ebpf.enabled | bool | `false` | If true, ebpf will be used instead of using iptables to install/configure transparent proxy |
| experimental.ebpf.instanceIPEnvVarName | string | `"INSTANCE_IP"` | Name of the environmental variable which will contain the IP address of a pod |
| experimental.ebpf.bpffsPath | string | `"/sys/fs/bpf"` | Path where BPF file system should be mounted |
| experimental.ebpf.cgroupPath | string | `"/sys/fs/cgroup"` | Host's cgroup2 path |
| experimental.ebpf.tcAttachIface | string | `""` | Name of the network interface which TC programs should be attached to, we'll try to automatically determine it if empty |
| experimental.ebpf.programsSourcePath | string | `"/tmp/kuma-ebpf"` | Path where compiled eBPF programs which will be installed can be found |
| experimental.deltaKds | bool | `true` | If false, it uses legacy API for resource synchronization |
| experimental.sidecarContainers | bool | `false` | If true, enable native Kubernetes sidecars. This requires at least Kubernetes v1.29 |
| postgres.port | string | `"5432"` | Postgres port, password should be provided as a secret reference in "controlPlane.secrets" with the Env value "KUMA_STORE_POSTGRES_PASSWORD". Example: controlPlane: secrets: - Secret: postgres-postgresql Key: postgresql-password Env: KUMA_STORE_POSTGRES_PASSWORD |
| postgres.tls.mode | string | `"disable"` | Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull" |
| postgres.tls.disableSSLSNI | bool | `false` | Whether to disable SNI the postgres `sslsni` option. |
| postgres.tls.caSecretName | string | `nil` | Secret name that contains the ca.crt |
| postgres.tls.secretName | string | `nil` | Secret name that contains the client tls.crt, tls.key |
## Custom Resource Definitions
All Kuma CRDs are loaded via the [`crds`](crds) directory. For more detailed information on CRDs and Helm,
please refer to [the Helm documentation][helm-crd].
## Deleting
As part of [Helm's limitations][helm-crd-limitations], CRDs will not be deleted when the `kuma` chart is deleted and
must be deleted manually. When a CRD is deleted Kubernetes deletes all resources of that kind as well, so this should
be done carefully.
To do this with `kubectl` on *nix platforms, run:
```shell
kubectl get crds | grep kuma.io | tr -s " " | cut -d " " -f1 | xargs kubectl delete crd
# or with jq
kubectl get crds -o json | jq '.items[].metadata.name | select(.|test(".*kuma\\.io"))' | xargs kubectl delete crd
```
## Autoscaling
In production, it is advisable to enable Control Plane autoscaling for High Availability. Autoscaling uses the
`HorizontalPodAutoscaler` resource to add redundancy and scale the CP pods based on CPU utilization, which requires
the [k8s metrics-server][kube-metrics-server] to be running on the cluster.
## Development
The charts are used internally in `kumactl install`, therefore the following rules apply when developing new chat features:
* all templates that start with `pre-` and `post-` are omitted when processing in `kumactl install`
### Installing Metrics Server for Autoscaling
If running on kind, or on a cluster with a similarly self-signed cert, the metrics server must be configured to allow
insecure kubelet TLS. The make task `kind/deploy/metrics-server` installs this patched version of the server.
[kuma-url]: https://kuma.io/
[kuma-logo]: https://kuma-public-assets.s3.amazonaws.com/kuma-logo-v2.png
[helm-crd]: https://helm.sh/docs/chart_best_practices/custom_resource_definitions/
[helm-crd-limitations]: https://helm.sh/docs/topics/charts/#limitations-on-crds
[kube-metrics-server]: https://github.com/kubernetes-sigs/metrics-server


@ -0,0 +1,52 @@
[![][kuma-logo]][kuma-url]
{{ template "chart.description" . }}
{{ template "chart.typeBadge" . }}{{ template "chart.versionBadge" . }}{{ template "chart.appVersionBadge" . }}
{{ template "chart.homepageLine" . }}
{{ template "chart.valuesSection" . }}
## Custom Resource Definitions
All Kuma CRDs are loaded via the [`crds`](crds) directory. For more detailed information on CRDs and Helm,
please refer to [the Helm documentation][helm-crd].
## Deleting
As part of [Helm's limitations][helm-crd-limitations], CRDs will not be deleted when the `kuma` chart is deleted and
must be deleted manually. When a CRD is deleted Kubernetes deletes all resources of that kind as well, so this should
be done carefully.
To do this with `kubectl` on *nix platforms, run:
```shell
kubectl get crds | grep kuma.io | tr -s " " | cut -d " " -f1 | xargs kubectl delete crd
# or with jq
kubectl get crds -o json | jq '.items[].metadata.name | select(.|test(".*kuma\\.io"))' | xargs kubectl delete crd
```
## Autoscaling
In production, it is advisable to enable Control Plane autoscaling for High Availability. Autoscaling uses the
`HorizontalPodAutoscaler` resource to add redundancy and scale the CP pods based on CPU utilization, which requires
the [k8s metrics-server][kube-metrics-server] to be running on the cluster.
## Development
The charts are used internally in `kumactl install`, therefore the following rules apply when developing new chat features:
* all templates that start with `pre-` and `post-` are omitted when processing in `kumactl install`
### Installing Metrics Server for Autoscaling
If running on kind, or on a cluster with a similarly self-signed cert, the metrics server must be configured to allow
insecure kubelet TLS. The make task `kind/deploy/metrics-server` installs this patched version of the server.
[kuma-url]: https://kuma.io/
[kuma-logo]: https://kuma-public-assets.s3.amazonaws.com/kuma-logo-v2.png
[helm-crd]: https://helm.sh/docs/chart_best_practices/custom_resource_definitions/
[helm-crd-limitations]: https://helm.sh/docs/topics/charts/#limitations-on-crds
[kube-metrics-server]: https://github.com/kubernetes-sigs/metrics-server


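--- /dev/null
+++ b/[path not on page: crd circuitbreakers.kuma.io]
@@ -0,0 +1,50 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: circuitbreakers.kuma.io
+spec:
+  group: kuma.io
+  names:
+    categories:
+    - kuma
+    kind: CircuitBreaker
+    listKind: CircuitBreakerList
+    plural: circuitbreakers
+    singular: circuitbreaker
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          mesh:
+            description: |-
+              Mesh is the name of the Kuma mesh this resource belongs to.
+              It may be omitted for cluster-scoped resources.
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the specification of the Kuma CircuitBreaker resource.
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true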
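Review bot: The `spec` property at the end of this hunk is declared only as `x-kubernetes-preserve-unknown-fields: true` with no `properties`, so the API server persists any `spec` content for a CircuitBreaker without structural validation; the same shape is used for `spec` in the Dataplane, ExternalService, FaultInjection and HealthCheck sections and for `status` in the DataplaneInsight section. Presumably these legacy resources are validated by the control plane's admission webhook rather than by the CRD schema — confirm; if so, anyone reviewing RBAC on these kinds or the webhook's `failurePolicy` needs to know that CRD-level validation is absent. Since this file is controller-gen output (see the annotation at the top), the wording belongs in the upstream Go type comment, e.g. `Spec is the specification of the Kuma CircuitBreaker resource. It is not validated by this schema; the control plane validates it on admission.`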


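--- /dev/null
+++ b/[path not on page: crd containerpatches.kuma.io]
@@ -0,0 +1,114 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: containerpatches.kuma.io
+spec:
+  group: kuma.io
+  names:
+    categories:
+    - kuma
+    kind: ContainerPatch
+    listKind: ContainerPatchList
+    plural: containerpatches
+    singular: containerpatch
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: ContainerPatch stores a list of patches to apply to init and
+          sidecar containers.
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          mesh:
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ContainerPatchSpec specifies the options available for a
+              ContainerPatch
+            properties:
+              initPatch:
+                description: InitPatch specifies jsonpatch to apply to an init container.
+                items:
+                  description: JsonPatchBlock is one json patch operation block.
+                  properties:
+                    from:
+                      description: From is a jsonpatch from string, used by move and
+                        copy operations.
+                      type: string
+                    op:
+                      description: Op is a jsonpatch operation string.
+                      enum:
+                      - add
+                      - remove
+                      - replace
+                      - move
+                      - copy
+                      type: string
+                    path:
+                      description: Path is a jsonpatch path string.
+                      type: string
+                    value:
+                      description: |-
+                        Value must be a string representing a valid json object used
+                        by replace and add operations. String has to be escaped with " to be valid a json object.
+                      type: string
+                  required:
+                  - op
+                  - path
+                  type: object
+                type: array
+              sidecarPatch:
+                description: SidecarPatch specifies jsonpatch to apply to a sidecar
+                  container.
+                items:
+                  description: JsonPatchBlock is one json patch operation block.
+                  properties:
+                    from:
+                      description: From is a jsonpatch from string, used by move and
+                        copy operations.
+                      type: string
+                    op:
+                      description: Op is a jsonpatch operation string.
+                      enum:
+                      - add
+                      - remove
+                      - replace
+                      - move
+                      - copy
+                      type: string
+                    path:
+                      description: Path is a jsonpatch path string.
+                      type: string
+                    value:
+                      description: |-
+                        Value must be a string representing a valid json object used
+                        by replace and add operations. String has to be escaped with " to be valid a json object.
+                      type: string
+                  required:
+                  - op
+                  - path
+                  type: object
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true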
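Review bot: The `initPatch` and `sidecarPatch` items accept any JSON-patch `path` and free-form string `value` against the injected init and sidecar containers, so the schema cannot prevent a patch from rewriting fields such as the container image or security context, and the `ContainerPatchSpec` description says nothing about that. From a least-privilege standpoint, `create`/`update` rights on `containerpatches.kuma.io` in a namespace are equivalent to pod-spec mutation rights for the pods injected there, and the resource description is the place to make this explicit. Since this file is controller-gen output (see the annotation at the top), the wording belongs in the upstream Go type comment, e.g. `ContainerPatchSpec specifies the options available for a ContainerPatch. Patches can alter any field of the injected containers, so grant rights on this resource as you would pod-spec mutation.` Whether the two arrays should also carry `maxItems` bounds is a product question, but it is worth noting that none exist.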


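--- /dev/null
+++ b/[path not on page: crd dataplaneinsights.kuma.io]
@@ -0,0 +1,50 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: dataplaneinsights.kuma.io
+spec:
+  group: kuma.io
+  names:
+    categories:
+    - kuma
+    kind: DataplaneInsight
+    listKind: DataplaneInsightList
+    plural: dataplaneinsights
+    singular: dataplaneinsight
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          mesh:
+            description: |-
+              Mesh is the name of the Kuma mesh this resource belongs to.
+              It may be omitted for cluster-scoped resources.
+            type: string
+          metadata:
+            type: object
+          status:
+            description: Status is the status the Kuma resource.
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true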


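--- /dev/null
+++ b/[path not on page: crd dataplanes.kuma.io]
@@ -0,0 +1,70 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: dataplanes.kuma.io
+spec:
+  group: kuma.io
+  names:
+    categories:
+    - kuma
+    kind: Dataplane
+    listKind: DataplaneList
+    plural: dataplanes
+    singular: dataplane
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Service tag of the first inbound
+      jsonPath: .spec.networking.inbound[0].tags['kuma\.io/service']
+      name: kuma.io/service
+      type: string
+    - description: Service tag of the second inbound
+      jsonPath: .spec.networking.inbound[1].tags['kuma\.io/service']
+      name: kuma.io/service
+      type: string
+    - description: Service tag of the third inbound
+      jsonPath: .spec.networking.inbound[2].tags['kuma\.io/service']
+      name: kuma.io/service
+      priority: 1
+      type: string
+    - description: Service tag of the fourth inbound
+      jsonPath: .spec.networking.inbound[3].tags['kuma\.io/service']
+      name: kuma.io/service
+      priority: 1
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          mesh:
+            description: |-
+              Mesh is the name of the Kuma mesh this resource belongs to.
+              It may be omitted for cluster-scoped resources.
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the specification of the Kuma Dataplane resource.
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true
+    subresources: {}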


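--- /dev/null
+++ b/[path not on page: crd externalservices.kuma.io]
@@ -0,0 +1,50 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: externalservices.kuma.io
+spec:
+  group: kuma.io
+  names:
+    categories:
+    - kuma
+    kind: ExternalService
+    listKind: ExternalServiceList
+    plural: externalservices
+    singular: externalservice
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          mesh:
+            description: |-
+              Mesh is the name of the Kuma mesh this resource belongs to.
+              It may be omitted for cluster-scoped resources.
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the specification of the Kuma ExternalService resource.
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true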


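--- /dev/null
+++ b/[path not on page: crd faultinjections.kuma.io]
@@ -0,0 +1,50 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: faultinjections.kuma.io
+spec:
+  group: kuma.io
+  names:
+    categories:
+    - kuma
+    kind: FaultInjection
+    listKind: FaultInjectionList
+    plural: faultinjections
+    singular: faultinjection
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          mesh:
+            description: |-
+              Mesh is the name of the Kuma mesh this resource belongs to.
+              It may be omitted for cluster-scoped resources.
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the specification of the Kuma FaultInjection resource.
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true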


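--- /dev/null
+++ b/[path not on page: crd healthchecks.kuma.io]
@@ -0,0 +1,50 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: healthchecks.kuma.io
+spec:
+  group: kuma.io
+  names:
+    categories:
+    - kuma
+    kind: HealthCheck
+    listKind: HealthCheckList
+    plural: healthchecks
+    singular: healthcheck
+  scope: Cluster
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          mesh:
+            description: |-
+              Mesh is the name of the Kuma mesh this resource belongs to.
+              It may be omitted for cluster-scoped resources.
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the specification of the Kuma HealthCheck resource.
+            x-kubernetes-preserve-unknown-fields: true
+        type: object
+    served: true
+    storage: true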


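--- /dev/null
+++ b/[path not on page: crd hostnamegenerators.kuma.io]
@@ -0,0 +1,65 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: hostnamegenerators.kuma.io
+spec:
+  group: kuma.io
+  names:
+    categories:
+    - kuma
+    kind: HostnameGenerator
+    listKind: HostnameGeneratorList
+    plural: hostnamegenerators
+    singular: hostnamegenerator
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the specification of the Kuma HostnameGenerator resource.
+            properties:
+              selector:
+                properties:
+                  meshExternalService:
+                    properties:
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                    type: object
+                  meshService:
+                    properties:
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                    type: object
+                type: object
+              template:
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true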


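--- /dev/null
+++ b/[path not on page: crd meshaccesslogs.kuma.io]
@@ -0,0 +1,556 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.14.0
+  name: meshaccesslogs.kuma.io
+spec:
+  group: kuma.io
+  names:
+    categories:
+    - kuma
+    kind: MeshAccessLog
+    listKind: MeshAccessLogList
+    plural: meshaccesslogs
+    singular: meshaccesslog
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.targetRef.kind
+      name: TargetRef Kind
+      type: string
+    - jsonPath: .spec.targetRef.name
+      name: TargetRef Name
+      type: string
+    name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: Spec is the specification of the Kuma MeshAccessLog resource.
+            properties:
+              from:
+                description: From list makes a match between clients and corresponding
+                  configurations
+                items:
+                  properties:
+                    default:
+                      description: |-
+                        Default is a configuration specific to the group of clients referenced in
+                        'targetRef'
+                      properties:
+                        backends:
+                          items:
+                            properties:
+                              file:
+                                description: FileBackend defines configuration for
+                                  file based access logs
+                                properties:
+                                  format:
+                                    description: |-
+                                      Format of access logs. Placeholders available on
+                                      https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators
+                                    properties:
+                                      json:
+                                        example:
+                                        - key: start_time
+                                          value: '%START_TIME%'
+                                        - key: bytes_received
+                                          value: '%BYTES_RECEIVED%'
+                                        items:
+                                          properties:
+                                            key:
+                                              type: string
+                                            value:
+                                              type: string
+                                          type: object
+                                        type: array
+                                      omitEmptyValues:
+                                        default: false
+                                        type: boolean
+                                      plain:
+                                        example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%'
+                                        type: string
+                                      type:
+                                        enum:
+                                        - Plain
+                                        - Json
+                                        type: string
+                                    required:
+                                    - type
+                                    type: object
+                                  path:
+                                    description: Path to a file that logs will be
+                                      written to
+                                    example: /tmp/access.log
+                                    minLength: 1
+                                    type: string
+                                required:
+                                - path
+                                type: object
+                              openTelemetry:
+                                description: Defines an OpenTelemetry logging backend.
+                                properties:
+                                  attributes:
+                                    description: |-
+                                      Attributes can contain placeholders available on
+                                      https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators
+                                    example:
+                                    - key: mesh
+                                      value: '%KUMA_MESH%'
+                                    items:
+                                      properties:
+                                        key:
+                                          type: string
+                                        value:
+                                          type: string
+                                      type: object
+                                    type: array
+                                  body:
+                                    description: |-
+                                      Body is a raw string or an OTLP any value as described at
+                                      https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/data-model.md#field-body
+                                      It can contain placeholders available on
+                                      https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators
+                                    example:
+                                      kvlistValue:
+                                        values:
+                                        - key: mesh
+                                          value:
+                                            stringValue: '%KUMA_MESH%'
+                                    x-kubernetes-preserve-unknown-fields: true
+                                  endpoint:
+                                    description: Endpoint of OpenTelemetry collector.
+                                      An empty port defaults to 4317.
+                                    example: otel-collector:4317
+                                    minLength: 1
+                                    type: string
+                                required:
+                                - endpoint
+                                type: object
+                              tcp:
+                                description: TCPBackend defines a TCP logging backend.
+                                properties:
+                                  address:
+                                    description: Address of the TCP logging backend
+                                    example: 127.0.0.1:5000
+                                    minLength: 1
+                                    type: string
+                                  format:
+                                    description: |-
+                                      Format of access logs. Placeholders available on
+                                      https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators
+                                    properties:
+                                      json:
+                                        example:
+                                        - key: start_time
+                                          value: '%START_TIME%'
+                                        - key: bytes_received
+                                          value: '%BYTES_RECEIVED%'
+                                        items:
+                                          properties:
+                                            key:
+                                              type: string
+                                            value:
+                                              type: string
+                                          type: object
+                                        type: array
+                                      omitEmptyValues:
+                                        default: false
+                                        type: boolean
+                                      plain:
+                                        example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%'
+                                        type: string
+                                      type:
+                                        enum:
+                                        - Plain
+                                        - Json
+                                        type: string
+                                    required:
+                                    - type
+                                    type: object
+                                required:
+                                - address
+                                type: object
+                              type:
+                                enum:
+                                - Tcp
+                                - File
+                                - OpenTelemetry
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          type: array
+                      type: object
+                    targetRef:
+                      description: |-
+                        TargetRef is a reference to the resource that represents a group of
+                        clients.
+                      properties:
+                        kind:
+                          description: Kind of the referenced resource
+                          enum:
+                          - Mesh
+                          - MeshSubset
+                          - MeshGateway
+                          - MeshService
+                          - MeshExternalService
+                          - MeshServiceSubset
+                          - MeshHTTPRoute
+                          type: string
+                        labels:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            Labels are used to select group of MeshServices that match labels. Either Labels or
+                            Name and Namespace can be used.
+                          type: object
+                        mesh:
+                          description: Mesh is reserved for future use to identify
+                            cross mesh resources.
+                          type: string
+                        name:
+                          description: |-
+                            Name of the referenced resource. Can only be used with kinds: `MeshService`,
+                            `MeshServiceSubset` and `MeshGatewayRoute`
+                          type: string
+                        namespace:
+                          description: |-
+                            Namespace specifies the namespace of target resource. If empty only resources in policy namespace
+                            will be targeted.
+                          type: string
+                        proxyTypes:
+                          description: |-
+                            ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
+                            all data plane types are targeted by the policy.
+                          items:
+                            enum:
+                            - Sidecar
+                            - Gateway
+                            type: string
+                          minItems: 1
+                          type: array
+                        sectionName:
+                          description: |-
+                            SectionName is used to target specific section of resource.
+                            For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            Tags used to select a subset of proxies by tags. Can only be used with kinds
+                            `MeshSubset` and `MeshServiceSubset`
+                          type: object
+                      type: object
+                  required:
+                  - targetRef
+                  type: object
+                type: array
+              targetRef:
+                description: |-
+                  TargetRef is a reference to the resource the policy takes an effect on.
+                  The resource could be either a real store object or virtual resource
+                  defined in-place.
+                properties:
+                  kind:
+                    description: Kind of the referenced resource
+                    enum:
+                    - Mesh
+                    - MeshSubset
+                    - MeshGateway
+                    - MeshService
+                    - MeshExternalService
+                    - MeshServiceSubset
+                    - MeshHTTPRoute
+                    type: string
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      Labels are used to select group of MeshServices that match labels. Either Labels or
+                      Name and Namespace can be used.
+                    type: object
+                  mesh:
+                    description: Mesh is reserved for future use to identify cross
+                      mesh resources.
+                    type: string
+                  name:
+                    description: |-
+                      Name of the referenced resource. Can only be used with kinds: `MeshService`,
+                      `MeshServiceSubset` and `MeshGatewayRoute`
+                    type: string
+                  namespace:
+                    description: |-
+                      Namespace specifies the namespace of target resource. If empty only resources in policy namespace
+                      will be targeted.
+                    type: string
+                  proxyTypes:
+                    description: |-
+                      ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
+                      all data plane types are targeted by the policy.
+                    items:
+                      enum:
+                      - Sidecar
+                      - Gateway
+                      type: string
+                    minItems: 1
+                    type: array
+                  sectionName:
+                    description: |-
+                      SectionName is used to target specific section of resource.
+                      For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: |-
+                      Tags used to select a subset of proxies by tags. Can only be used with kinds
+                      `MeshSubset` and `MeshServiceSubset`
+                    type: object
+                type: object
+              to:
+                description: To list makes a match between the consumed services and
+                  corresponding configurations
+                items:
+                  properties:
+                    default:
+                      description: |-
+                        Default is a configuration specific to the group of destinations referenced in
+                        'targetRef'
+                      properties:
+                        backends:
+                          items:
+                            properties:
+                              file:
+                                description: FileBackend defines configuration for
+                                  file based access logs
+                                properties:
+                                  format:
+                                    description: |-
+                                      Format of access logs. Placeholders available on
+                                      https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators
+                                    properties:
+                                      json:
+                                        example:
+                                        - key: start_time
+                                          value: '%START_TIME%'
+                                        - key: bytes_received
+                                          value: '%BYTES_RECEIVED%'
+                                        items:
+                                          properties:
+                                            key:
+                                              type: string
+                                            value:
+                                              type: string
+                                          type: object
+                                        type: array
+                                      omitEmptyValues:
+                                        default: false
+                                        type: boolean
+                                      plain:
+                                        example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%'
+                                        type: string
+                                      type:
+                                        enum:
+                                        - Plain
+                                        - Json
+                                        type: string
+                                    required:
+                                    - type
+                                    type: object
+                                  path:
+                                    description: Path to a file that logs will be
+                                      written to
+                                    example: /tmp/access.log
+                                    minLength: 1
+                                    type: string
+                                required:
+                                - path
+                                type: object
+                              openTelemetry:
+                                description: Defines an OpenTelemetry logging backend.
+                                properties:
+                                  attributes:
+                                    description: |-
+                                      Attributes can contain placeholders available on
+                                      https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators
+                                    example:
+                                    - key: mesh
+                                      value: '%KUMA_MESH%'
+                                    items:
+                                      properties:
+                                        key:
+                                          type: string
+                                        value:
+                                          type: string
+                                      type: object
+                                    type: array
+                                  body:
+                                    description: |-
+                                      Body is a raw string or an OTLP any value as described at
+                                      https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/logs/data-model.md#field-body
+                                      It can contain placeholders available on
+                                      https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators
+                                    example:
+                                      kvlistValue:
+                                        values:
+                                        - key: mesh
+                                          value:
+                                            stringValue: '%KUMA_MESH%'
+                                    x-kubernetes-preserve-unknown-fields: true
+                                  endpoint:
+                                    description: Endpoint of OpenTelemetry collector.
+                                      An empty port defaults to 4317.
+                                    example: otel-collector:4317
+                                    minLength: 1
+                                    type: string
+                                required:
+                                - endpoint
+                                type: object
+                              tcp:
+                                description: TCPBackend defines a TCP logging backend.
+                                properties:
+                                  address:
+                                    description: Address of the TCP logging backend
+                                    example: 127.0.0.1:5000
+                                    minLength: 1
+                                    type: string
+                                  format:
+                                    description: |-
+                                      Format of access logs. Placeholders available on
+                                      https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators
+                                    properties:
+                                      json:
+                                        example:
+                                        - key: start_time
+                                          value: '%START_TIME%'
+                                        - key: bytes_received
+                                          value: '%BYTES_RECEIVED%'
+                                        items:
+                                          properties:
+                                            key:
+                                              type: string
+                                            value:
+                                              type: string
+                                          type: object
+                                        type: array
+                                      omitEmptyValues:
+                                        default: false
+                                        type: boolean
+                                      plain:
+                                        example: '[%START_TIME%] %KUMA_MESH% %UPSTREAM_HOST%'
+                                        type: string
+                                      type:
+                                        enum:
+                                        - Plain
+                                        - Json
+                                        type: string
+                                    required:
+                                    - type
+                                    type: object
+                                required:
+                                - address
+                                type: object
+                              type:
+                                enum:
+                                - Tcp
+                                - File
+                                - OpenTelemetry
+                                type: string
+                            required:
+                            - type
+                            type: object
+                          type: array
+                      type: object
+                    targetRef:
+                      description: |-
+                        TargetRef is a reference to the resource that represents a group of
+                        destinations.
+                      properties:
+                        kind:
+                          description: Kind of the referenced resource
+                          enum:
+                          - Mesh
+                          - MeshSubset
+                          - MeshGateway
+                          - MeshService
+                          - MeshExternalService
+                          - MeshServiceSubset
+                          - MeshHTTPRoute
+                          type: string
+                        labels:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            Labels are used to select group of MeshServices that match labels. Either Labels or
+                            Name and Namespace can be used.
+                          type: object
+                        mesh:
+                          description: Mesh is reserved for future use to identify
+                            cross mesh resources.
+                          type: string
+                        name:
+                          description: |-
+                            Name of the referenced resource. Can only be used with kinds: `MeshService`,
+                            `MeshServiceSubset` and `MeshGatewayRoute`
+                          type: string
+                        namespace:
+                          description: |-
+                            Namespace specifies the namespace of target resource. If empty only resources in policy namespace
+                            will be targeted.
+                          type: string
+                        proxyTypes:
+                          description: |-
+                            ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
+                            all data plane types are targeted by the policy.
+                          items:
+                            enum:
+                            - Sidecar
+                            - Gateway
+                            type: string
+                          minItems: 1
+                          type: array
+                        sectionName:
+                          description: |-
+                            SectionName is used to target specific section of resource.
+                            For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: |-
+                            Tags used to select a subset of proxies by tags. Can only be used with kinds
+                            `MeshSubset` and `MeshServiceSubset`
+                          type: object
+                      type: object
+                  required:
+                  - targetRef
+                  type: object
+                type: array
+            required:
+            - targetRef
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources: {}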


@ -0,0 +1,738 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshcircuitbreakers.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshCircuitBreaker
listKind: MeshCircuitBreakerList
plural: meshcircuitbreakers
singular: meshcircuitbreaker
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshCircuitBreaker
resource.
properties:
from:
description: From list makes a match between clients and corresponding
configurations
items:
properties:
default:
description: |-
Default is a configuration specific to the group of destinations
referenced in 'targetRef'
properties:
connectionLimits:
description: |-
ConnectionLimits contains configuration of each circuit breaking limit,
which when exceeded makes the circuit breaker to become open (no traffic
is allowed like no current is allowed in the circuits when physical
circuit breaker ir open)
properties:
maxConnectionPools:
description: |-
The maximum number of connection pools per cluster that are concurrently
supported at once. Set this for clusters which create a large number of
connection pools.
format: int32
type: integer
maxConnections:
description: |-
The maximum number of connections allowed to be made to the upstream
cluster.
format: int32
type: integer
maxPendingRequests:
description: |-
The maximum number of pending requests that are allowed to the upstream
cluster. This limit is applied as a connection limit for non-HTTP
traffic.
format: int32
type: integer
maxRequests:
description: |-
The maximum number of parallel requests that are allowed to be made
to the upstream cluster. This limit does not apply to non-HTTP traffic.
format: int32
type: integer
maxRetries:
description: |-
The maximum number of parallel retries that will be allowed to
the upstream cluster.
format: int32
type: integer
type: object
outlierDetection:
description: |-
OutlierDetection contains the configuration of the process of dynamically
determining whether some number of hosts in an upstream cluster are
performing unlike the others and removing them from the healthy load
balancing set. Performance might be along different axes such as
consecutive failures, temporal success rate, temporal latency, etc.
Outlier detection is a form of passive health checking.
properties:
baseEjectionTime:
description: |-
The base time that a host is ejected for. The real time is equal to
the base time multiplied by the number of times the host has been
ejected.
type: string
detectors:
description: Contains configuration for supported outlier
detectors
properties:
failurePercentage:
description: |-
Failure Percentage based outlier detection functions similarly to success
rate detection, in that it relies on success rate data from each host in
a cluster. However, rather than compare those values to the mean success
rate of the cluster as a whole, they are compared to a flat
user-configured threshold. This threshold is configured via the
outlierDetection.failurePercentageThreshold field.
The other configuration fields for failure percentage based detection are
similar to the fields for success rate detection. As with success rate
detection, detection will not be performed for a host if its request
volume over the aggregation interval is less than the
outlierDetection.detectors.failurePercentage.requestVolume value.
Detection also will not be performed for a cluster if the number of hosts
with the minimum required request volume in an interval is less than the
outlierDetection.detectors.failurePercentage.minimumHosts value.
properties:
minimumHosts:
description: |-
The minimum number of hosts in a cluster in order to perform failure
percentage-based ejection. If the total number of hosts in the cluster is
less than this value, failure percentage-based ejection will not be
performed.
format: int32
type: integer
requestVolume:
description: |-
The minimum number of total requests that must be collected in one
interval (as defined by the interval duration above) to perform failure
percentage-based ejection for this host. If the volume is lower than this
setting, failure percentage-based ejection will not be performed for this
host.
format: int32
type: integer
threshold:
description: |-
The failure percentage to use when determining failure percentage-based
outlier detection. If the failure percentage of a given host is greater
than or equal to this value, it will be ejected.
format: int32
type: integer
type: object
gatewayFailures:
description: |-
In the default mode (outlierDetection.splitExternalLocalOriginErrors is
false) this detection type takes into account a subset of 5xx errors,
called "gateway errors" (502, 503 or 504 status code) and local origin
failures, such as timeout, TCP reset etc.
In split mode (outlierDetection.splitExternalLocalOriginErrors is true)
this detection type takes into account a subset of 5xx errors, called
"gateway errors" (502, 503 or 504 status code) and is supported only by
the http router.
properties:
consecutive:
description: |-
The number of consecutive gateway failures (502, 503, 504 status codes)
before a consecutive gateway failure ejection occurs.
format: int32
type: integer
type: object
localOriginFailures:
description: |-
This detection type is enabled only when
outlierDetection.splitExternalLocalOriginErrors is true and takes into
account only locally originated errors (timeout, reset, etc).
If Envoy repeatedly cannot connect to an upstream host or communication
with the upstream host is repeatedly interrupted, it will be ejected.
Various locally originated problems are detected: timeout, TCP reset,
ICMP errors, etc. This detection type is supported by http router and
tcp proxy.
properties:
consecutive:
description: |-
The number of consecutive locally originated failures before ejection
occurs. Parameter takes effect only when splitExternalAndLocalErrors
is set to true.
format: int32
type: integer
type: object
successRate:
description: |-
Success Rate based outlier detection aggregates success rate data from
every host in a cluster. Then at given intervals ejects hosts based on
statistical outlier detection. Success Rate outlier detection will not be
calculated for a host if its request volume over the aggregation interval
is less than the outlierDetection.detectors.successRate.requestVolume
value.
Moreover, detection will not be performed for a cluster if the number of
hosts with the minimum required request volume in an interval is less
than the outlierDetection.detectors.successRate.minimumHosts value.
In the default configuration mode
(outlierDetection.splitExternalLocalOriginErrors is false) this detection
type takes into account all types of errors: locally and externally
originated.
In split mode (outlierDetection.splitExternalLocalOriginErrors is true),
locally originated errors and externally originated (transaction) errors
are counted and treated separately.
properties:
minimumHosts:
description: |-
The number of hosts in a cluster that must have enough request volume to
detect success rate outliers. If the number of hosts is less than this
setting, outlier detection via success rate statistics is not performed
for any host in the cluster.
format: int32
type: integer
requestVolume:
description: |-
The minimum number of total requests that must be collected in one
interval (as defined by the interval duration configured in
outlierDetection section) to include this host in success rate based
outlier detection. If the volume is lower than this setting, outlier
detection via success rate statistics is not performed for that host.
format: int32
type: integer
standardDeviationFactor:
anyOf:
- type: integer
- type: string
description: |-
This factor is used to determine the ejection threshold for success rate
outlier ejection. The ejection threshold is the difference between
the mean success rate, and the product of this factor and the standard
deviation of the mean success rate: mean - (standard_deviation *
success_rate_standard_deviation_factor).
Either int or decimal represented as string.
x-kubernetes-int-or-string: true
type: object
totalFailures:
description: |-
In the default mode (outlierDetection.splitExternalAndLocalErrors is
false) this detection type takes into account all generated errors:
locally originated and externally originated (transaction) errors.
In split mode (outlierDetection.splitExternalLocalOriginErrors is true)
this detection type takes into account only externally originated
(transaction) errors, ignoring locally originated errors.
If an upstream host is an HTTP-server, only 5xx types of error are taken
into account (see Consecutive Gateway Failure for exceptions).
Properly formatted responses, even when they carry an operational error
(like index not found, access denied) are not taken into account.
properties:
consecutive:
description: |-
The number of consecutive server-side error responses (for HTTP traffic,
5xx responses; for TCP traffic, connection failures; for Redis, failure
to respond PONG; etc.) before a consecutive total failure ejection
occurs.
format: int32
type: integer
type: object
type: object
disabled:
description: When set to true, outlierDetection configuration
won't take any effect
type: boolean
interval:
description: |-
The time interval between ejection analysis sweeps. This can result in
both new ejections and hosts being returned to service.
type: string
maxEjectionPercent:
description: |-
The maximum % of an upstream cluster that can be ejected due to outlier
detection. Defaults to 10% but will eject at least one host regardless of
the value.
format: int32
type: integer
splitExternalAndLocalErrors:
description: |-
Determines whether to distinguish local origin failures from external
errors. If set to true the following configuration parameters are taken
into account: detectors.localOriginFailures.consecutive
type: boolean
type: object
type: object
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
destinations.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: array
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined in place.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
to:
description: |-
To list makes a match between the consumed services and corresponding
configurations
items:
properties:
default:
description: |-
Default is a configuration specific to the group of destinations
referenced in 'targetRef'
properties:
connectionLimits:
description: |-
ConnectionLimits contains configuration of each circuit breaking limit,
which when exceeded makes the circuit breaker to become open (no traffic
is allowed like no current is allowed in the circuits when physical
circuit breaker ir open)
properties:
maxConnectionPools:
description: |-
The maximum number of connection pools per cluster that are concurrently
supported at once. Set this for clusters which create a large number of
connection pools.
format: int32
type: integer
maxConnections:
description: |-
The maximum number of connections allowed to be made to the upstream
cluster.
format: int32
type: integer
maxPendingRequests:
description: |-
The maximum number of pending requests that are allowed to the upstream
cluster. This limit is applied as a connection limit for non-HTTP
traffic.
format: int32
type: integer
maxRequests:
description: |-
The maximum number of parallel requests that are allowed to be made
to the upstream cluster. This limit does not apply to non-HTTP traffic.
format: int32
type: integer
maxRetries:
description: |-
The maximum number of parallel retries that will be allowed to
the upstream cluster.
format: int32
type: integer
type: object
outlierDetection:
description: |-
OutlierDetection contains the configuration of the process of dynamically
determining whether some number of hosts in an upstream cluster are
performing unlike the others and removing them from the healthy load
balancing set. Performance might be along different axes such as
consecutive failures, temporal success rate, temporal latency, etc.
Outlier detection is a form of passive health checking.
properties:
baseEjectionTime:
description: |-
The base time that a host is ejected for. The real time is equal to
the base time multiplied by the number of times the host has been
ejected.
type: string
detectors:
description: Contains configuration for supported outlier
detectors
properties:
failurePercentage:
description: |-
Failure Percentage based outlier detection functions similarly to success
rate detection, in that it relies on success rate data from each host in
a cluster. However, rather than compare those values to the mean success
rate of the cluster as a whole, they are compared to a flat
user-configured threshold. This threshold is configured via the
outlierDetection.failurePercentageThreshold field.
The other configuration fields for failure percentage based detection are
similar to the fields for success rate detection. As with success rate
detection, detection will not be performed for a host if its request
volume over the aggregation interval is less than the
outlierDetection.detectors.failurePercentage.requestVolume value.
Detection also will not be performed for a cluster if the number of hosts
with the minimum required request volume in an interval is less than the
outlierDetection.detectors.failurePercentage.minimumHosts value.
properties:
minimumHosts:
description: |-
The minimum number of hosts in a cluster in order to perform failure
percentage-based ejection. If the total number of hosts in the cluster is
less than this value, failure percentage-based ejection will not be
performed.
format: int32
type: integer
requestVolume:
description: |-
The minimum number of total requests that must be collected in one
interval (as defined by the interval duration above) to perform failure
percentage-based ejection for this host. If the volume is lower than this
setting, failure percentage-based ejection will not be performed for this
host.
format: int32
type: integer
threshold:
description: |-
The failure percentage to use when determining failure percentage-based
outlier detection. If the failure percentage of a given host is greater
than or equal to this value, it will be ejected.
format: int32
type: integer
type: object
gatewayFailures:
description: |-
In the default mode (outlierDetection.splitExternalLocalOriginErrors is
false) this detection type takes into account a subset of 5xx errors,
called "gateway errors" (502, 503 or 504 status code) and local origin
failures, such as timeout, TCP reset etc.
In split mode (outlierDetection.splitExternalLocalOriginErrors is true)
this detection type takes into account a subset of 5xx errors, called
"gateway errors" (502, 503 or 504 status code) and is supported only by
the http router.
properties:
consecutive:
description: |-
The number of consecutive gateway failures (502, 503, 504 status codes)
before a consecutive gateway failure ejection occurs.
format: int32
type: integer
type: object
localOriginFailures:
description: |-
This detection type is enabled only when
outlierDetection.splitExternalLocalOriginErrors is true and takes into
account only locally originated errors (timeout, reset, etc).
If Envoy repeatedly cannot connect to an upstream host or communication
with the upstream host is repeatedly interrupted, it will be ejected.
Various locally originated problems are detected: timeout, TCP reset,
ICMP errors, etc. This detection type is supported by http router and
tcp proxy.
properties:
consecutive:
description: |-
The number of consecutive locally originated failures before ejection
occurs. Parameter takes effect only when splitExternalAndLocalErrors
is set to true.
format: int32
type: integer
type: object
successRate:
description: |-
Success Rate based outlier detection aggregates success rate data from
every host in a cluster. Then at given intervals ejects hosts based on
statistical outlier detection. Success Rate outlier detection will not be
calculated for a host if its request volume over the aggregation interval
is less than the outlierDetection.detectors.successRate.requestVolume
value.
Moreover, detection will not be performed for a cluster if the number of
hosts with the minimum required request volume in an interval is less
than the outlierDetection.detectors.successRate.minimumHosts value.
In the default configuration mode
(outlierDetection.splitExternalLocalOriginErrors is false) this detection
type takes into account all types of errors: locally and externally
originated.
In split mode (outlierDetection.splitExternalLocalOriginErrors is true),
locally originated errors and externally originated (transaction) errors
are counted and treated separately.
properties:
minimumHosts:
description: |-
The number of hosts in a cluster that must have enough request volume to
detect success rate outliers. If the number of hosts is less than this
setting, outlier detection via success rate statistics is not performed
for any host in the cluster.
format: int32
type: integer
requestVolume:
description: |-
The minimum number of total requests that must be collected in one
interval (as defined by the interval duration configured in
outlierDetection section) to include this host in success rate based
outlier detection. If the volume is lower than this setting, outlier
detection via success rate statistics is not performed for that host.
format: int32
type: integer
standardDeviationFactor:
anyOf:
- type: integer
- type: string
description: |-
This factor is used to determine the ejection threshold for success rate
outlier ejection. The ejection threshold is the difference between
the mean success rate, and the product of this factor and the standard
deviation of the mean success rate: mean - (standard_deviation *
success_rate_standard_deviation_factor).
Either int or decimal represented as string.
x-kubernetes-int-or-string: true
type: object
totalFailures:
description: |-
In the default mode (outlierDetection.splitExternalAndLocalErrors is
false) this detection type takes into account all generated errors:
locally originated and externally originated (transaction) errors.
In split mode (outlierDetection.splitExternalLocalOriginErrors is true)
this detection type takes into account only externally originated
(transaction) errors, ignoring locally originated errors.
If an upstream host is an HTTP-server, only 5xx types of error are taken
into account (see Consecutive Gateway Failure for exceptions).
Properly formatted responses, even when they carry an operational error
(like index not found, access denied) are not taken into account.
properties:
consecutive:
description: |-
The number of consecutive server-side error responses (for HTTP traffic,
5xx responses; for TCP traffic, connection failures; for Redis, failure
to respond PONG; etc.) before a consecutive total failure ejection
occurs.
format: int32
type: integer
type: object
type: object
disabled:
description: When set to true, outlierDetection configuration
won't take any effect
type: boolean
interval:
description: |-
The time interval between ejection analysis sweeps. This can result in
both new ejections and hosts being returned to service.
type: string
maxEjectionPercent:
description: |-
The maximum % of an upstream cluster that can be ejected due to outlier
detection. Defaults to 10% but will eject at least one host regardless of
the value.
format: int32
type: integer
splitExternalAndLocalErrors:
description: |-
Determines whether to distinguish local origin failures from external
errors. If set to true the following configuration parameters are taken
into account: detectors.localOriginFailures.consecutive
type: boolean
type: object
type: object
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
destinations.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: array
required:
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshes.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: Mesh
listKind: MeshList
plural: meshes
singular: mesh
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma Mesh resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,333 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshexternalservices.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshExternalService
listKind: MeshExternalServiceList
plural: meshexternalservices
singular: meshexternalservice
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshExternalService
resource.
properties:
endpoints:
description: Endpoints defines a list of destinations to send traffic
to.
items:
properties:
address:
description: Address defines an address to which a user want
to send a request. Is possible to provide `domain`, `ip` and
`unix` sockets.
example: unix:///tmp/example.sock
minLength: 1
type: string
port:
description: Port of the endpoint
maximum: 65535
minimum: 1
type: integer
required:
- address
type: object
type: array
extension:
description: Extension struct for a plugin configuration, in the presence
of an extension `endpoints` and `tls` are not required anymore -
it's up to the extension to validate them independently.
properties:
config:
description: Config freeform configuration for the extension.
x-kubernetes-preserve-unknown-fields: true
type:
description: Type of the extension.
type: string
required:
- config
- type
type: object
match:
description: Match defines traffic that should be routed through the
sidecar.
properties:
port:
description: Port defines a port to which a user does request.
maximum: 65535
minimum: 1
type: integer
protocol:
default: tcp
description: 'Protocol defines a protocol of the communication.
Possible values: `tcp`, `grpc`, `http`, `http2`.'
enum:
- tcp
- grpc
- http
- http2
type: string
type:
default: HostnameGenerator
description: Type of the match, only `HostnameGenerator` is available
at the moment.
enum:
- HostnameGenerator
type: string
required:
- port
type: object
tls:
description: Tls provides a TLS configuration when proxy is resposible
for a TLS origination
properties:
allowRenegotiation:
default: false
description: |-
AllowRenegotiation defines if TLS sessions will allow renegotiation.
Setting this to true is not recommended for security reasons.
type: boolean
enabled:
default: false
description: Enabled defines if proxy should originate TLS.
type: boolean
verification:
description: Verification section for providing TLS verification
details.
properties:
caCert:
description: CaCert defines a certificate of CA.
properties:
inline:
description: Data source is inline bytes.
format: byte
type: string
inlineString:
description: Data source is inline string`
type: string
secret:
description: Data source is a secret with given Secret
key.
type: string
type: object
clientCert:
description: ClientCert defines a certificate of a client.
properties:
inline:
description: Data source is inline bytes.
format: byte
type: string
inlineString:
description: Data source is inline string`
type: string
secret:
description: Data source is a secret with given Secret
key.
type: string
type: object
clientKey:
description: ClientKey defines a client private key.
properties:
inline:
description: Data source is inline bytes.
format: byte
type: string
inlineString:
description: Data source is inline string`
type: string
secret:
description: Data source is a secret with given Secret
key.
type: string
type: object
mode:
default: Secured
description: Mode defines if proxy should skip verification,
one of `SkipSAN`, `SkipCA`, `Secured`, `SkipAll`. Default
`Secured`.
enum:
- SkipSAN
- SkipCA
- Secured
- SkipAll
type: string
serverName:
description: ServerName overrides the default Server Name
Indicator set by Kuma.
type: string
subjectAltNames:
description: SubjectAltNames list of names to verify in the
certificate.
items:
properties:
type:
default: Exact
description: 'Type specifies matching type, one of `Exact`,
`Prefix`. Default: `Exact`'
enum:
- Exact
- Prefix
type: string
value:
description: Value to match.
type: string
required:
- value
type: object
type: array
type: object
version:
description: Version section for providing version specification.
properties:
max:
default: TLSAuto
description: Max defines maximum supported version. One of
`TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`.
enum:
- TLSAuto
- TLS10
- TLS11
- TLS12
- TLS13
type: string
min:
default: TLSAuto
description: Min defines minimum supported version. One of
`TLSAuto`, `TLS10`, `TLS11`, `TLS12`, `TLS13`.
enum:
- TLSAuto
- TLS10
- TLS11
- TLS12
- TLS13
type: string
type: object
type: object
required:
- match
type: object
status:
description: Status is the current status of the Kuma MeshExternalService
resource.
properties:
addresses:
description: Addresses section for generated domains
items:
properties:
hostname:
type: string
hostnameGeneratorRef:
properties:
coreName:
type: string
required:
- coreName
type: object
origin:
type: string
type: object
type: array
hostnameGenerators:
items:
properties:
conditions:
description: Conditions is an array of hostname generator conditions.
items:
properties:
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
hostnameGeneratorRef:
properties:
coreName:
type: string
required:
- coreName
type: object
required:
- hostnameGeneratorRef
type: object
type: array
vip:
description: Vip section for allocated IP
properties:
ip:
description: Value allocated IP for a provided domain with `HostnameGenerator`
type in a match section.
type: string
type: object
type: object
type: object
served: true
storage: true


@ -0,0 +1,419 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshfaultinjections.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshFaultInjection
listKind: MeshFaultInjectionList
plural: meshfaultinjections
singular: meshfaultinjection
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshFaultInjection
resource.
properties:
from:
description: From list makes a match between clients and corresponding
configurations
items:
properties:
default:
description: |-
Default is a configuration specific to the group of destinations referenced in
'targetRef'
properties:
http:
description: Http allows to define list of Http faults between
dataplanes.
items:
description: FaultInjection defines the configuration
of faults between dataplanes.
properties:
abort:
description: |-
Abort defines a configuration of not delivering requests to destination
service and replacing the responses from destination dataplane by
predefined status code
properties:
httpStatus:
description: HTTP status code which will be returned
to source side
format: int32
type: integer
percentage:
anyOf:
- type: integer
- type: string
description: |-
Percentage of requests on which abort will be injected, has to be
either int or decimal represented as string.
x-kubernetes-int-or-string: true
required:
- httpStatus
- percentage
type: object
delay:
description: Delay defines configuration of delaying
a response from a destination
properties:
percentage:
anyOf:
- type: integer
- type: string
description: |-
Percentage of requests on which delay will be injected, has to be
either int or decimal represented as string.
x-kubernetes-int-or-string: true
value:
description: The duration during which the response
will be delayed
type: string
required:
- percentage
- value
type: object
responseBandwidth:
description: |-
ResponseBandwidth defines a configuration to limit the speed of
responding to the requests
properties:
limit:
description: |-
Limit is represented by value measure in Gbps, Mbps, kbps, e.g.
10kbps
type: string
percentage:
anyOf:
- type: integer
- type: string
description: |-
Percentage of requests on which response bandwidth limit will be
either int or decimal represented as string.
x-kubernetes-int-or-string: true
required:
- limit
- percentage
type: object
type: object
type: array
type: object
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
destinations.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: array
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined inplace.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
to:
description: To list makes a match between clients and corresponding
configurations
items:
properties:
default:
description: |-
Default is a configuration specific to the group of destinations referenced in
'targetRef'
properties:
http:
description: Http allows to define list of Http faults between
dataplanes.
items:
description: FaultInjection defines the configuration
of faults between dataplanes.
properties:
abort:
description: |-
Abort defines a configuration of not delivering requests to destination
service and replacing the responses from destination dataplane by
predefined status code
properties:
httpStatus:
description: HTTP status code which will be returned
to source side
format: int32
type: integer
percentage:
anyOf:
- type: integer
- type: string
description: |-
Percentage of requests on which abort will be injected, has to be
either int or decimal represented as string.
x-kubernetes-int-or-string: true
required:
- httpStatus
- percentage
type: object
delay:
description: Delay defines configuration of delaying
a response from a destination
properties:
percentage:
anyOf:
- type: integer
- type: string
description: |-
Percentage of requests on which delay will be injected, has to be
either int or decimal represented as string.
x-kubernetes-int-or-string: true
value:
description: The duration during which the response
will be delayed
type: string
required:
- percentage
- value
type: object
responseBandwidth:
description: |-
ResponseBandwidth defines a configuration to limit the speed of
responding to the requests
properties:
limit:
description: |-
Limit is represented by value measure in Gbps, Mbps, kbps, e.g.
10kbps
type: string
percentage:
anyOf:
- type: integer
- type: string
description: |-
Percentage of requests on which response bandwidth limit will be
either int or decimal represented as string.
x-kubernetes-int-or-string: true
required:
- limit
- percentage
type: object
type: object
type: array
type: object
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
destinations.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: array
required:
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}

@ -0,0 +1,364 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshgatewayinstances.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshGatewayInstance
listKind: MeshGatewayInstanceList
plural: meshgatewayinstances
singular: meshgatewayinstance
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
description: |-
MeshGatewayInstance represents a managed instance of a dataplane proxy for a Kuma
Gateway.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: MeshGatewayInstanceSpec specifies the options available for
a GatewayDataplane.
properties:
podTemplate:
description: PodTemplate configures the Pod owned by this config.
properties:
metadata:
description: Metadata holds metadata configuration for a Service.
properties:
annotations:
additionalProperties:
type: string
description: Annotations holds annotations to be set on an
object.
type: object
labels:
additionalProperties:
type: string
description: Labels holds labels to be set on an objects.
type: object
type: object
spec:
description: Spec holds some customizable fields of a Pod.
properties:
container:
description: Container corresponds to PodSpec.Container
properties:
securityContext:
description: ContainerSecurityContext corresponds to PodSpec.Container.SecurityContext
properties:
readOnlyRootFilesystem:
description: ReadOnlyRootFilesystem corresponds to
PodSpec.Container.SecurityContext.ReadOnlyRootFilesystem
type: boolean
type: object
type: object
securityContext:
description: PodSecurityContext corresponds to PodSpec.SecurityContext
properties:
fsGroup:
description: FSGroup corresponds to PodSpec.SecurityContext.FSGroup
format: int64
type: integer
type: object
serviceAccountName:
description: ServiceAccountName corresponds to PodSpec.ServiceAccountName.
type: string
type: object
type: object
replicas:
default: 1
description: |-
Replicas is the number of dataplane proxy replicas to create. For
now this is a fixed number, but in the future it could be
automatically scaled based on metrics.
format: int32
minimum: 1
type: integer
resources:
description: |-
Resources specifies the compute resources for the proxy container.
The default can be set in the control plane config.
properties:
claims:
description: |-
Claims lists the names of resources, defined in spec.resourceClaims,
that are used by this container.
This is an alpha field and requires enabling the
DynamicResourceAllocation feature gate.
This field is immutable. It can only be set for containers.
items:
description: ResourceClaim references one entry in PodSpec.ResourceClaims.
properties:
name:
description: |-
Name must match the name of one entry in pod.spec.resourceClaims of
the Pod where this field is used. It makes that resource available
inside a container.
type: string
required:
- name
type: object
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
limits:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Limits describes the maximum amount of compute resources allowed.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
requests:
additionalProperties:
anyOf:
- type: integer
- type: string
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
x-kubernetes-int-or-string: true
description: |-
Requests describes the minimum amount of compute resources required.
If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
otherwise to an implementation-defined value. Requests cannot exceed Limits.
More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
type: object
type: object
serviceTemplate:
description: ServiceTemplate configures the Service owned by this
config.
properties:
metadata:
description: Metadata holds metadata configuration for a Service.
properties:
annotations:
additionalProperties:
type: string
description: Annotations holds annotations to be set on an
object.
type: object
labels:
additionalProperties:
type: string
description: Labels holds labels to be set on an objects.
type: object
type: object
spec:
description: Spec holds some customizable fields of a Service.
properties:
loadBalancerIP:
description: LoadBalancerIP corresponds to ServiceSpec.LoadBalancerIP.
type: string
type: object
type: object
serviceType:
default: LoadBalancer
description: |-
ServiceType specifies the type of managed Service that will be
created to expose the dataplane proxies to traffic from outside
the cluster. The ports to expose will be taken from the matching Gateway
resource. If there is no matching Gateway, the managed Service will
be deleted.
enum:
- LoadBalancer
- ClusterIP
- NodePort
type: string
tags:
additionalProperties:
type: string
description: |-
Tags specifies the Kuma tags that are propagated to the managed
dataplane proxies. These tags should include exactly one
`kuma.io/service` tag, and should match exactly one Gateway
resource.
type: object
type: object
status:
description: |-
MeshGatewayInstanceStatus holds information about the status of the gateway
instance.
properties:
conditions:
description: Conditions is an array of gateway instance conditions.
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
loadBalancer:
description: |-
LoadBalancer contains the current status of the load-balancer,
if one is present.
properties:
ingress:
description: |-
Ingress is a list containing ingress points for the load-balancer.
Traffic intended for the service should be sent to these ingress points.
items:
description: |-
LoadBalancerIngress represents the status of a load-balancer ingress point:
traffic intended for the service should be sent to an ingress point.
properties:
hostname:
description: |-
Hostname is set for load-balancer ingress points that are DNS based
(typically AWS load-balancers)
type: string
ip:
description: |-
IP is set for load-balancer ingress points that are IP based
(typically GCE or OpenStack load-balancers)
type: string
ipMode:
description: |-
IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified.
Setting this to "VIP" indicates that traffic is delivered to the node with
the destination set to the load-balancer's IP and port.
Setting this to "Proxy" indicates that traffic is delivered to the node or pod with
the destination set to the node's IP and node port or the pod's IP and port.
Service implementations may use this information to adjust traffic routing.
type: string
ports:
description: |-
Ports is a list of records of service ports
If used, every port defined in the service should have an entry in it
items:
properties:
error:
description: |-
Error is to record the problem with the service port
The format of the error shall comply with the following rules:
- built-in error values shall be specified in this file and those shall use
CamelCase names
- cloud provider specific error values must have names that comply with the
format foo.example.com/CamelCase.
---
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
port:
description: Port is the port number of the service
port of which status is recorded here
format: int32
type: integer
protocol:
default: TCP
description: |-
Protocol is the protocol of the service port of which status is recorded here
The supported values are: "TCP", "UDP", "SCTP"
type: string
required:
- port
- protocol
type: object
type: array
x-kubernetes-list-type: atomic
type: object
type: array
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}

@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshgatewayroutes.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshGatewayRoute
listKind: MeshGatewayRouteList
plural: meshgatewayroutes
singular: meshgatewayroute
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshGatewayRoute resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true

@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshgateways.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshGateway
listKind: MeshGatewayList
plural: meshgateways
singular: meshgateway
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshGateway resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true

@ -0,0 +1,382 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshhealthchecks.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshHealthCheck
listKind: MeshHealthCheckList
plural: meshhealthchecks
singular: meshhealthcheck
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshHealthCheck resource.
properties:
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined inplace.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
to:
description: To list makes a match between the consumed services and
corresponding configurations
items:
properties:
default:
description: |-
Default is a configuration specific to the group of destinations referenced in
'targetRef'
properties:
alwaysLogHealthCheckFailures:
description: |-
If set to true, health check failure events will always be logged. If set
to false, only the initial health check failure event will be logged. The
default value is false.
type: boolean
eventLogPath:
description: |-
Specifies the path to the file where Envoy can log health check events.
If empty, no event log will be written.
type: string
failTrafficOnPanic:
description: |-
If set to true, Envoy will not consider any hosts when the cluster is in
'panic mode'. Instead, the cluster will fail all requests as if all hosts
are unhealthy. This can help avoid potentially overwhelming a failing
service.
type: boolean
grpc:
description: |-
GrpcHealthCheck defines gRPC configuration which will instruct the service
the health check will be made for is a gRPC service.
properties:
authority:
description: |-
The value of the :authority header in the gRPC health check request,
by default name of the cluster this health check is associated with
type: string
disabled:
description: If true the GrpcHealthCheck is disabled
type: boolean
serviceName:
description: Service name parameter which will be sent
to gRPC service
type: string
type: object
healthyPanicThreshold:
anyOf:
- type: integer
- type: string
description: |-
Allows to configure panic threshold for Envoy cluster. If not specified,
the default is 50%. To disable panic mode, set to 0%.
Either int or decimal represented as string.
x-kubernetes-int-or-string: true
healthyThreshold:
default: 1
description: Number of consecutive healthy checks before
considering a host healthy.
format: int32
type: integer
http:
description: |-
HttpHealthCheck defines HTTP configuration which will instruct the service
the health check will be made for is an HTTP service.
properties:
disabled:
description: If true the HttpHealthCheck is disabled
type: boolean
expectedStatuses:
description: List of HTTP response statuses which are
considered healthy
items:
format: int32
type: integer
type: array
path:
default: /
description: |-
The HTTP path which will be requested during the health check
(ie. /health)
type: string
requestHeadersToAdd:
description: |-
The list of HTTP headers which should be added to each health check
request
properties:
add:
items:
properties:
name:
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
set:
items:
properties:
name:
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type: object
initialJitter:
description: |-
If specified, Envoy will start health checking after a random time in
ms between 0 and initialJitter. This only applies to the first health
check.
type: string
interval:
default: 1m
description: Interval between consecutive health checks.
type: string
intervalJitter:
description: |-
If specified, during every interval Envoy will add IntervalJitter to the
wait time.
type: string
intervalJitterPercent:
description: |-
If specified, during every interval Envoy will add IntervalJitter *
IntervalJitterPercent / 100 to the wait time. If IntervalJitter and
IntervalJitterPercent are both set, both of them will be used to
increase the wait time.
format: int32
type: integer
noTrafficInterval:
description: |-
The "no traffic interval" is a special health check interval that is used
when a cluster has never had traffic routed to it. This lower interval
allows cluster information to be kept up to date, without sending a
potentially large amount of active health checking traffic for no reason.
Once a cluster has been used for traffic routing, Envoy will shift back
to using the standard health check interval that is defined. Note that
this interval takes precedence over any other. The default value for "no
traffic interval" is 60 seconds.
type: string
reuseConnection:
description: Reuse health check connection between health
checks. Default is true.
type: boolean
tcp:
description: |-
TcpHealthCheck defines configuration for specifying bytes to send and
expected response during the health check
properties:
disabled:
description: If true the TcpHealthCheck is disabled
type: boolean
receive:
description: |-
List of Base64 encoded blocks of strings expected as a response. When checking the response,
"fuzzy" matching is performed such that each block must be found, and
in the order specified, but not necessarily contiguous.
If not provided or empty, checks will be performed as "connect only" and be marked as successful when TCP connection is successfully established.
items:
type: string
type: array
send:
description: Base64 encoded content of the message which
will be sent during the health check to the target
type: string
type: object
timeout:
default: 15s
description: Maximum time to wait for a health check response.
type: string
unhealthyThreshold:
default: 5
description: |-
Number of consecutive unhealthy checks before considering a host
unhealthy.
format: int32
type: integer
type: object
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
destinations.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: array
required:
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}

@ -0,0 +1,664 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshhttproutes.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshHTTPRoute
listKind: MeshHTTPRouteList
plural: meshhttproutes
singular: meshhttproute
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshHTTPRoute resource.
properties:
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined inplace.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
to:
description: To matches destination services of requests and holds
configuration.
items:
properties:
hostnames:
description: |-
Hostnames is only valid when targeting MeshGateway and limits the
effects of the rules to requests to this hostname.
Given hostnames must intersect with the hostname of the listeners the
route attaches to.
items:
type: string
type: array
rules:
description: |-
Rules contains the routing rules applies to a combination of top-level
targetRef and the targetRef in this entry.
items:
properties:
default:
description: |-
Default holds routing rules that can be merged with rules from other
policies.
properties:
backendRefs:
items:
description: BackendRef defines where to forward
traffic.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use
to identify cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
port:
description: Port is only supported when this
ref refers to a real MeshService object
format: int32
type: integer
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
weight:
default: 1
minimum: 0
type: integer
type: object
type: array
filters:
items:
properties:
requestHeaderModifier:
description: |-
Only one action is supported per header name.
Configuration to set or add multiple values for a header must use RFC 7230
header value formatting, separating each value with a comma.
properties:
add:
items:
properties:
name:
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
remove:
items:
type: string
maxItems: 16
type: array
set:
items:
properties:
name:
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
requestMirror:
properties:
backendRef:
description: TODO forbid weight
properties:
kind:
description: Kind of the referenced
resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future
use to identify cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
port:
description: Port is only supported
when this ref refers to a real MeshService
object
format: int32
type: integer
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
weight:
default: 1
minimum: 0
type: integer
type: object
percentage:
anyOf:
- type: integer
- type: string
description: |-
Percentage of requests to mirror. If not specified, all requests
to the target cluster will be mirrored.
x-kubernetes-int-or-string: true
required:
- backendRef
type: object
requestRedirect:
properties:
hostname:
description: |-
PreciseHostname is the fully qualified domain name of a network host. This
matches the RFC 1123 definition of a hostname with 1 notable exception that
numeric IP addresses are not allowed.
Note that as per RFC1035 and RFC1123, a *label* must consist of lower case
alphanumeric characters or '-', and must start and end with an alphanumeric
character. No other punctuation is allowed.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
description: |-
Path defines parameters used to modify the path of the incoming request.
The modified path is then used to construct the location header.
When empty, the request path is used as-is.
properties:
replaceFullPath:
type: string
replacePrefixMatch:
type: string
type:
enum:
- ReplaceFullPath
- ReplacePrefixMatch
type: string
required:
- type
type: object
port:
description: |-
Port is the port to be used in the value of the `Location`
header in the response.
When empty, port (if specified) of the request is used.
format: int32
maximum: 65535
minimum: 1
type: integer
scheme:
enum:
- http
- https
type: string
statusCode:
default: 302
description: StatusCode is the HTTP status
code to be used in response.
enum:
- 301
- 302
- 303
- 307
- 308
type: integer
type: object
responseHeaderModifier:
description: |-
Only one action is supported per header name.
Configuration to set or add multiple values for a header must use RFC 7230
header value formatting, separating each value with a comma.
properties:
add:
items:
properties:
name:
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
remove:
items:
type: string
maxItems: 16
type: array
set:
items:
properties:
name:
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
type:
enum:
- RequestHeaderModifier
- ResponseHeaderModifier
- RequestRedirect
- URLRewrite
- RequestMirror
type: string
urlRewrite:
properties:
hostToBackendHostname:
description: |-
HostToBackendHostname rewrites the hostname to the hostname of the
upstream host. This option is only available when targeting MeshGateways.
type: boolean
hostname:
description: Hostname is the value to be
used to replace the host header value
during forwarding.
maxLength: 253
minLength: 1
pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
type: string
path:
description: Path defines a path rewrite.
properties:
replaceFullPath:
type: string
replacePrefixMatch:
type: string
type:
enum:
- ReplaceFullPath
- ReplacePrefixMatch
type: string
required:
- type
type: object
type: object
required:
- type
type: object
type: array
type: object
matches:
description: |-
Matches describes how to match HTTP requests this rule should be applied
to.
items:
properties:
headers:
items:
description: |-
HeaderMatch describes how to select an HTTP route by matching HTTP request
headers.
properties:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name MUST be lower case
as they will be handled with case insensitivity (See https://tools.ietf.org/html/rfc7230#section-3.2).
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
type:
default: Exact
description: Type specifies how to match against
the value of the header.
enum:
- Exact
- Present
- RegularExpression
- Absent
- Prefix
type: string
value:
description: Value is the value of HTTP Header
to be matched.
type: string
required:
- name
type: object
type: array
method:
enum:
- CONNECT
- DELETE
- GET
- HEAD
- OPTIONS
- PATCH
- POST
- PUT
- TRACE
type: string
path:
properties:
type:
enum:
- Exact
- PathPrefix
- RegularExpression
type: string
value:
description: |-
Exact or prefix matches must be an absolute path. A prefix matches only
if separated by a slash or the entire path.
minLength: 1
type: string
required:
- type
- value
type: object
queryParams:
description: |-
QueryParams matches based on HTTP URL query parameters. Multiple matches
are ANDed together such that all listed matches must succeed.
items:
properties:
name:
minLength: 1
type: string
type:
enum:
- Exact
- RegularExpression
type: string
value:
type: string
required:
- name
- type
- value
type: object
type: array
type: object
minItems: 1
type: array
required:
- default
- matches
type: object
type: array
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
request destinations.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
type: object
type: array
type: object
type: object
served: true
storage: true
subresources: {}

@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshinsights.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshInsight
listKind: MeshInsightList
plural: meshinsights
singular: meshinsight
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshInsight resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true

@ -0,0 +1,572 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshloadbalancingstrategies.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshLoadBalancingStrategy
listKind: MeshLoadBalancingStrategyList
plural: meshloadbalancingstrategies
singular: meshloadbalancingstrategy
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshLoadBalancingStrategy
resource.
properties:
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined inplace.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
to:
description: To list makes a match between the consumed services and
corresponding configurations
items:
properties:
default:
description: |-
Default is a configuration specific to the group of destinations referenced in
'targetRef'
properties:
loadBalancer:
description: LoadBalancer allows to specify load balancing
algorithm.
properties:
leastRequest:
description: |-
LeastRequest selects N random available hosts as specified in 'choiceCount' (2 by default)
and picks the host which has the fewest active requests
properties:
activeRequestBias:
anyOf:
- type: integer
- type: string
description: |-
ActiveRequestBias refers to dynamic weights applied when hosts have varying load
balancing weights. A higher value here aggressively reduces the weight of endpoints
that are currently handling active requests. In essence, the higher the ActiveRequestBias
value, the more forcefully it reduces the load balancing weight of endpoints that are
actively serving requests.
x-kubernetes-int-or-string: true
choiceCount:
description: |-
ChoiceCount is the number of random healthy hosts from which the host with
the fewest active requests will be chosen. Defaults to 2 so that Envoy performs
two-choice selection if the field is not set.
format: int32
minimum: 2
type: integer
type: object
maglev:
description: |-
Maglev implements consistent hashing to upstream hosts. Maglev can be used as
a drop in replacement for the ring hash load balancer any place in which
consistent hashing is desired.
properties:
hashPolicies:
description: |-
HashPolicies specify a list of request/connection properties that are used to calculate a hash.
These hash policies are executed in the specified order. If a hash policy has the “terminal” attribute
set to true, and there is already a hash generated, the hash is returned immediately,
ignoring the rest of the hash policy list.
items:
properties:
connection:
properties:
sourceIP:
description: Hash on source IP address.
type: boolean
type: object
cookie:
properties:
name:
description: The name of the cookie that
will be used to obtain the hash key.
minLength: 1
type: string
path:
description: The name of the path for
the cookie.
type: string
ttl:
description: If specified, a cookie with
the TTL will be generated if the cookie
is not present.
type: string
required:
- name
type: object
filterState:
properties:
key:
description: |-
The name of the Object in the per-request filterState, which is
an Envoy::Hashable object. If there is no data associated with the key,
or the stored object is not Envoy::Hashable, no hash will be produced.
minLength: 1
type: string
required:
- key
type: object
header:
properties:
name:
description: The name of the request header
that will be used to obtain the hash
key.
minLength: 1
type: string
required:
- name
type: object
queryParameter:
properties:
name:
description: |-
The name of the URL query parameter that will be used to obtain the hash key.
If the parameter is not present, no hash will be produced. Query parameter names
are case-sensitive.
minLength: 1
type: string
required:
- name
type: object
terminal:
description: |-
Terminal is a flag that short-circuits the hash computing. This field provides
a fallback style of configuration: “if a terminal policy doesnt work, fallback
to rest of the policy list”, it saves time when the terminal policy works.
If true, and there is already a hash computed, ignore rest of the list of hash polices.
type: boolean
type:
enum:
- Header
- Cookie
- SourceIP
- QueryParameter
- FilterState
type: string
required:
- type
type: object
type: array
tableSize:
description: |-
The table size for Maglev hashing. Maglev aims for “minimal disruption”
rather than an absolute guarantee. Minimal disruption means that when
the set of upstream hosts change, a connection will likely be sent
to the same upstream as it was before. Increasing the table size reduces
the amount of disruption. The table size must be prime number limited to 5000011.
If it is not specified, the default is 65537.
format: int32
maximum: 5000011
minimum: 1
type: integer
type: object
random:
description: |-
Random selects a random available host. The random load balancer generally
performs better than round-robin if no health checking policy is configured.
Random selection avoids bias towards the host in the set that comes after a failed host.
type: object
ringHash:
description: |-
RingHash implements consistent hashing to upstream hosts. Each host is mapped
onto a circle (the “ring”) by hashing its address; each request is then routed
to a host by hashing some property of the request, and finding the nearest
corresponding host clockwise around the ring.
properties:
hashFunction:
description: |-
HashFunction is a function used to hash hosts onto the ketama ring.
The value defaults to XX_HASH. Available values XX_HASH, MURMUR_HASH_2.
enum:
- XXHash
- MurmurHash2
type: string
hashPolicies:
description: |-
HashPolicies specify a list of request/connection properties that are used to calculate a hash.
These hash policies are executed in the specified order. If a hash policy has the “terminal” attribute
set to true, and there is already a hash generated, the hash is returned immediately,
ignoring the rest of the hash policy list.
items:
properties:
connection:
properties:
sourceIP:
description: Hash on source IP address.
type: boolean
type: object
cookie:
properties:
name:
description: The name of the cookie that
will be used to obtain the hash key.
minLength: 1
type: string
path:
description: The name of the path for
the cookie.
type: string
ttl:
description: If specified, a cookie with
the TTL will be generated if the cookie
is not present.
type: string
required:
- name
type: object
filterState:
properties:
key:
description: |-
The name of the Object in the per-request filterState, which is
an Envoy::Hashable object. If there is no data associated with the key,
or the stored object is not Envoy::Hashable, no hash will be produced.
minLength: 1
type: string
required:
- key
type: object
header:
properties:
name:
description: The name of the request header
that will be used to obtain the hash
key.
minLength: 1
type: string
required:
- name
type: object
queryParameter:
properties:
name:
description: |-
The name of the URL query parameter that will be used to obtain the hash key.
If the parameter is not present, no hash will be produced. Query parameter names
are case-sensitive.
minLength: 1
type: string
required:
- name
type: object
terminal:
description: |-
Terminal is a flag that short-circuits the hash computing. This field provides
a fallback style of configuration: “if a terminal policy doesnt work, fallback
to rest of the policy list”, it saves time when the terminal policy works.
If true, and there is already a hash computed, ignore rest of the list of hash polices.
type: boolean
type:
enum:
- Header
- Cookie
- SourceIP
- QueryParameter
- FilterState
type: string
required:
- type
type: object
type: array
maxRingSize:
description: |-
Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries,
but can be lowered to further constrain resource use.
format: int32
maximum: 8000000
minimum: 1
type: integer
minRingSize:
description: |-
Minimum hash ring size. The larger the ring is (that is,
the more hashes there are for each provided host) the better the request distribution
will reflect the desired weights. Defaults to 1024 entries, and limited to 8M entries.
format: int32
maximum: 8000000
minimum: 1
type: integer
type: object
roundRobin:
description: |-
RoundRobin is a load balancing algorithm that distributes requests
across available upstream hosts in round-robin order.
type: object
type:
enum:
- RoundRobin
- LeastRequest
- RingHash
- Random
- Maglev
type: string
required:
- type
type: object
localityAwareness:
description: LocalityAwareness contains configuration for
locality aware load balancing.
properties:
crossZone:
description: |-
CrossZone defines locality aware load balancing priorities when dataplane proxies inside local zone
are unavailable
properties:
failover:
description: Failover defines list of load balancing
rules in order of priority
items:
properties:
from:
description: From defines the list of zones
to which the rule applies
properties:
zones:
items:
type: string
type: array
required:
- zones
type: object
to:
description: To defines to which zones the
traffic should be load balanced
properties:
type:
description: Type defines how target zones
will be picked from available zones
enum:
- None
- Only
- Any
- AnyExcept
type: string
zones:
items:
type: string
type: array
required:
- type
type: object
required:
- to
type: object
type: array
failoverThreshold:
description: |-
FailoverThreshold defines the percentage of live destination dataplane proxies below which load balancing to the
next priority starts.
Example: If you configure failoverThreshold to 70, and you have deployed 10 destination dataplane proxies.
Load balancing to next priority will start when number of live destination dataplane proxies drops below 7.
Default 50
properties:
percentage:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
required:
- percentage
type: object
type: object
disabled:
description: |-
Disabled allows to disable locality-aware load balancing.
When disabled requests are distributed across all endpoints regardless of locality.
type: boolean
localZone:
description: LocalZone defines locality aware load balancing
priorities between dataplane proxies inside a zone
properties:
affinityTags:
description: AffinityTags list of tags for local
zone load balancing.
items:
properties:
key:
description: Key defines tag for which affinity
is configured
type: string
weight:
description: |-
Weight of the tag used for load balancing. The bigger the weight the bigger the priority.
Percentage of local traffic load balanced to tag is computed by dividing weight by sum of weights from all tags.
For example with two affinity tags first with weight 80 and second with weight 20,
then 80% of traffic will be redirected to the first tag, and 20% of traffic will be redirected to second one.
Setting weights is not mandatory. When weights are not set control plane will compute default weight based on list order.
Default: If you do not specify weight we will adjust them so that 90% traffic goes to first tag, 9% to next, and 1% to third and so on.
format: int32
type: integer
required:
- key
type: object
type: array
type: object
type: object
type: object
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
destinations.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: array
required:
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}

@ -0,0 +1,293 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshmetrics.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshMetric
listKind: MeshMetricList
plural: meshmetrics
singular: meshmetric
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshMetric resource.
properties:
default:
description: MeshMetric configuration.
properties:
applications:
description: Applications is a list of application that Dataplane
Proxy will scrape
items:
properties:
address:
description: Address on which an application listens.
type: string
name:
description: Name of the application to scrape
type: string
path:
default: /metrics/prometheus
description: Path on which an application expose HTTP endpoint
with metrics.
type: string
port:
description: Port on which an application expose HTTP endpoint
with metrics.
format: int32
type: integer
required:
- port
type: object
type: array
backends:
description: Backends list that will be used to collect metrics.
items:
properties:
openTelemetry:
description: OpenTelemetry backend configuration
properties:
endpoint:
description: Endpoint for OpenTelemetry collector
type: string
refreshInterval:
description: RefreshInterval defines how frequent metrics
should be pushed to collector
type: string
required:
- endpoint
type: object
prometheus:
description: Prometheus backend configuration.
properties:
clientId:
description: ClientId of the Prometheus backend. Needed
when using MADS for DP discovery.
type: string
path:
default: /metrics
description: Path on which a dataplane should expose
HTTP endpoint with Prometheus metrics.
type: string
port:
default: 5670
description: Port on which a dataplane should expose
HTTP endpoint with Prometheus metrics.
format: int32
type: integer
tls:
description: Configuration of TLS for prometheus listener.
properties:
mode:
default: Disabled
description: Configuration of TLS for Prometheus
listener.
enum:
- Disabled
- ProvidedTLS
- ActiveMTLSBackend
type: string
required:
- mode
type: object
required:
- path
- port
type: object
type:
description: Type of the backend that will be used to collect
metrics. At the moment only Prometheus backend is available.
enum:
- Prometheus
- OpenTelemetry
type: string
required:
- type
type: object
type: array
sidecar:
description: Sidecar metrics collection configuration
properties:
includeUnused:
default: false
description: |-
IncludeUnused if false will scrape only metrics that has been by sidecar (counters incremented
at least once, gauges changed at least once, and histograms added to at
least once). If true will scrape all metrics (even the ones with zeros).
type: boolean
profiles:
description: Profiles allows to customize which metrics are
published.
properties:
appendProfiles:
description: AppendProfiles allows to combine the metrics
from multiple predefined profiles.
items:
properties:
name:
description: 'Name of the predefined profile, one
of: all, basic, none'
enum:
- All
- Basic
- None
type: string
required:
- name
type: object
type: array
exclude:
description: |-
Exclude makes it possible to exclude groups of metrics from a resulting profile.
Exclude is subordinate to Include.
items:
properties:
match:
description: Match is the value used to match using
particular Type
type: string
type:
description: 'Type defined the type of selector,
one of: prefix, regex, exact'
enum:
- Prefix
- Regex
- Exact
- Contains
type: string
required:
- match
- type
type: object
type: array
include:
description: |-
Include makes it possible to include additional metrics in a selected profiles.
Include takes precedence over Exclude.
items:
properties:
match:
description: Match is the value used to match using
particular Type
type: string
type:
description: 'Type defined the type of selector,
one of: prefix, regex, exact'
enum:
- Prefix
- Regex
- Exact
- Contains
type: string
required:
- match
- type
type: object
type: array
type: object
type: object
type: object
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined in-place.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}


@ -0,0 +1,167 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshpassthroughs.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshPassthrough
listKind: MeshPassthroughList
plural: meshpassthroughs
singular: meshpassthrough
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshPassthrough resource.
properties:
default:
description: MeshPassthrough configuration.
properties:
appendMatch:
description: AppendMatch is a list of destinations that should
be allowed through the sidecar.
items:
properties:
port:
description: Port defines the port to which a user makes
a request.
type: integer
protocol:
default: tcp
description: 'Protocol defines the communication protocol.
Possible values: `tcp`, `tls`, `grpc`, `http`, `http2`.'
enum:
- tcp
- tls
- grpc
- http
- http2
type: string
type:
description: Type of the match, one of `Domain`, `IP` or
`CIDR` is available.
enum:
- Domain
- IP
- CIDR
type: string
value:
description: Value for the specified Type.
type: string
required:
- port
type: object
type: array
passthroughMode:
default: None
description: |-
Defines the passthrough behavior. Possible values: `All`, `None`, `Matched`
When `All` or `None` `appendMatch` has no effect.
enum:
- All
- Matched
- None
type: string
type: object
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined in-place.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}


@ -0,0 +1,560 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshproxypatches.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshProxyPatch
listKind: MeshProxyPatchList
plural: meshproxypatches
singular: meshproxypatch
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshProxyPatch resource.
properties:
default:
description: |-
Default is a configuration specific to the group of destinations
referenced in 'targetRef'.
properties:
appendModifications:
description: AppendModifications is a list of modifications applied
on the selected proxy.
items:
properties:
cluster:
description: Cluster is a modification of Envoy's Cluster
resource.
properties:
jsonPatches:
description: |-
JsonPatches specifies list of jsonpatches to apply to on Envoy's Cluster
resource
items:
description: JsonPatchBlock is one json patch operation
block.
properties:
from:
description: From is a jsonpatch from string,
used by move and copy operations.
type: string
op:
description: Op is a jsonpatch operation string.
enum:
- add
- remove
- replace
- move
- copy
type: string
path:
description: Path is a jsonpatch path string.
type: string
value:
description: Value must be a valid json value
used by replace and add operations.
x-kubernetes-preserve-unknown-fields: true
required:
- op
- path
type: object
type: array
match:
description: Match is a set of conditions that have
to be matched for modification operation to happen.
properties:
name:
description: Name of the cluster to match.
type: string
origin:
description: |-
Origin is the name of the component or plugin that generated the resource.
Here is the list of well-known origins:
inbound - resources generated for handling incoming traffic.
outbound - resources generated for handling outgoing traffic.
transparent - resources generated for transparent proxy functionality.
prometheus - resources generated when Prometheus metrics are enabled.
direct-access - resources generated for Direct Access functionality.
ingress - resources generated for Zone Ingress.
egress - resources generated for Zone Egress.
gateway - resources generated for MeshGateway.
The list is not complete, because policy plugins can introduce new resources.
For example MeshTrace plugin can create Cluster with "mesh-trace" origin.
type: string
type: object
operation:
description: Operation to execute on matched cluster.
enum:
- Add
- Remove
- Patch
type: string
value:
description: Value of xDS resource in YAML format to
add or patch.
type: string
required:
- operation
type: object
httpFilter:
description: |-
HTTPFilter is a modification of Envoy HTTP Filter
available in HTTP Connection Manager in a Listener resource.
properties:
jsonPatches:
description: |-
JsonPatches specifies list of jsonpatches to apply to on Envoy's
HTTP Filter available in HTTP Connection Manager in a Listener resource.
items:
description: JsonPatchBlock is one json patch operation
block.
properties:
from:
description: From is a jsonpatch from string,
used by move and copy operations.
type: string
op:
description: Op is a jsonpatch operation string.
enum:
- add
- remove
- replace
- move
- copy
type: string
path:
description: Path is a jsonpatch path string.
type: string
value:
description: Value must be a valid json value
used by replace and add operations.
x-kubernetes-preserve-unknown-fields: true
required:
- op
- path
type: object
type: array
match:
description: Match is a set of conditions that have
to be matched for modification operation to happen.
properties:
listenerName:
description: Name of the listener to match.
type: string
listenerTags:
additionalProperties:
type: string
description: Listener tags available in Listener#Metadata#FilterMetadata[io.kuma.tags]
type: object
name:
description: Name of the HTTP filter. For example
"envoy.filters.http.local_ratelimit"
type: string
origin:
description: |-
Origin is the name of the component or plugin that generated the resource.
Here is the list of well-known origins:
inbound - resources generated for handling incoming traffic.
outbound - resources generated for handling outgoing traffic.
transparent - resources generated for transparent proxy functionality.
prometheus - resources generated when Prometheus metrics are enabled.
direct-access - resources generated for Direct Access functionality.
ingress - resources generated for Zone Ingress.
egress - resources generated for Zone Egress.
gateway - resources generated for MeshGateway.
The list is not complete, because policy plugins can introduce new resources.
For example MeshTrace plugin can create Cluster with "mesh-trace" origin.
type: string
type: object
operation:
description: Operation to execute on matched listener.
enum:
- Remove
- Patch
- AddFirst
- AddBefore
- AddAfter
- AddLast
type: string
value:
description: Value of xDS resource in YAML format to
add or patch.
type: string
required:
- operation
type: object
listener:
description: Listener is a modification of Envoy's Listener
resource.
properties:
jsonPatches:
description: |-
JsonPatches specifies list of jsonpatches to apply to on Envoy's Listener
resource
items:
description: JsonPatchBlock is one json patch operation
block.
properties:
from:
description: From is a jsonpatch from string,
used by move and copy operations.
type: string
op:
description: Op is a jsonpatch operation string.
enum:
- add
- remove
- replace
- move
- copy
type: string
path:
description: Path is a jsonpatch path string.
type: string
value:
description: Value must be a valid json value
used by replace and add operations.
x-kubernetes-preserve-unknown-fields: true
required:
- op
- path
type: object
type: array
match:
description: Match is a set of conditions that have
to be matched for modification operation to happen.
properties:
name:
description: Name of the listener to match.
type: string
origin:
description: |-
Origin is the name of the component or plugin that generated the resource.
Here is the list of well-known origins:
inbound - resources generated for handling incoming traffic.
outbound - resources generated for handling outgoing traffic.
transparent - resources generated for transparent proxy functionality.
prometheus - resources generated when Prometheus metrics are enabled.
direct-access - resources generated for Direct Access functionality.
ingress - resources generated for Zone Ingress.
egress - resources generated for Zone Egress.
gateway - resources generated for MeshGateway.
The list is not complete, because policy plugins can introduce new resources.
For example MeshTrace plugin can create Cluster with "mesh-trace" origin.
type: string
tags:
additionalProperties:
type: string
description: Tags available in Listener#Metadata#FilterMetadata[io.kuma.tags]
type: object
type: object
operation:
description: Operation to execute on matched listener.
enum:
- Add
- Remove
- Patch
type: string
value:
description: Value of xDS resource in YAML format to
add or patch.
type: string
required:
- operation
type: object
networkFilter:
description: NetworkFilter is a modification of Envoy Listener's
filter.
properties:
jsonPatches:
description: |-
JsonPatches specifies list of jsonpatches to apply to on Envoy Listener's
filter.
items:
description: JsonPatchBlock is one json patch operation
block.
properties:
from:
description: From is a jsonpatch from string,
used by move and copy operations.
type: string
op:
description: Op is a jsonpatch operation string.
enum:
- add
- remove
- replace
- move
- copy
type: string
path:
description: Path is a jsonpatch path string.
type: string
value:
description: Value must be a valid json value
used by replace and add operations.
x-kubernetes-preserve-unknown-fields: true
required:
- op
- path
type: object
type: array
match:
description: Match is a set of conditions that have
to be matched for modification operation to happen.
properties:
listenerName:
description: Name of the listener to match.
type: string
listenerTags:
additionalProperties:
type: string
description: Listener tags available in Listener#Metadata#FilterMetadata[io.kuma.tags]
type: object
name:
description: Name of the network filter. For example
"envoy.filters.network.ratelimit"
type: string
origin:
description: |-
Origin is the name of the component or plugin that generated the resource.
Here is the list of well-known origins:
inbound - resources generated for handling incoming traffic.
outbound - resources generated for handling outgoing traffic.
transparent - resources generated for transparent proxy functionality.
prometheus - resources generated when Prometheus metrics are enabled.
direct-access - resources generated for Direct Access functionality.
ingress - resources generated for Zone Ingress.
egress - resources generated for Zone Egress.
gateway - resources generated for MeshGateway.
The list is not complete, because policy plugins can introduce new resources.
For example MeshTrace plugin can create Cluster with "mesh-trace" origin.
type: string
type: object
operation:
description: Operation to execute on matched listener.
enum:
- Remove
- Patch
- AddFirst
- AddBefore
- AddAfter
- AddLast
type: string
value:
description: Value of xDS resource in YAML format to
add or patch.
type: string
required:
- operation
type: object
virtualHost:
description: |-
VirtualHost is a modification of Envoy's VirtualHost
referenced in HTTP Connection Manager in a Listener resource.
properties:
jsonPatches:
description: |-
JsonPatches specifies list of jsonpatches to apply to on Envoy's
VirtualHost resource
items:
description: JsonPatchBlock is one json patch operation
block.
properties:
from:
description: From is a jsonpatch from string,
used by move and copy operations.
type: string
op:
description: Op is a jsonpatch operation string.
enum:
- add
- remove
- replace
- move
- copy
type: string
path:
description: Path is a jsonpatch path string.
type: string
value:
description: Value must be a valid json value
used by replace and add operations.
x-kubernetes-preserve-unknown-fields: true
required:
- op
- path
type: object
type: array
match:
description: Match is a set of conditions that have
to be matched for modification operation to happen.
properties:
name:
description: Name of the VirtualHost to match.
type: string
origin:
description: |-
Origin is the name of the component or plugin that generated the resource.
Here is the list of well-known origins:
inbound - resources generated for handling incoming traffic.
outbound - resources generated for handling outgoing traffic.
transparent - resources generated for transparent proxy functionality.
prometheus - resources generated when Prometheus metrics are enabled.
direct-access - resources generated for Direct Access functionality.
ingress - resources generated for Zone Ingress.
egress - resources generated for Zone Egress.
gateway - resources generated for MeshGateway.
The list is not complete, because policy plugins can introduce new resources.
For example MeshTrace plugin can create Cluster with "mesh-trace" origin.
type: string
routeConfigurationName:
description: Name of the RouteConfiguration resource
to match.
type: string
type: object
operation:
description: Operation to execute on matched listener.
enum:
- Add
- Remove
- Patch
type: string
value:
description: Value of xDS resource in YAML format to
add or patch.
type: string
required:
- match
- operation
type: object
type: object
type: array
required:
- appendModifications
type: object
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined inplace.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- default
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}


@ -0,0 +1,498 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshratelimits.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshRateLimit
listKind: MeshRateLimitList
plural: meshratelimits
singular: meshratelimit
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshRateLimit resource.
properties:
from:
description: From list makes a match between clients and corresponding
configurations
items:
properties:
default:
description: |-
Default is a configuration specific to the group of clients referenced in
'targetRef'
properties:
local:
description: LocalConf defines local http or/and tcp rate
limit configuration
properties:
http:
description: |-
LocalHTTP defines configuration of local HTTP rate limiting
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter
properties:
disabled:
description: Define if rate limiting should be disabled.
type: boolean
onRateLimit:
description: Describes the actions to take on a
rate limit event
properties:
headers:
description: The Headers to be added to the
HTTP response on a rate limit event
properties:
add:
items:
properties:
name:
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
set:
items:
properties:
name:
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
status:
description: The HTTP status code to be set
on a rate limit event
format: int32
type: integer
type: object
requestRate:
description: Defines how many requests are allowed
per interval.
properties:
interval:
description: The interval the number of units
is accounted for.
type: string
num:
description: |-
Number of units per interval (depending on usage it can be a number of requests,
or a number of connections).
format: int32
type: integer
required:
- interval
- num
type: object
type: object
tcp:
description: |-
LocalTCP defines confguration of local TCP rate limiting
https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter
properties:
connectionRate:
description: Defines how many connections are allowed
per interval.
properties:
interval:
description: The interval the number of units
is accounted for.
type: string
num:
description: |-
Number of units per interval (depending on usage it can be a number of requests,
or a number of connections).
format: int32
type: integer
required:
- interval
- num
type: object
disabled:
description: |-
Define if rate limiting should be disabled.
Default: false
type: boolean
type: object
type: object
type: object
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
clients.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: array
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined inplace.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
to:
description: To list makes a match between clients and corresponding
configurations
items:
properties:
default:
description: |-
Default is a configuration specific to the group of clients referenced in
'targetRef'
properties:
local:
description: LocalConf defines local http or/and tcp rate
limit configuration
properties:
http:
description: |-
LocalHTTP defines configuration of local HTTP rate limiting
https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/local_rate_limit_filter
properties:
disabled:
description: Define if rate limiting should be disabled.
type: boolean
onRateLimit:
description: Describes the actions to take on a
rate limit event
properties:
headers:
description: The Headers to be added to the
HTTP response on a rate limit event
properties:
add:
items:
properties:
name:
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
set:
items:
properties:
name:
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
value:
type: string
required:
- name
- value
type: object
maxItems: 16
type: array
x-kubernetes-list-map-keys:
- name
x-kubernetes-list-type: map
type: object
status:
description: The HTTP status code to be set
on a rate limit event
format: int32
type: integer
type: object
requestRate:
description: Defines how many requests are allowed
per interval.
properties:
interval:
description: The interval the number of units
is accounted for.
type: string
num:
description: |-
Number of units per interval (depending on usage it can be a number of requests,
or a number of connections).
format: int32
type: integer
required:
- interval
- num
type: object
type: object
tcp:
description: |-
LocalTCP defines confguration of local TCP rate limiting
https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/network_filters/local_rate_limit_filter
properties:
connectionRate:
description: Defines how many connections are allowed
per interval.
properties:
interval:
description: The interval the number of units
is accounted for.
type: string
num:
description: |-
Number of units per interval (depending on usage it can be a number of requests,
or a number of connections).
format: int32
type: integer
required:
- interval
- num
type: object
disabled:
description: |-
Define if rate limiting should be disabled.
Default: false
type: boolean
type: object
type: object
type: object
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
clients.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: array
required:
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}


@ -0,0 +1,507 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshretries.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshRetry
listKind: MeshRetryList
plural: meshretries
singular: meshretry
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshRetry resource.
properties:
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined inplace.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
to:
description: To list makes a match between the consumed services and
corresponding configurations
items:
properties:
default:
description: |-
Default is a configuration specific to the group of destinations referenced in
'targetRef'
properties:
grpc:
description: GRPC defines a configuration of retries for
GRPC traffic
properties:
backOff:
description: |-
BackOff is a configuration of durations which will be used in an exponential
backoff strategy between retries.
properties:
baseInterval:
default: 25ms
description: |-
BaseInterval is an amount of time which should be taken between retries.
Must be greater than zero. Values less than 1 ms are rounded up to 1 ms.
type: string
maxInterval:
description: |-
MaxInterval is a maximal amount of time which will be taken between retries.
Default is 10 times the "BaseInterval".
type: string
type: object
numRetries:
description: |-
NumRetries is the number of attempts that will be made on failed (and
retriable) requests. If not set, the default value is 1.
format: int32
type: integer
perTryTimeout:
description: |-
PerTryTimeout is the maximum amount of time each retry attempt can take
before it times out. If not set, the global request timeout for the route
will be used. Setting this value to 0 will disable the per-try timeout.
type: string
rateLimitedBackOff:
description: |-
RateLimitedBackOff is a configuration of backoff which will be used when
the upstream returns one of the headers configured.
properties:
maxInterval:
default: 300s
description: MaxInterval is a maximal amount of
time which will be taken between retries.
type: string
resetHeaders:
description: |-
ResetHeaders specifies the list of headers (like Retry-After or X-RateLimit-Reset)
to match against the response. Headers are tried in order, and matched
case-insensitive. The first header to be parsed successfully is used.
If no headers match the default exponential BackOff is used instead.
items:
properties:
format:
description: The format of the reset header.
enum:
- Seconds
- UnixTimestamp
type: string
name:
description: The Name of the reset header.
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
required:
- format
- name
type: object
type: array
type: object
retryOn:
description: RetryOn is a list of conditions which will
cause a retry.
example:
- Canceled
- DeadlineExceeded
- Internal
- ResourceExhausted
- Unavailable
items:
enum:
- Canceled
- DeadlineExceeded
- Internal
- ResourceExhausted
- Unavailable
type: string
type: array
type: object
http:
description: HTTP defines a configuration of retries for
HTTP traffic
properties:
backOff:
description: |-
BackOff is a configuration of durations which will be used in exponential
backoff strategy between retries.
properties:
baseInterval:
default: 25ms
description: |-
BaseInterval is an amount of time which should be taken between retries.
Must be greater than zero. Values less than 1 ms are rounded up to 1 ms.
type: string
maxInterval:
description: |-
MaxInterval is a maximal amount of time which will be taken between retries.
Default is 10 times the "BaseInterval".
type: string
type: object
hostSelection:
description: |-
HostSelection is a list of predicates that dictate how hosts should be selected
when requests are retried.
items:
properties:
predicate:
description: Type is requested predicate mode.
enum:
- OmitPreviousHosts
- OmitHostsWithTags
- OmitPreviousPriorities
type: string
tags:
additionalProperties:
type: string
description: |-
Tags is a map of metadata to match against for selecting the omitted hosts. Required if Type is
OmitHostsWithTags
type: object
updateFrequency:
default: 2
description: |-
UpdateFrequency is how often the priority load should be updated based on previously attempted priorities.
Used for OmitPreviousPriorities.
format: int32
type: integer
required:
- predicate
type: object
type: array
hostSelectionMaxAttempts:
description: |-
HostSelectionMaxAttempts is the maximum number of times host selection will be
reattempted before giving up, at which point the host that was last selected will
be routed to. If unspecified, this will default to retrying once.
format: int64
type: integer
numRetries:
description: |-
NumRetries is the number of attempts that will be made on failed (and
retriable) requests. If not set, the default value is 1.
format: int32
type: integer
perTryTimeout:
description: |-
PerTryTimeout is the amount of time after which retry attempt should time out.
If left unspecified, the global route timeout for the request will be used.
Consequently, when using a 5xx based retry policy, a request that times out
will not be retried as the total timeout budget would have been exhausted.
Setting this timeout to 0 will disable it.
type: string
rateLimitedBackOff:
description: |-
RateLimitedBackOff is a configuration of backoff which will be used
when the upstream returns one of the headers configured.
properties:
maxInterval:
default: 300s
description: MaxInterval is a maximal amount of
time which will be taken between retries.
type: string
resetHeaders:
description: |-
ResetHeaders specifies the list of headers (like Retry-After or X-RateLimit-Reset)
to match against the response. Headers are tried in order, and matched
case-insensitive. The first header to be parsed successfully is used.
If no headers match the default exponential BackOff is used instead.
items:
properties:
format:
description: The format of the reset header.
enum:
- Seconds
- UnixTimestamp
type: string
name:
description: The Name of the reset header.
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
required:
- format
- name
type: object
type: array
type: object
retriableRequestHeaders:
description: |-
RetriableRequestHeaders is an HTTP headers which must be present in the request
for retries to be attempted.
items:
description: |-
HeaderMatch describes how to select an HTTP route by matching HTTP request
headers.
properties:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name MUST be lower case
as they will be handled with case insensitivity (See https://tools.ietf.org/html/rfc7230#section-3.2).
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
type:
default: Exact
description: Type specifies how to match against
the value of the header.
enum:
- Exact
- Present
- RegularExpression
- Absent
- Prefix
type: string
value:
description: Value is the value of HTTP Header
to be matched.
type: string
required:
- name
type: object
type: array
retriableResponseHeaders:
description: |-
RetriableResponseHeaders is an HTTP response headers that trigger a retry
if present in the response. A retry will be triggered if any of the header
matches the upstream response headers.
items:
description: |-
HeaderMatch describes how to select an HTTP route by matching HTTP request
headers.
properties:
name:
description: |-
Name is the name of the HTTP Header to be matched. Name MUST be lower case
as they will be handled with case insensitivity (See https://tools.ietf.org/html/rfc7230#section-3.2).
maxLength: 256
minLength: 1
pattern: ^[a-z0-9!#$%&'*+\-.^_\x60|~]+$
type: string
type:
default: Exact
description: Type specifies how to match against
the value of the header.
enum:
- Exact
- Present
- RegularExpression
- Absent
- Prefix
type: string
value:
description: Value is the value of HTTP Header
to be matched.
type: string
required:
- name
type: object
type: array
retryOn:
description: |-
RetryOn is a list of conditions which will cause a retry. Available values are:
[5XX, GatewayError, Reset, Retriable4xx, ConnectFailure, EnvoyRatelimited,
RefusedStream, Http3PostConnectFailure, HttpMethodConnect, HttpMethodDelete,
HttpMethodGet, HttpMethodHead, HttpMethodOptions, HttpMethodPatch,
HttpMethodPost, HttpMethodPut, HttpMethodTrace].
Also, any HTTP status code (500, 503, etc.).
example:
- 5XX
- GatewayError
- Reset
- Retriable4xx
- ConnectFailure
- EnvoyRatelimited
- RefusedStream
- Http3PostConnectFailure
- HttpMethodConnect
- HttpMethodDelete
- HttpMethodGet
- HttpMethodHead
- HttpMethodOptions
- HttpMethodPatch
- HttpMethodPost
- HttpMethodPut
- HttpMethodTrace
- "500"
- "503"
items:
type: string
type: array
type: object
tcp:
description: TCP defines a configuration of retries for
TCP traffic
properties:
maxConnectAttempt:
description: |-
MaxConnectAttempt is a maximal amount of TCP connection attempts
which will be made before giving up
format: int32
type: integer
type: object
type: object
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
destinations.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: array
required:
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}


@ -0,0 +1,195 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshservices.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshService
listKind: MeshServiceList
plural: meshservices
singular: meshservice
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshService resource.
properties:
identities:
items:
properties:
type:
enum:
- ServiceTag
type: string
value:
type: string
required:
- type
- value
type: object
type: array
ports:
items:
properties:
appProtocol:
default: tcp
description: Protocol identifies a protocol supported by a service.
type: string
name:
type: string
port:
format: int32
type: integer
targetPort:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
required:
- port
type: object
type: array
x-kubernetes-list-map-keys:
- port
- appProtocol
x-kubernetes-list-type: map
selector:
properties:
dataplaneRef:
properties:
name:
type: string
type: object
dataplaneTags:
additionalProperties:
type: string
type: object
type: object
type: object
status:
description: Status is the current status of the Kuma MeshService resource.
properties:
addresses:
items:
properties:
hostname:
type: string
hostnameGeneratorRef:
properties:
coreName:
type: string
required:
- coreName
type: object
origin:
type: string
type: object
type: array
hostnameGenerators:
items:
properties:
conditions:
description: Conditions is an array of hostname generator conditions.
items:
properties:
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False,
Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
hostnameGeneratorRef:
properties:
coreName:
type: string
required:
- coreName
type: object
required:
- hostnameGeneratorRef
type: object
type: array
tls:
properties:
status:
enum:
- Ready
- NotReady
type: string
type: object
vips:
items:
properties:
ip:
type: string
type: object
type: array
type: object
type: object
served: true
storage: true

View File

@ -0,0 +1,281 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshtcproutes.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshTCPRoute
listKind: MeshTCPRouteList
plural: meshtcproutes
singular: meshtcproute
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshTCPRoute resource.
properties:
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined in-place.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
to:
description: |-
To list makes a match between the consumed services and corresponding
configurations
items:
properties:
rules:
description: |-
Rules contains the routing rules applies to a combination of top-level
targetRef and the targetRef in this entry.
items:
properties:
default:
description: |-
Default holds routing rules that can be merged with rules from other
policies.
properties:
backendRefs:
items:
description: BackendRef defines where to forward
traffic.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use
to identify cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
port:
description: Port is only supported when this
ref refers to a real MeshService object
format: int32
type: integer
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
weight:
default: 1
minimum: 0
type: integer
type: object
minItems: 1
type: array
required:
- backendRefs
type: object
required:
- default
type: object
maxItems: 1
type: array
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
destinations.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
minItems: 1
type: array
required:
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}


@ -0,0 +1,362 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshtimeouts.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshTimeout
listKind: MeshTimeoutList
plural: meshtimeouts
singular: meshtimeout
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshTimeout resource.
properties:
from:
description: From list makes a match between clients and corresponding
configurations
items:
properties:
default:
description: |-
Default is a configuration specific to the group of clients referenced in
'targetRef'
properties:
connectionTimeout:
description: |-
ConnectionTimeout specifies the amount of time proxy will wait for an TCP connection to be established.
Default value is 5 seconds. Cannot be set to 0.
type: string
http:
description: Http provides configuration for HTTP specific
timeouts
properties:
maxConnectionDuration:
description: |-
MaxConnectionDuration is the time after which a connection will be drained and/or closed,
starting from when it was first established. Setting this timeout to 0 will disable it.
Disabled by default.
type: string
maxStreamDuration:
description: |-
MaxStreamDuration is the maximum time that a streams lifetime will span.
Setting this timeout to 0 will disable it. Disabled by default.
type: string
requestHeadersTimeout:
description: |-
RequestHeadersTimeout The amount of time that proxy will wait for the request headers to be received. The timer is
activated when the first byte of the headers is received, and is disarmed when the last byte of
the headers has been received. If not specified or set to 0, this timeout is disabled.
Disabled by default.
type: string
requestTimeout:
description: |-
RequestTimeout The amount of time that proxy will wait for the entire request to be received.
The timer is activated when the request is initiated, and is disarmed when the last byte of the request is sent,
OR when the response is initiated. Setting this timeout to 0 will disable it.
Default is 15s.
type: string
streamIdleTimeout:
description: |-
StreamIdleTimeout is the amount of time that proxy will allow a stream to exist with no activity.
Setting this timeout to 0 will disable it. Default is 30m
type: string
type: object
idleTimeout:
description: |-
IdleTimeout is defined as the period in which there are no bytes sent or received on connection
Setting this timeout to 0 will disable it. Be cautious when disabling it because
it can lead to connection leaking. Default value is 1h.
type: string
type: object
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
clients.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: array
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined inplace.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
to:
description: To list makes a match between the consumed services and
corresponding configurations
items:
properties:
default:
description: |-
Default is a configuration specific to the group of destinations referenced in
'targetRef'
properties:
connectionTimeout:
description: |-
ConnectionTimeout specifies the amount of time proxy will wait for an TCP connection to be established.
Default value is 5 seconds. Cannot be set to 0.
type: string
http:
description: Http provides configuration for HTTP specific
timeouts
properties:
maxConnectionDuration:
description: |-
MaxConnectionDuration is the time after which a connection will be drained and/or closed,
starting from when it was first established. Setting this timeout to 0 will disable it.
Disabled by default.
type: string
maxStreamDuration:
description: |-
MaxStreamDuration is the maximum time that a streams lifetime will span.
Setting this timeout to 0 will disable it. Disabled by default.
type: string
requestHeadersTimeout:
description: |-
RequestHeadersTimeout The amount of time that proxy will wait for the request headers to be received. The timer is
activated when the first byte of the headers is received, and is disarmed when the last byte of
the headers has been received. If not specified or set to 0, this timeout is disabled.
Disabled by default.
type: string
requestTimeout:
description: |-
RequestTimeout The amount of time that proxy will wait for the entire request to be received.
The timer is activated when the request is initiated, and is disarmed when the last byte of the request is sent,
OR when the response is initiated. Setting this timeout to 0 will disable it.
Default is 15s.
type: string
streamIdleTimeout:
description: |-
StreamIdleTimeout is the amount of time that proxy will allow a stream to exist with no activity.
Setting this timeout to 0 will disable it. Default is 30m
type: string
type: object
idleTimeout:
description: |-
IdleTimeout is defined as the period in which there are no bytes sent or received on connection
Setting this timeout to 0 will disable it. Be cautious when disabling it because
it can lead to connection leaking. Default value is 1h.
type: string
type: object
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
destinations.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: array
required:
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}


@ -0,0 +1,284 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshtraces.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshTrace
listKind: MeshTraceList
plural: meshtraces
singular: meshtrace
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshTrace resource.
properties:
default:
description: MeshTrace configuration.
properties:
backends:
description: |-
A one element array of backend definition.
Envoy allows configuring only 1 backend, so the natural way of
representing that would be just one object. Unfortunately due to the
reasons explained in MADR 009-tracing-policy this has to be a one element
array for now.
items:
description: Only one of zipkin, datadog or openTelemetry can
be used.
properties:
datadog:
description: Datadog backend configuration.
properties:
splitService:
default: false
description: |-
Determines if datadog service name should be split based on traffic
direction and destination. For example, with `splitService: true` and a
`backend` service that communicates with a couple of databases, you would
get service names like `backend_INBOUND`, `backend_OUTBOUND_db1`, and
`backend_OUTBOUND_db2` in Datadog.
type: boolean
url:
description: |-
Address of Datadog collector, only host and port are allowed (no paths,
fragments etc.)
type: string
required:
- url
type: object
openTelemetry:
description: OpenTelemetry backend configuration.
properties:
endpoint:
description: Address of OpenTelemetry collector.
example: otel-collector:4317
minLength: 1
type: string
required:
- endpoint
type: object
type:
enum:
- Zipkin
- Datadog
- OpenTelemetry
type: string
zipkin:
description: Zipkin backend configuration.
properties:
apiVersion:
default: httpJson
description: |-
Version of the API.
https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/trace/v3/zipkin.proto#L66
enum:
- httpJson
- httpProto
type: string
sharedSpanContext:
default: true
description: |-
Determines whether client and server spans will share the same span
context.
https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/trace/v3/zipkin.proto#L63
type: boolean
traceId128bit:
default: false
description: Generate 128bit traces.
type: boolean
url:
description: Address of Zipkin collector.
type: string
required:
- url
type: object
required:
- type
type: object
maxItems: 1
type: array
sampling:
description: |-
Sampling configuration.
Sampling is the process by which a decision is made on whether to
process/export a span or not.
properties:
client:
anyOf:
- type: integer
- type: string
default: 100
description: |-
Target percentage of requests that will be force traced if the
'x-client-trace-id' header is set. Mirror of client_sampling in Envoy
https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L127-L133
Either int or decimal represented as string.
x-kubernetes-int-or-string: true
overall:
anyOf:
- type: integer
- type: string
default: 100
description: |-
Target percentage of requests will be traced
after all other sampling checks have been applied (client, force tracing,
random sampling). This field functions as an upper limit on the total
configured sampling rate. For instance, setting client to 100
but overall to 1 will result in only 1% of client requests with
the appropriate headers to be force traced. Mirror of
overall_sampling in Envoy
https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L142-L150
Either int or decimal represented as string.
x-kubernetes-int-or-string: true
random:
anyOf:
- type: integer
- type: string
default: 100
description: |-
Target percentage of requests that will be randomly selected for trace
generation, if not requested by the client or not forced.
Mirror of random_sampling in Envoy
https://github.com/envoyproxy/envoy/blob/v1.22.0/api/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto#L135-L140
Either int or decimal represented as string.
x-kubernetes-int-or-string: true
type: object
tags:
description: |-
Custom tags configuration. You can add custom tags to traces based on
headers or literal values.
items:
description: |-
Custom tags configuration.
Only one of literal or header can be used.
properties:
header:
description: Tag taken from a header.
properties:
default:
description: |-
Default value to use if header is missing.
If the default is missing and there is no value the tag will not be
included.
type: string
name:
description: Name of the header.
type: string
required:
- name
type: object
literal:
description: Tag taken from literal value.
type: string
name:
description: Name of the tag.
type: string
required:
- name
type: object
type: array
type: object
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined inplace.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}


@ -0,0 +1,203 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: meshtrafficpermissions.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: MeshTrafficPermission
listKind: MeshTrafficPermissionList
plural: meshtrafficpermissions
singular: meshtrafficpermission
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .spec.targetRef.kind
name: TargetRef Kind
type: string
- jsonPath: .spec.targetRef.name
name: TargetRef Name
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma MeshTrafficPermission
resource.
properties:
from:
description: From list makes a match between clients and corresponding
configurations
items:
properties:
default:
description: |-
Default is a configuration specific to the group of clients referenced in
'targetRef'
properties:
action:
description: 'Action defines a behavior for the specified
group of clients:'
enum:
- Allow
- Deny
- AllowWithShadowDeny
type: string
type: object
targetRef:
description: |-
TargetRef is a reference to the resource that represents a group of
clients.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify
cross mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: array
targetRef:
description: |-
TargetRef is a reference to the resource the policy takes an effect on.
The resource could be either a real store object or virtual resource
defined inplace.
properties:
kind:
description: Kind of the referenced resource
enum:
- Mesh
- MeshSubset
- MeshGateway
- MeshService
- MeshExternalService
- MeshServiceSubset
- MeshHTTPRoute
type: string
labels:
additionalProperties:
type: string
description: |-
Labels are used to select group of MeshServices that match labels. Either Labels or
Name and Namespace can be used.
type: object
mesh:
description: Mesh is reserved for future use to identify cross
mesh resources.
type: string
name:
description: |-
Name of the referenced resource. Can only be used with kinds: `MeshService`,
`MeshServiceSubset` and `MeshGatewayRoute`
type: string
namespace:
description: |-
Namespace specifies the namespace of target resource. If empty only resources in policy namespace
will be targeted.
type: string
proxyTypes:
description: |-
ProxyTypes specifies the data plane types that are subject to the policy. When not specified,
all data plane types are targeted by the policy.
items:
enum:
- Sidecar
- Gateway
type: string
minItems: 1
type: array
sectionName:
description: |-
SectionName is used to target specific section of resource.
For example, you can target port from MeshService.ports[] by its name. Only traffic to this port will be affected.
type: string
tags:
additionalProperties:
type: string
description: |-
Tags used to select a subset of proxies by tags. Can only be used with kinds
`MeshSubset` and `MeshServiceSubset`
type: object
type: object
required:
- targetRef
type: object
type: object
served: true
storage: true
subresources: {}


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: proxytemplates.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: ProxyTemplate
listKind: ProxyTemplateList
plural: proxytemplates
singular: proxytemplate
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma ProxyTemplate resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: ratelimits.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: RateLimit
listKind: RateLimitList
plural: ratelimits
singular: ratelimit
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma RateLimit resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: retries.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: Retry
listKind: RetryList
plural: retries
singular: retry
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma Retry resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: serviceinsights.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: ServiceInsight
listKind: ServiceInsightList
plural: serviceinsights
singular: serviceinsight
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma ServiceInsight resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: timeouts.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: Timeout
listKind: TimeoutList
plural: timeouts
singular: timeout
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma Timeout resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: trafficlogs.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: TrafficLog
listKind: TrafficLogList
plural: trafficlogs
singular: trafficlog
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma TrafficLog resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: trafficpermissions.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: TrafficPermission
listKind: TrafficPermissionList
plural: trafficpermissions
singular: trafficpermission
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma TrafficPermission resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: trafficroutes.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: TrafficRoute
listKind: TrafficRouteList
plural: trafficroutes
singular: trafficroute
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma TrafficRoute resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: traffictraces.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: TrafficTrace
listKind: TrafficTraceList
plural: traffictraces
singular: traffictrace
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma TrafficTrace resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: virtualoutbounds.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: VirtualOutbound
listKind: VirtualOutboundList
plural: virtualoutbounds
singular: virtualoutbound
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma VirtualOutbound resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,56 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: zoneegresses.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: ZoneEgress
listKind: ZoneEgressList
plural: zoneegresses
singular: zoneegress
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Zone name
jsonPath: .spec.zone
name: zone
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma ZoneEgress resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources: {}


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: zoneegressinsights.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: ZoneEgressInsight
listKind: ZoneEgressInsightList
plural: zoneegressinsights
singular: zoneegressinsight
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma ZoneEgressInsight resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,56 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: zoneingresses.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: ZoneIngress
listKind: ZoneIngressList
plural: zoneingresses
singular: zoneingress
scope: Namespaced
versions:
- additionalPrinterColumns:
- description: Zone name
jsonPath: .spec.zone
name: zone
type: string
name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma ZoneIngress resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
subresources: {}


@ -0,0 +1,51 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: zoneingressinsights.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: ZoneIngressInsight
listKind: ZoneIngressInsightList
plural: zoneingressinsights
singular: zoneingressinsight
scope: Namespaced
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma ZoneIngressInsight
resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: zoneinsights.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: ZoneInsight
listKind: ZoneInsightList
plural: zoneinsights
singular: zoneinsight
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma ZoneInsight resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,50 @@
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.14.0
name: zones.kuma.io
spec:
group: kuma.io
names:
categories:
- kuma
kind: Zone
listKind: ZoneList
plural: zones
singular: zone
scope: Cluster
versions:
- name: v1alpha1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
mesh:
description: |-
Mesh is the name of the Kuma mesh this resource belongs to.
It may be omitted for cluster-scoped resources.
type: string
metadata:
type: object
spec:
description: Spec is the specification of the Kuma Zone resource.
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true


@ -0,0 +1,42 @@
{{ .Chart.Name }} has been installed!
Your release is named '{{ .Release.Name }}'.
You can access the control-plane via either the GUI, kubectl, the HTTP API, or the kumactl CLI.
{{- if .Values.noHelmHooks }}
-------------------------------------------------------------------------------
WARNING
When the "noHelmHooks" value is provided, you will need to manually delete
the "ValidatingWebhookConfiguration" responsible for validating {{ include "kuma.name" . }} resources
before you can uninstall Helm release. This is because the validation provided
by the webhook is not necessary during the release removal and might potentially
even prevent you from doing it. You can do this by running the following command:
kubectl delete ValidatingWebhookConfiguration {{ include "kuma.name" . }}-validating-webhook-configuration
WARNING
When the "noHelmHooks" value is set, Helm will not automatically update
the CustomResourceDefinitions (CRDs) when upgrading release. You must manually
update the CRDs if the new {{ include "kuma.name" . }} version has changes
to the CRDs. You can achieve this by calling the following command:
kumactl install crds --no-config | kubectl apply -f
{{- if and .Values.experimental.ebpf.enabled (not .Values.cni.enabled) }}
WARNING
When the "noHelmHooks" value is set, Helm will not automatically uninstall
the eBPF resources. You will need to manually uninstall these resources after
uninstalling Helm release. To do this, run the following command:
kumactl uninstall ebpf --cleanup-image-registry {{ .Values.global.image.registry }} --cleanup-image-repository {{ .Values.dataPlane.initImage.repository }}
{{- end }}
-------------------------------------------------------------------------------
{{- end }}


@ -0,0 +1,402 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "kuma.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
This is the Kuma version the chart is intended to be used with.
*/}}
{{- define "kuma.appVersion" -}}
{{- .Chart.AppVersion -}}
{{- end }}
{{/*
This is only used in the `kuma.formatImage` function below.
*/}}
{{- define "kuma.defaultRegistry" -}}
docker.io/kumahq
{{- end }}
{{- define "kuma.product" -}}
Kuma
{{- end }}
{{- define "kuma.tagPrefix" -}}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "kuma.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "kuma.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- define "kuma.controlPlane.serviceName" -}}
{{- $defaultSvcName := printf "%s-control-plane" (include "kuma.name" .) -}}
{{ printf "%s" (default $defaultSvcName .Values.controlPlane.service.name) }}
{{- end }}
{{- define "kuma.controlPlane.globalZoneSync.serviceName" -}}
{{- $defaultSvcName := printf "%s-global-zone-sync" (include "kuma.name" .) -}}
{{ printf "%s" (default $defaultSvcName .Values.controlPlane.globalZoneSyncService.name) }}
{{- end }}
{{- define "kuma.ingress.serviceName" -}}
{{- $defaultSvcName := printf "%s-ingress" (include "kuma.name" .) -}}
{{ printf "%s" (default $defaultSvcName .Values.ingress.service.name) }}
{{- end }}
{{- define "kuma.egress.serviceName" -}}
{{- $defaultSvcName := printf "%s-egress" (include "kuma.name" .) -}}
{{ printf "%s" (default $defaultSvcName .Values.egress.service.name) }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "kuma.labels" -}}
helm.sh/chart: {{ include "kuma.chart" . }}
{{ include "kuma.selectorLabels" . }}
{{- if (include "kuma.appVersion" .) }}
app.kubernetes.io/version: {{ (include "kuma.appVersion" .) | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "kuma.selectorLabels" -}}
app.kubernetes.io/name: {{ include "kuma.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
CNI labels
*/}}
{{- define "kuma.cniLabels" -}}
app: {{ include "kuma.name" . }}-cni
{{ include "kuma.labels" . }}
{{- end }}
{{/*
control plane labels
*/}}
{{- define "kuma.cpLabels" -}}
app: {{ include "kuma.name" . }}-control-plane
{{- range $key, $value := $.Values.controlPlane.extraLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{ include "kuma.labels" . }}
{{- end }}
{{/*
control plane deployment annotations
*/}}
{{- define "kuma.cpDeploymentAnnotations" -}}
{{- range $key, $value := $.Values.controlPlane.deploymentAnnotations }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{/*
ingress labels
*/}}
{{- define "kuma.ingressLabels" -}}
app: {{ include "kuma.name" . }}-ingress
{{- range $key, $value := .Values.ingress.extraLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{- end }}
{{ include "kuma.labels" . }}
{{- end }}
{{/*
egress labels
*/}}
{{- define "kuma.egressLabels" -}}
app: {{ include "kuma.name" . }}-egress
{{ range $key, $value := .Values.egress.extraLabels }}
{{ $key | quote }}: {{ $value | quote }}
{{ end }}
{{- include "kuma.labels" . }}
{{- end }}
{{/*
CNI selector labels
*/}}
{{- define "kuma.cniSelectorLabels" -}}
app: {{ include "kuma.name" . }}-cni
{{ include "kuma.selectorLabels" . }}
{{- end }}
{{/*
params: { image: { registry?, repository, tag? }, root: $ }
returns: formatted image string
*/}}
{{- define "kuma.formatImage" -}}
{{- $img := .image }}
{{- $root := .root }}
{{- $registry := ($img.registry | default $root.Values.global.image.registry) -}}
{{- $repo := ($img.repository | required "Must specify image repository") -}}
{{- $product := (include "kuma.product" .) }}
{{- $tagPrefix := (include "kuma.tagPrefix" .) }}
{{- $expectedVersion := (include "kuma.appVersion" $root) }}
{{- if
and
$root.Values.global.image.tag
(ne $root.Values.global.image.tag (include "kuma.appVersion" $root))
(eq $root.Values.global.image.registry (include "kuma.defaultRegistry" .))
-}}
{{- fail (
printf "This chart only supports %s version %q but %sglobal.image.tag is set to %q. Set %sglobal.image.tag to %q or skip this check by setting %s*.image.tag for each individual component."
$product $expectedVersion $tagPrefix $root.Values.global.image.tag $tagPrefix $expectedVersion $tagPrefix
) -}}
{{- end -}}
{{- $defaultTag := ($root.Values.global.image.tag | default (include "kuma.appVersion" $root)) -}}
{{- $tag := ($img.tag | default $defaultTag) -}}
{{- printf "%s/%s:%s" $registry $repo $tag -}}
{{- end -}}
{{- define "kuma.parentEnv" -}}
{{- end -}}
{{- define "kuma.parentSecrets" -}}
{{- end -}}
{{- define "kuma.pluginPoliciesEnabled" -}}
{{- $list := list -}}
{{- range $k, $v := .Values.plugins.policies -}}
{{- if $v -}}
{{- $list = append $list (printf "%s" $k) -}}
{{- end -}}
{{- end -}}
{{ join "," $list }}
{{- end -}}
{{- define "kuma.defaultEnv" -}}
env:
{{ include "kuma.parentEnv" . }}
- name: KUMA_ENVIRONMENT
value: "kubernetes"
- name: KUMA_STORE_TYPE
value: "kubernetes"
- name: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
value: {{ .Release.Namespace | quote }}
- name: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME
value: {{ include "kuma.controlPlane.serviceName" . }}
- name: KUMA_GENERAL_TLS_CERT_FILE
value: /var/run/secrets/kuma.io/tls-cert/tls.crt
- name: KUMA_GENERAL_TLS_KEY_FILE
value: /var/run/secrets/kuma.io/tls-cert/tls.key
{{- if eq .Values.controlPlane.mode "zone" }}
- name: KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS
value: {{ .Values.controlPlane.kdsGlobalAddress }}
{{- end }}
- name: KUMA_DP_SERVER_HDS_ENABLED
value: "false"
- name: KUMA_API_SERVER_READ_ONLY
value: "true"
- name: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT
value: {{ .Values.controlPlane.admissionServerPort | default "5443" | quote }}
- name: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_CERT_DIR
value: /var/run/secrets/kuma.io/tls-cert
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED
value: {{ .Values.cni.enabled | quote }}
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
value: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.image "root" $) | quote }}
- name: KUMA_INJECTOR_INIT_CONTAINER_IMAGE
value: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.initImage "root" $) | quote }}
{{- if .Values.dataPlane.dnsLogging }}
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_BUILTIN_DNS_LOGGING
value: "true"
{{- end }}
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE
value: /var/run/secrets/kuma.io/tls-cert/ca.crt
- name: KUMA_DEFAULTS_SKIP_MESH_CREATION
value: {{ .Values.controlPlane.defaults.skipMeshCreation | quote }}
- name: KUMA_MODE
value: {{ .Values.controlPlane.mode | quote }}
{{- if .Values.controlPlane.zone }}
- name: KUMA_MULTIZONE_ZONE_NAME
value: {{ .Values.controlPlane.zone | quote }}
{{- end }}
{{- if .Values.controlPlane.tls.apiServer.secretName }}
- name: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE
value: /var/run/secrets/kuma.io/api-server-tls-cert/tls.crt
- name: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE
value: /var/run/secrets/kuma.io/api-server-tls-cert/tls.key
{{- end }}
{{- if .Values.controlPlane.tls.apiServer.clientCertsSecretName }}
- name: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR
value: /var/run/secrets/kuma.io/api-server-client-certs/
{{- end }}
{{- if and (eq .Values.controlPlane.mode "global") (or .Values.controlPlane.tls.kdsGlobalServer.secretName .Values.controlPlane.tls.kdsGlobalServer.create) }}
- name: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE
value: /var/run/secrets/kuma.io/kds-server-tls-cert/tls.crt
- name: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE
value: /var/run/secrets/kuma.io/kds-server-tls-cert/tls.key
{{- end }}
{{- if and (eq .Values.controlPlane.mode "zone") (or .Values.controlPlane.tls.kdsZoneClient.secretName .Values.controlPlane.tls.kdsZoneClient.create) }}
- name: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE
value: /var/run/secrets/kuma.io/kds-client-tls-cert/ca.crt
{{- end }}
- name: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN
value: "false"
- name: KUMA_RUNTIME_KUBERNETES_ALLOWED_USERS
value: "system:serviceaccount:{{ .Release.Namespace }}:{{ include "kuma.name" . }}-control-plane"
{{- if .Values.experimental.sidecarContainers }}
- name: KUMA_EXPERIMENTAL_SIDECAR_CONTAINERS
value: "true"
{{- end }}
{{- if .Values.cni.enabled }}
- name: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_ENABLED
value: "true"
- name: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_APP
value: "{{ include "kuma.name" . }}-cni"
- name: KUMA_RUNTIME_KUBERNETES_NODE_TAINT_CONTROLLER_CNI_NAMESPACE
value: {{ .Values.cni.namespace }}
{{- end }}
{{- if .Values.experimental.ebpf.enabled }}
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_ENABLED
value: "true"
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_INSTANCE_IP_ENV_VAR_NAME
value: {{ .Values.experimental.ebpf.instanceIPEnvVarName }}
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_BPFFS_PATH
value: {{ .Values.experimental.ebpf.bpffsPath }}
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_CGROUP_PATH
value: {{ .Values.experimental.ebpf.cgroupPath }}
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_TC_ATTACH_IFACE
value: {{ .Values.experimental.ebpf.tcAttachIface }}
- name: KUMA_RUNTIME_KUBERNETES_INJECTOR_EBPF_PROGRAMS_SOURCE_PATH
value: {{ .Values.experimental.ebpf.programsSourcePath }}
{{- end }}
{{- if not .Values.experimental.deltaKds }}
- name: KUMA_EXPERIMENTAL_KDS_DELTA_ENABLED
value: "false"
{{- end }}
{{- if .Values.controlPlane.tls.kdsZoneClient.skipVerify }}
- name: KUMA_MULTIZONE_ZONE_KDS_TLS_SKIP_VERIFY
value: "true"
{{- end }}
- name: KUMA_PLUGIN_POLICIES_ENABLED
value: {{ include "kuma.pluginPoliciesEnabled" . | quote }}
{{- if .Values.controlPlane.supportGatewaySecretsInAllNamespaces }}
- name: KUMA_RUNTIME_KUBERNETES_SUPPORT_GATEWAY_SECRETS_IN_ALL_NAMESPACES
value: true
{{- end }}
{{- end }}
{{- define "kuma.controlPlane.tls.general.caSecretName" -}}
{{ .Values.controlPlane.tls.general.caSecretName | default .Values.controlPlane.tls.general.secretName | default (printf "%s-tls-cert" (include "kuma.name" .)) | quote }}
{{- end }}
{{- define "kuma.universal.defaultEnv" -}}
{{ if eq .Values.controlPlane.mode "zone" }}
{{ if .Values.ingress.enabled }}
{{ fail "Can't have ingress.enabled when running controlPlane.mode=='universal'" }}
{{ end }}
{{ if .Values.egress.enabled }}
{{ fail "Can't have egress.enabled when running controlPlane.mode=='universal'" }}
{{ end }}
{{ end }}
env:
- name: KUMA_PLUGIN_POLICIES_ENABLED
value: {{ include "kuma.pluginPoliciesEnabled" . | quote }}
- name: KUMA_GENERAL_WORK_DIR
value: "/tmp/kuma"
- name: KUMA_ENVIRONMENT
value: "universal"
- name: KUMA_STORE_TYPE
value: "postgres"
- name: KUMA_STORE_POSTGRES_PORT
value: "{{ .Values.postgres.port }}"
- name: KUMA_DEFAULTS_SKIP_MESH_CREATION
value: {{ .Values.controlPlane.defaults.skipMeshCreation | quote }}
{{ if and (eq .Values.controlPlane.mode "zone") .Values.controlPlane.tls.general.secretName }}
- name: KUMA_GENERAL_TLS_CERT_FILE
value: /var/run/secrets/kuma.io/tls-cert/tls.crt
- name: KUMA_GENERAL_TLS_KEY_FILE
value: /var/run/secrets/kuma.io/tls-cert/tls.key
{{ end }}
- name: KUMA_MODE
value: {{ .Values.controlPlane.mode | quote }}
{{- if eq .Values.controlPlane.mode "zone" }}
- name: KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS
value: {{ .Values.controlPlane.kdsGlobalAddress }}
{{- end }}
{{- if .Values.controlPlane.zone }}
- name: KUMA_MULTIZONE_ZONE_NAME
value: {{ .Values.controlPlane.zone | quote }}
{{- end }}
{{- if and (eq .Values.controlPlane.mode "zone") (or .Values.controlPlane.tls.kdsZoneClient.secretName .Values.controlPlane.tls.kdsZoneClient.create) }}
- name: KUMA_MULTIZONE_ZONE_KDS_ROOT_CA_FILE
value: /var/run/secrets/kuma.io/kds-client-tls-cert/ca.crt
{{- end }}
{{- if not .Values.experimental.deltaKds }}
- name: KUMA_EXPERIMENTAL_KDS_DELTA_ENABLED
value: "false"
{{- end }}
{{- if .Values.controlPlane.tls.kdsZoneClient.skipVerify }}
- name: KUMA_MULTIZONE_ZONE_KDS_TLS_SKIP_VERIFY
value: "true"
{{- end }}
{{- if .Values.controlPlane.tls.apiServer.secretName }}
- name: KUMA_API_SERVER_HTTPS_TLS_CERT_FILE
value: /var/run/secrets/kuma.io/api-server-tls-cert/tls.crt
- name: KUMA_API_SERVER_HTTPS_TLS_KEY_FILE
value: /var/run/secrets/kuma.io/api-server-tls-cert/tls.key
{{- end }}
{{- if .Values.controlPlane.tls.apiServer.clientCertsSecretName }}
- name: KUMA_API_SERVER_AUTH_CLIENT_CERTS_DIR
value: /var/run/secrets/kuma.io/api-server-client-certs/
{{- end }}
{{- if .Values.controlPlane.tls.kdsGlobalServer.secretName }}
- name: KUMA_MULTIZONE_GLOBAL_KDS_TLS_CERT_FILE
value: /var/run/secrets/kuma.io/kds-server-tls-cert/tls.crt
- name: KUMA_MULTIZONE_GLOBAL_KDS_TLS_KEY_FILE
value: /var/run/secrets/kuma.io/kds-server-tls-cert/tls.key
{{- end }}
- name: KUMA_STORE_POSTGRES_TLS_MODE
value: {{ .Values.postgres.tls.mode }}
{{- if or (eq .Values.postgres.tls.mode "verifyCa") (eq .Values.postgres.tls.mode "verifyFull") }}
{{- if empty .Values.postgres.tls.caSecretName }}
{{ fail "if mode is 'verifyCa' or 'verifyFull' then you must provide .Values.postgres.tls.caSecretName" }}
{{- end }}
{{- if .Values.postgres.tls.secretName }}
- name: KUMA_STORE_POSTGRES_TLS_CERT_PATH
value: /var/run/secrets/kuma.io/postgres-tls-cert/tls.crt
- name: KUMA_STORE_POSTGRES_TLS_KEY_PATH
value: /var/run/secrets/kuma.io/postgres-tls-cert/tls.key
{{- end }}
{{- if .Values.postgres.tls.caSecretName }}
- name: KUMA_STORE_POSTGRES_TLS_CA_PATH
value: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt
{{- end }}
{{- if .Values.postgres.tls.disableSSLSNI }}
- name: KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI
value: {{ .Values.postgres.tls.disableSSLSNI }}
{{- end }}
{{- end }}
{{- end }}
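Review bot: `value: true` under `KUMA_RUNTIME_KUBERNETES_SUPPORT_GATEWAY_SECRETS_IN_ALL_NAMESPACES` in `kuma.defaultEnv` renders an unquoted YAML boolean, but a container `env` entry's `value` is typed string, so the rendered Deployment is rejected by the API server whenever `controlPlane.supportGatewaySecretsInAllNamespaces` is set; every sibling flag in the same template writes `value: "true"`. The same shape appears in `kuma.universal.defaultEnv` at `KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI`, where `{{ .Values.postgres.tls.disableSSLSNI }}` is emitted bare and becomes a boolean when the value is `true`. Change them to `value: "true"` and `value: {{ .Values.postgres.tls.disableSSLSNI | quote }}`. The other bare templated scalars in both templates (`kdsGlobalAddress`, `cni.namespace`, the `experimental.ebpf.*` paths, `postgres.tls.mode`) would be safer piped through `quote` as well, since an unset value currently renders as `null` rather than an empty string and a value containing `: ` or ` #` would change the YAML structure.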


@ -0,0 +1,22 @@
{{- if and .Values.cni.enabled (not .Values.experimental.ebpf.enabled) }}
kind: ConfigMap
apiVersion: v1
metadata:
name: {{ include "kuma.name" . }}-cni-config
namespace: {{ .Values.cni.namespace }}
labels: {{ include "kuma.cniLabels" . | nindent 4 }}
data:
# The CNI network configuration to add to the plugin chain on each node.
cni_network_config: |-
{
"cniVersion": "0.3.1",
"name": "kuma-cni",
"type": "kuma-cni",
"log_level": "{{ .Values.cni.logLevel }}",
"kubernetes": {
"kubeconfig": "__KUBECONFIG_FILEPATH__",
"cni_bin_dir": "{{ .Values.cni.binDir }}",
"exclude_namespaces": [ "kube-system" ]
}
}
{{- end }}
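Review bot: `"log_level": "{{ .Values.cni.logLevel }}"` and `"cni_bin_dir": "{{ .Values.cni.binDir }}"` splice chart values into the JSON block scalar without escaping, so a value containing a double quote or backslash yields invalid JSON in `cni_network_config`, which the plugin on each node would presumably fail to parse. Piping the value through `quote`, which emits an escaped double-quoted string, is the cheap fix: `"log_level": {{ .Values.cni.logLevel | quote }},` and `"cni_bin_dir": {{ .Values.cni.binDir | quote }},`. `namespace: {{ .Values.cni.namespace }}` is also emitted bare; quoting it keeps an unset value from rendering as `null`.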


@ -0,0 +1,152 @@
{{- if .Values.cni.enabled }}
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: {{ include "kuma.name" . }}-cni-node
namespace: {{ .Values.cni.namespace }}
annotations:
ignore-check.kube-linter.io/run-as-non-root: "The container installs a CNI plugin"
labels: {{- include "kuma.cniLabels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "kuma.cniSelectorLabels" . | nindent 6 }}
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
template:
metadata:
labels:
{{- include "kuma.cniSelectorLabels" . | nindent 8 }}
annotations:
checksum/config: {{ include (print $.Template.BasePath "/cni-configmap.yaml") . | sha256sum }}
{{- range $key, $value := .Values.cni.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
# This, along with the CriticalAddonsOnly toleration below,
# marks the pod as a critical add-on, ensuring it gets
# priority scheduling and that its resources are reserved
# if it ever gets evicted.
priorityClassName: system-node-critical
{{- with .Values.cni.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.cni.tolerations }}
tolerations:
{{ toYaml . | nindent 8 }}
{{- end }}
tolerations:
# Make sure kuma-cni-node gets scheduled on all nodes.
- effect: NoSchedule
operator: Exists
# Mark the pod as a critical add-on for rescheduling.
- key: CriticalAddonsOnly
operator: Exists
- effect: NoExecute
operator: Exists
serviceAccountName: {{ include "kuma.name" . }}-cni
# Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
# deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
terminationGracePeriodSeconds: 5
securityContext:
{{- toYaml .Values.cni.podSecurityContext | trim | nindent 8 }}
containers:
- name: install-cni
imagePullPolicy: {{ .Values.cni.image.imagePullPolicy }}
{{- if not .Values.experimental.ebpf.enabled }}
image: {{ include "kuma.formatImage" (dict "image" .Values.cni.image "root" $) | quote }}
readinessProbe:
initialDelaySeconds: {{ .Values.cni.delayStartupSeconds }}
exec:
command:
- cat
- /tmp/ready
command: [ "sh", "-c", "--" ]
args: [ "sleep {{.Values.cni.delayStartupSeconds}} && exec /install-cni" ]
{{- else }}
{{- with .Values.cni.experimental.imageEbpf }}
image: {{ printf "%s/%s:%s" .registry .repository .tag | quote }}
{{- end }}
args:
- /app/mbctl
- --mode=kuma
- --use-reconnect=true
- --cni-mode=true
{{- if eq .Values.cni.logLevel "debug" }}
- --debug=true
{{- end }}
lifecycle:
preStop:
exec:
command:
- make
- --keep-going
- clean
{{- end }}
securityContext:
{{- toYaml .Values.cni.containerSecurityContext | trim | nindent 12 }}
{{- if .Values.experimental.ebpf.enabled }}
privileged: true
{{- end }}
{{- if not .Values.experimental.ebpf.enabled }}
env:
# Name of the CNI config file to create.
- name: CNI_CONF_NAME
value: "{{ .Values.cni.confName }}"
# The CNI network config to install on each node.
- name: CNI_NETWORK_CONFIG
valueFrom:
configMapKeyRef:
name: {{ include "kuma.name" . }}-cni-config
key: cni_network_config
- name: CNI_NET_DIR
value: "{{ .Values.cni.netDir }}"
# If true, deploy as a chained CNI plugin, otherwise deploy as a standalone CNI
- name: CHAINED_CNI_PLUGIN
value: "{{ .Values.cni.chained }}"
- name: CNI_LOG_LEVEL
value: "{{ .Values.cni.logLevel }}"
{{- end }}
resources:
{{- toYaml .Values.cni.resources | trim | nindent 12 }}
volumeMounts:
- mountPath: /host/opt/cni/bin
name: cni-bin-dir
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
{{- if .Values.experimental.ebpf.enabled }}
- mountPath: /sys/fs/cgroup
name: sys-fs-cgroup
- mountPath: /host/proc
name: host-proc
- mountPath: /host/var/run
name: host-var-run
mountPropagation: Bidirectional
{{- end }}
- name: tmp
mountPath: /tmp
volumes:
# Used to install CNI.
- name: cni-bin-dir
hostPath:
path: {{ .Values.cni.binDir }}
- name: cni-net-dir
hostPath:
path: {{ .Values.cni.netDir }}
{{- if .Values.experimental.ebpf.enabled }}
- hostPath:
path: /var/run
name: host-var-run
- hostPath:
path: /sys/fs/cgroup
name: sys-fs-cgroup
- hostPath:
path: /proc
name: host-proc
{{- end }}
- name: tmp
emptyDir: {}
{{- end }}
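Review bot: When `.Values.cni.tolerations` is set, the pod spec renders two `tolerations:` keys — the user-supplied list from the `{{- with .Values.cni.tolerations }}` block and the hard-coded list immediately after it — and a duplicate mapping key is either rejected by the YAML decoder or resolved last-wins, silently dropping the user's tolerations. Folding the user list into the single key, as below, keeps both. The template also reads `.Values.cni.image.imagePullPolicy` while the control-plane Deployment reads `.Values.controlPlane.image.pullPolicy`; aligning the two values key names would make the chart easier to configure.

```yaml
      tolerations:
        # Make sure kuma-cni-node gets scheduled on all nodes.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
        {{- with .Values.cni.tolerations }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      # … unchanged: serviceAccountName, terminationGracePeriodSeconds, securityContext, containers, volumes …
```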

@ -0,0 +1,51 @@
{{- if .Values.cni.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kuma.name" . }}-cni
namespace: {{ .Values.cni.namespace }}
labels: {{ include "kuma.cniLabels" . | nindent 4 }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ . | quote }}
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kuma.name" . }}-cni
labels:
{{ include "kuma.cniLabels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources:
- nodes
verbs:
- get
- apiGroups: [""]
resources:
- pods
verbs:
- get
{{- if .Values.experimental.ebpf.enabled }}
- list
- watch
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kuma.name" . }}-cni
labels:
{{ include "kuma.cniLabels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "kuma.name" . }}-cni
subjects:
- kind: ServiceAccount
name: {{ include "kuma.name" . }}-cni
namespace: {{ .Values.cni.namespace }}
{{- end }}
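Review bot: The ClusterRole and ClusterRoleBinding put `labels:` on its own line followed by an untrimmed `{{ include "kuma.cniLabels" . | nindent 4 }}`, while the ServiceAccount in the same file writes `labels: {{ include "kuma.cniLabels" . | nindent 4 }}` inline; the output is valid but carries a stray blank line under `labels:` and the two forms read as if written by different hands. Use the inline form `labels: {{ include "kuma.cniLabels" . | nindent 4 }}` for all three resources.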

@ -0,0 +1,33 @@
{{ $kumaCpLabels := include "kuma.cpLabels" . }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "kuma.name" . }}-control-plane-config
namespace: {{ .Release.Namespace }}
labels: {{ $kumaCpLabels | nindent 4 }}
data:
config.yaml: |
# use this file to override default configuration of `kuma-cp`
#
# see conf/kuma-cp.conf.yml for available settings
{{ if .Values.controlPlane.config }}
{{ .Values.controlPlane.config | nindent 4 }}
{{ end }}
{{- $releaseNamespace := .Release.Namespace}}
{{- range $extraConfigMap := .Values.controlPlane.extraConfigMaps }}
{{- if $extraConfigMap.values }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $extraConfigMap.name }}
namespace: {{ $releaseNamespace }}
labels: {{ $kumaCpLabels | nindent 4 }}
data:
{{- range $fileName, $fileContents := $extraConfigMap.values }}
{{- $fileName | nindent 2 }}: |
{{- $fileContents | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}
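Review bot: `config.yaml` is rendered verbatim from `.Values.controlPlane.config` into a ConfigMap, which anyone with `get configmaps` in the namespace can read, and the header comment says nothing about where credentials belong. A line in that header would steer operators: `# do not put credentials here: this is a ConfigMap, not a Secret; use controlPlane.secrets (env from Secret) or controlPlane.extraSecrets (file mounts) instead`. The extra ConfigMaps in the `range` are created only when `values` is non-empty, while the Deployment mounts a ConfigMap of that name regardless; a one-line comment stating that an empty `values` means the ConfigMap is expected to exist already would make that contract explicit.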

@ -0,0 +1,398 @@
{{ $kdsGlobalServerTLSSecretName := "" }}
{{ if eq .Values.controlPlane.mode "global" }}
{{ $kdsGlobalServerTLSSecretName = .Values.controlPlane.tls.kdsGlobalServer.secretName }}
{{ if and .Values.controlPlane.tls.kdsGlobalServer.create (not $kdsGlobalServerTLSSecretName) }}
{{ $kdsGlobalServerTLSSecretName = print (include "kuma.name" .) "-kds-global-server-tls" }}
{{ end }}
{{ end }}
{{ $kdsZoneClientTLSSecretName := "" }}
{{ if eq .Values.controlPlane.mode "zone" }}
{{ $kdsZoneClientTLSSecretName = .Values.controlPlane.tls.kdsZoneClient.secretName }}
{{ if and .Values.controlPlane.tls.kdsZoneClient.create (not $kdsZoneClientTLSSecretName) }}
{{ $kdsZoneClientTLSSecretName = print (include "kuma.name" .) "-kds-zone-client-tls" }}
{{ end }}
{{ end }}
{{ if not (or (eq .Values.controlPlane.mode "zone") (eq .Values.controlPlane.mode "global") (eq .Values.controlPlane.mode "standalone")) }}
{{ $msg := printf "controlPlane.mode invalid got:'%s' supported values: global,zone,standalone" .Values.controlPlane.mode }}
{{ fail $msg }}
{{ end }}
{{ if eq .Values.controlPlane.mode "zone" }}
{{ if not (empty .Values.controlPlane.zone) }}
{{ if gt (len .Values.controlPlane.zone) 253 }}
{{ fail "controlPlane.zone must be no more than 253 characters" }}
{{ else }}
{{ if not (regexMatch "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" .Values.controlPlane.zone) }}
{{ fail "controlPlane.zone must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character" }}
{{ end }}
{{ end }}
{{ end }}
{{ if not (empty .Values.controlPlane.kdsGlobalAddress) }}
{{ $url := urlParse .Values.controlPlane.kdsGlobalAddress }}
{{ if not (or (eq $url.scheme "grpcs") (eq $url.scheme "grpc")) }}
{{ $msg := printf "controlPlane.kdsGlobalAddress must be a url with scheme grpcs:// or grpc:// got:'%s'" .Values.controlPlane.kdsGlobalAddress }}
{{ fail $msg }}
{{ end }}
{{ end }}
{{ else }}
{{ if not (empty .Values.controlPlane.zone) }}
{{ fail "Can't specify a controlPlane.zone when controlPlane.mode!='zone'" }}
{{ end }}
{{ if not (empty .Values.controlPlane.kdsGlobalAddress) }}
{{ fail "Can't specify a controlPlane.kdsGlobalAddress when controlPlane.mode!='zone'" }}
{{ end }}
{{ end }}
{{- $defaultEnv := include "kuma.defaultEnv" . | fromYaml | pluck "env" | first }}
{{- if eq .Values.controlPlane.environment "universal" }}
{{- $defaultEnv = include "kuma.universal.defaultEnv" . | fromYaml | pluck "env" | first }}
{{- end }}
{{- $defaultEnvDict := dict }}
{{- range $index, $item := $defaultEnv }}
{{- $name := $item.name | upper }}
{{- $defaultEnvDict := set $defaultEnvDict $name $item.value }}
{{- end }}
{{- $envVarsCopy := deepCopy .Values.controlPlane.envVars }}
{{- $mergedEnv := merge $envVarsCopy $defaultEnvDict }}
{{- $defaultSecrets := include "kuma.parentSecrets" . | fromYaml }}
{{- $extraSecrets := .Values.controlPlane.extraSecrets }}
{{- $mergedSecrets := merge $extraSecrets $defaultSecrets }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kuma.name" . }}-control-plane
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
annotations: {{ include "kuma.cpDeploymentAnnotations" . | nindent 4 }}
spec:
{{- if not .Values.controlPlane.autoscaling.enabled }}
replicas: {{ .Values.controlPlane.replicas }}
{{- end }}
minReadySeconds: {{ .Values.controlPlane.minReadySeconds }}
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
selector:
matchLabels:
{{- include "kuma.selectorLabels" . | nindent 6 }}
app: {{ include "kuma.name" . }}-control-plane
template:
metadata:
annotations:
checksum/config: {{ include (print $.Template.BasePath "/cp-configmap.yaml") . | sha256sum }}
{{- if .Values.restartOnSecretChange }}
checksum/tls-secrets: {{ include (print $.Template.BasePath "/cp-webhooks-and-secrets.yaml") . | sha256sum }}
{{- end }}
{{- range $key, $value := $.Values.controlPlane.podAnnotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
labels: {{ include "kuma.cpLabels" . | nindent 8 }}
spec:
{{- with .Values.controlPlane.affinity }}
affinity: {{ tpl (toYaml . | nindent 8) $ }}
{{- end }}
{{- with .Values.controlPlane.topologySpreadConstraints }}
topologySpreadConstraints: {{ tpl (toYaml . | nindent 8) $ }}
{{- end }}
securityContext:
{{- toYaml .Values.controlPlane.podSecurityContext | trim | nindent 8 }}
serviceAccountName: {{ include "kuma.name" . }}-control-plane
automountServiceAccountToken: {{ .Values.controlPlane.automountServiceAccountToken }}
{{- with .Values.controlPlane.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.controlPlane.tolerations }}
tolerations:
{{ toYaml . | nindent 8 }}
{{- end }}
hostNetwork: {{ .Values.controlPlane.hostNetwork }}
terminationGracePeriodSeconds: {{ .Values.controlPlane.terminationGracePeriodSeconds }}
{{- if (eq .Values.controlPlane.environment "universal") }}
initContainers:
- name: migration
image: {{ include "kuma.formatImage" (dict "image" .Values.controlPlane.image "root" $) | quote }}
imagePullPolicy: {{ .Values.controlPlane.image.pullPolicy }}
securityContext:
{{- toYaml .Values.controlPlane.containerSecurityContext | trim | nindent 12 }}
env:
{{- range $key, $value := $mergedEnv }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- range $element := .Values.controlPlane.secrets }}
- name: {{ $element.Env }}
valueFrom:
secretKeyRef:
name: {{ $element.Secret }}
key: {{ $element.Key }}
{{- end }}
args:
- migrate
- up
- --log-level=info
- --config-file=/etc/kuma.io/kuma-control-plane/config.yaml
resources:
{{- if .Values.controlPlane.resources }}
{{- .Values.controlPlane.resources | toYaml | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.postgres.tls.caSecretName }}
- name: postgres-tls-cert-ca
subPath: ca.crt
mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt
readOnly: true
{{- end }}
{{- if .Values.postgres.tls.secretName }}
- name: postgres-tls-cert
subPath: tls.crt
mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/tls.crt
readOnly: true
- name: postgres-tls-cert
subPath: tls.key
mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/tls.key
readOnly: true
{{- end }}
- name: {{ include "kuma.name" . }}-control-plane-config
mountPath: /etc/kuma.io/kuma-control-plane
readOnly: true
{{- end }}
containers:
- name: control-plane
image: {{ include "kuma.formatImage" (dict "image" .Values.controlPlane.image "root" $) | quote }}
imagePullPolicy: {{ .Values.controlPlane.image.pullPolicy }}
securityContext:
{{- toYaml .Values.controlPlane.containerSecurityContext | trim | nindent 12 }}
env:
{{- range $key, $value := $mergedEnv }}
- name: {{ $key }}
value: {{ $value | quote }}
{{- end }}
{{- range $element := .Values.controlPlane.secrets }}
- name: {{ $element.Env }}
valueFrom:
secretKeyRef:
name: {{ $element.Secret }}
key: {{ $element.Key }}
{{- end }}
- name: KUMA_INTER_CP_CATALOG_INSTANCE_ADDRESS
valueFrom:
fieldRef:
fieldPath: status.podIP
args:
- run
- --log-level={{ .Values.controlPlane.logLevel }}
- --log-output-path={{ .Values.controlPlane.logOutputPath }}
- --config-file=/etc/kuma.io/kuma-control-plane/config.yaml
ports:
- containerPort: 5680
name: diagnostics
protocol: TCP
- containerPort: 5681
- containerPort: 5682
- containerPort: {{ .Values.controlPlane.admissionServerPort | default "5443" }}
{{- if ne .Values.controlPlane.mode "global" }}
- containerPort: 5678
{{- end }}
livenessProbe:
timeoutSeconds: 10
httpGet:
path: /healthy
port: 5680
readinessProbe:
timeoutSeconds: 10
httpGet:
path: /ready
port: 5680
resources:
{{- if .Values.controlPlane.resources }}
{{- .Values.controlPlane.resources | toYaml | nindent 12 }}
{{- end }}
{{ with .Values.controlPlane.lifecycle }}
lifecycle: {{ . | toYaml | nindent 14 }}
{{ end }}
volumeMounts:
{{- if eq .Values.controlPlane.environment "kubernetes" }}
{{- if not .Values.controlPlane.automountServiceAccountToken }}
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: serviceaccount-token
readOnly: true
{{- end }}
- name: general-tls-cert
mountPath: /var/run/secrets/kuma.io/tls-cert/tls.crt
subPath: tls.crt
readOnly: true
- name: general-tls-cert
mountPath: /var/run/secrets/kuma.io/tls-cert/tls.key
subPath: tls.key
readOnly: true
- name: general-tls-cert{{- if .Values.controlPlane.tls.general.caSecretName }}-ca{{- end }}
mountPath: /var/run/secrets/kuma.io/tls-cert/ca.crt
subPath: ca.crt
readOnly: true
{{- end }}
{{- if and (eq .Values.controlPlane.environment "universal") (eq .Values.controlPlane.mode "zone") }}
{{- if .Values.controlPlane.tls.general.secretName }}
- name: general-tls-cert
mountPath: /var/run/secrets/kuma.io/tls-cert/tls.crt
subPath: tls.crt
readOnly: true
- name: general-tls-cert
mountPath: /var/run/secrets/kuma.io/tls-cert/tls.key
subPath: tls.key
readOnly: true
- name: general-tls-cert{{- if .Values.controlPlane.tls.general.caSecretName }}-ca{{- end }}
mountPath: /var/run/secrets/kuma.io/tls-cert/ca.crt
subPath: ca.crt
readOnly: true
{{- end }}
{{- end }}
- name: {{ include "kuma.name" . }}-control-plane-config
mountPath: /etc/kuma.io/kuma-control-plane
readOnly: true
{{- if .Values.controlPlane.tls.apiServer.secretName }}
- name: api-server-tls-cert
mountPath: /var/run/secrets/kuma.io/api-server-tls-cert
readOnly: true
{{- end }}
{{- if .Values.postgres.tls.caSecretName }}
- name: postgres-tls-cert-ca
subPath: ca.crt
mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt
readOnly: true
{{- end }}
{{- if .Values.postgres.tls.secretName }}
- name: postgres-tls-cert
subPath: tls.crt
mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/tls.crt
readOnly: true
- name: postgres-tls-cert
subPath: tls.key
mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/tls.key
readOnly: true
{{- end }}
{{- if .Values.controlPlane.tls.apiServer.clientCertsSecretName }}
- name: api-server-client-certs
mountPath: /var/run/secrets/kuma.io/api-server-client-certs
readOnly: true
{{- end }}
{{- if $kdsGlobalServerTLSSecretName }}
- name: kds-server-tls-cert
mountPath: /var/run/secrets/kuma.io/kds-server-tls-cert
readOnly: true
{{- end }}
{{- if $kdsZoneClientTLSSecretName }}
- name: kds-client-tls-cert
mountPath: /var/run/secrets/kuma.io/kds-client-tls-cert
readOnly: true
{{- end }}
{{- range $extraConfigMap := .Values.controlPlane.extraConfigMaps }}
- name: {{ $extraConfigMap.name }}
mountPath: {{ $extraConfigMap.mountPath }}
readOnly: {{ $extraConfigMap.readOnly }}
{{- end }}
{{- range $mergedSecret := $mergedSecrets }}
- name: {{ $mergedSecret.name }}
mountPath: {{ $mergedSecret.mountPath }}
subPath: {{ $mergedSecret.subPath }}
readOnly: {{ $mergedSecret.readOnly }}
{{- end }}
- name: tmp
mountPath: /tmp
volumes:
{{- if eq .Values.controlPlane.environment "kubernetes" }}
{{- if not .Values.controlPlane.automountServiceAccountToken }}
- name: serviceaccount-token
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3600
path: token
- configMap:
name: kube-root-ca.crt
items:
- key: ca.crt
path: ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- end }}
{{- if .Values.controlPlane.tls.general.secretName }}
- name: general-tls-cert
secret:
secretName: {{ .Values.controlPlane.tls.general.secretName }}
{{- else }}
- name: general-tls-cert
secret:
secretName: {{ include "kuma.name" . }}-tls-cert
{{- end }}
{{- if .Values.controlPlane.tls.general.caSecretName }}
- name: general-tls-cert-ca
secret:
secretName: {{ .Values.controlPlane.tls.general.caSecretName }}
{{- end }}
{{- end }}
{{- if and (eq .Values.controlPlane.environment "universal") (eq .Values.controlPlane.mode "zone") }}
{{- if .Values.controlPlane.tls.general.secretName }}
- name: general-tls-cert
secret:
secretName: {{ .Values.controlPlane.tls.general.secretName }}
{{- end }}
{{- if .Values.controlPlane.tls.general.caSecretName }}
- name: general-tls-cert-ca
secret:
secretName: {{ .Values.controlPlane.tls.general.caSecretName }}
{{- end }}
{{- end }}
{{- if .Values.controlPlane.tls.apiServer.secretName }}
- name: api-server-tls-cert
secret:
secretName: {{ .Values.controlPlane.tls.apiServer.secretName }}
{{- end }}
{{- if .Values.postgres.tls.caSecretName }}
- name: postgres-tls-cert-ca
secret:
secretName: {{ .Values.postgres.tls.caSecretName }}
{{- end }}
{{- if .Values.postgres.tls.secretName }}
- name: postgres-tls-cert
secret:
secretName: {{ .Values.postgres.tls.secretName }}
{{- end }}
{{- if .Values.controlPlane.tls.apiServer.clientCertsSecretName }}
- name: api-server-client-certs
secret:
secretName: {{ .Values.controlPlane.tls.apiServer.clientCertsSecretName }}
{{- end }}
{{- if $kdsGlobalServerTLSSecretName }}
- name: kds-server-tls-cert
secret:
secretName: {{ $kdsGlobalServerTLSSecretName }}
{{- end }}
{{- if $kdsZoneClientTLSSecretName }}
- name: kds-client-tls-cert
secret:
secretName: {{ $kdsZoneClientTLSSecretName }}
{{- end }}
- name: {{ include "kuma.name" . }}-control-plane-config
configMap:
name: {{ include "kuma.name" . }}-control-plane-config
{{- range $extraConfigMap := .Values.controlPlane.extraConfigMaps }}
- name: {{ $extraConfigMap.name }}
configMap:
name: {{ $extraConfigMap.name }}
{{- end }}
{{- range $mergedSecret := $mergedSecrets }}
- name: {{ $mergedSecret.name }}
secret:
secretName: {{ $mergedSecret.name }}
{{- end }}
- name: tmp
emptyDir: {}
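Review bot: `{{- $mergedSecrets := merge $extraSecrets $defaultSecrets }}` writes the defaults into `.Values.controlPlane.extraSecrets` itself, because `merge` mutates its first argument and `$extraSecrets` is a plain reference, whereas the env merge a few lines earlier deep-copies `.Values.controlPlane.envVars` before merging. Copy for the same reason: `{{- $extraSecrets := deepCopy .Values.controlPlane.extraSecrets }}`. Inside the `range` over `$defaultEnv`, `{{- $defaultEnvDict := set $defaultEnvDict $name $item.value }}` declares a new range-scoped variable on each iteration and only works because `set` mutates the dict in place; `{{- $_ := set $defaultEnvDict $name $item.value }}` states that intent honestly.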

@ -0,0 +1,33 @@
{{- if and (eq .Values.controlPlane.mode "global") .Values.controlPlane.globalZoneSyncService.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kuma.controlPlane.globalZoneSync.serviceName" . }}
namespace: {{ .Release.Namespace }}
annotations:
{{- range $key, $value := .Values.controlPlane.globalZoneSyncService.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
spec:
type: {{ .Values.controlPlane.globalZoneSyncService.type }}
{{- if .Values.controlPlane.globalZoneSyncService.loadBalancerIP }}
loadBalancerIP: {{ .Values.controlPlane.globalZoneSyncService.loadBalancerIP }}
{{- end }}
{{- if .Values.controlPlane.globalZoneSyncService.loadBalancerSourceRanges }}
loadBalancerSourceRanges:
{{- range .Values.controlPlane.globalZoneSyncService.loadBalancerSourceRanges }}
- {{.}}
{{- end }}
{{- end }}
ports:
- port: {{ .Values.controlPlane.globalZoneSyncService.port }}
appProtocol: {{ .Values.controlPlane.globalZoneSyncService.protocol }}
{{- if and (eq .Values.controlPlane.globalZoneSyncService.type "NodePort") .Values.controlPlane.globalZoneSyncService.nodePort }}
nodePort: {{ .Values.controlPlane.globalZoneSyncService.nodePort }}
{{- end }}
name: global-zone-sync
selector:
app: {{ include "kuma.name" . }}-control-plane
{{ include "kuma.selectorLabels" . | nindent 4 }}
{{- end }}
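Review bot: `loadBalancerIP: {{ ... }}` and the `- {{.}}` entries under `loadBalancerSourceRanges` are emitted as plain scalars, so a value that is empty renders as null and anything YAML-special is reinterpreted rather than passed through. Quote them, `loadBalancerIP: {{ .Values.controlPlane.globalZoneSyncService.loadBalancerIP | quote }}` and `- {{ . | quote }}`, as the annotations in this same template already do. The trailing `{{ include "kuma.selectorLabels" . | nindent 4 }}` is untrimmed while the control-plane Service uses `{{- include ... }}`; both render fine, but one form file-wide reads better.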

@ -0,0 +1,24 @@
{{- if .Values.controlPlane.autoscaling.enabled }}
{{ if .Capabilities.APIVersions.Has "autoscaling/v2" }}
apiVersion: "autoscaling/v2"
{{ else }}
apiVersion: "autoscaling/v1"
{{ end }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "kuma.name" . }}-control-plane
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "kuma.name" . }}-control-plane
minReplicas: {{ .Values.controlPlane.autoscaling.minReplicas }}
maxReplicas: {{ .Values.controlPlane.autoscaling.maxReplicas }}
{{ if .Capabilities.APIVersions.Has "autoscaling/v2" }}
metrics: {{- toYaml .Values.controlPlane.autoscaling.metrics | nindent 4 }}
{{ else }}
targetCPUUtilizationPercentage: {{ .Values.controlPlane.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- end }}
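Review bot: The `autoscaling/v2` branch hinges on `.Capabilities.APIVersions.Has`, which reflects the target cluster only when Helm can query it; rendering offline (`helm template` without `--api-versions`) presumably falls through to the `autoscaling/v1` branch, which ignores `.Values.controlPlane.autoscaling.metrics` entirely and emits only `targetCPUUtilizationPercentage`. A comment on the capability check, `# offline rendering may not see autoscaling/v2; pass --api-versions or expect the v1 fallback (metrics ignored)`, would prevent that surprise. The `{{ if }}`/`{{ else }}` lines are untrimmed while the closing `{{- end }}` lines are trimmed; the stray blank lines are harmless but the mix reads as accidental.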

@ -0,0 +1,25 @@
{{- if .Values.controlPlane.ingress.enabled }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "kuma.controlPlane.serviceName" . }}
namespace: {{ .Release.Namespace }}
{{- with .Values.controlPlane.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
spec:
ingressClassName: {{ .Values.controlPlane.ingress.ingressClassName }}
rules:
- host: {{ .Values.controlPlane.ingress.hostname }}
http:
paths:
- path: {{ .Values.controlPlane.ingress.path }}
pathType: {{ .Values.controlPlane.ingress.pathType }}
backend:
service:
name: {{ include "kuma.controlPlane.serviceName" . }}
port:
number: {{ .Values.controlPlane.ingress.servicePort }}
{{- end }}
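Review bot: The Ingress routes to the control-plane Service (which, per the Service template, serves the plain-HTTP API on 5681) but has no `tls:` stanza and no values hook to add one, so traffic reaching the API by this path is protected only by whatever the ingress controller does by default. Either add an optional block — `{{- with .Values.controlPlane.ingress.tls }}` / `tls: {{ toYaml . | nindent 4 }}` / `{{- end }}` with a documented values key — or state in a comment that TLS termination and access control are expected to be configured on the ingress controller. `host: {{ .Values.controlPlane.ingress.hostname }}` and `path:` are also unquoted; `| quote` keeps an empty or special-character value from being reinterpreted.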

@ -0,0 +1,15 @@
{{ if and (eq .Values.controlPlane.mode "global") .Values.controlPlane.tls.kdsGlobalServer.create }}
apiVersion: v1
kind: Secret
metadata:
{{ with .Values.controlPlane.tls.kdsGlobalServer.secretName }}
name: {{ . }}
{{ else }}
name: {{ include "kuma.name" . }}-kds-global-server-tls
{{ end }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
type: kubernetes.io/tls
stringData:
tls.crt: {{ required "you must provide a kds tls cert" .Values.controlPlane.tls.kdsGlobalServer.cert | quote }}
tls.key: {{ required "you must provide a kds tls key" .Values.controlPlane.tls.kdsGlobalServer.key | quote }}
{{ end }}
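Review bot: This Secret carries no `namespace:` in its metadata, unlike the other namespaced resources in the chart (the ConfigMap, Deployment and Services all set `namespace: {{ .Release.Namespace }}`), so it lands in the release namespace only by Helm's default and ends up elsewhere when rendered manifests are applied with `kubectl -n`; the Deployment mounts it by name from `.Release.Namespace`. Add `namespace: {{ .Release.Namespace }}` under `metadata:`; the kds zone-client Secret in the next file has the same omission. The `{{ with }}`/`{{ else }}`/`{{ end }}` lines inside `metadata:` are untrimmed and leave blank lines inside the mapping — valid, but `{{- with ... }}` would match the rest of the chart.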

@ -0,0 +1,13 @@
{{ if and (eq .Values.controlPlane.mode "zone") .Values.controlPlane.tls.kdsZoneClient.create }}
apiVersion: v1
kind: Secret
metadata:
{{ with .Values.controlPlane.tls.kdsZoneClient.secretName }}
name: {{ . }}
{{ else }}
name: {{ include "kuma.name" . }}-kds-zone-client-tls
{{ end }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
stringData:
ca.crt: {{ required "you must provide a kds cert" .Values.controlPlane.tls.kdsZoneClient.cert | quote }}
{{ end }}

@ -0,0 +1,20 @@
{{ if $.Values.controlPlane.podDisruptionBudget.enabled }}
{{ if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{ else if .Capabilities.APIVersions.Has "policy/v1beta1" }}
apiVersion: policy/v1beta1
{{ else }}
{{ fail "pod disruption budgets are not supported by this version of kubernetes" }}
{{ end }}
kind: PodDisruptionBudget
metadata:
name: {{ include "kuma.name" . }}-control-plane
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
spec:
maxUnavailable: {{ .Values.controlPlane.podDisruptionBudget.maxUnavailable }}
selector:
matchLabels:
{{- include "kuma.selectorLabels" . | nindent 6 }}
app: {{ include "kuma.name" . }}-control-plane
{{ end }}

@ -0,0 +1,315 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kuma.name" . }}-control-plane
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
{{- with .Values.controlPlane.serviceAccountAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ . | quote }}
{{- end }}
{{- end }}
{{- if (eq .Values.controlPlane.environment "kubernetes") }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kuma.name" . }}-control-plane
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- namespaces
- pods
- configmaps
- nodes
{{- if .Values.controlPlane.supportGatewaySecretsInAllNamespaces }}
- secrets
{{- end }}
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- list
- watch
- apiGroups:
- "discovery.k8s.io"
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- "apps"
resources:
- deployments
- replicasets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- "batch"
resources:
- jobs
verbs:
- get
- list
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses
- gateways
- referencegrants
- httproutes
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- gateway.networking.k8s.io
resources:
- gatewayclasses/status
- gateways/status
- httproutes/status
verbs:
- get
- patch
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- delete
- list
- watch
- create
- update
- patch
- apiGroups:
- "discovery.k8s.io"
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- kuma.io
resources:
- dataplanes
- dataplaneinsights
- meshes
- zones
- zoneinsights
- zoneingresses
- zoneingressinsights
- zoneegresses
- zoneegressinsights
- meshinsights
- serviceinsights
- proxytemplates
- ratelimits
- trafficpermissions
- trafficroutes
- timeouts
- retries
- circuitbreakers
- virtualoutbounds
- containerpatches
- externalservices
- faultinjections
- healthchecks
- trafficlogs
- traffictraces
- meshgateways
- meshgatewayroutes
- meshgatewayinstances
- meshgatewayconfigs
{{- range $policy, $v := .Values.plugins.policies }}
{{- if $v }}
- {{ $policy }}
{{- end}}
{{- end}}
{{- range $policy, $v := .Values.plugins.resources }}
{{- if $v }}
- {{ $policy }}
{{- end}}
{{- end}}
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- kuma.io
resources:
- meshgatewayinstances/status
- meshgatewayinstances/finalizers
- meshes/finalizers
- dataplanes/finalizers
verbs:
- get
- patch
- update
- apiGroups:
- ""
resources:
- pods/finalizers
verbs:
- get
- patch
- update
{{- if .Values.cni.enabled }}
- apiGroups:
- k8s.cni.cncf.io
resources:
- network-attachment-definitions
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- update
- apiGroups:
- "pods"
resources:
- pods
verbs:
- list
{{- end }}
# validate k8s token before issuing mTLS cert
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kuma.name" . }}-control-plane
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "kuma.name" . }}-control-plane
subjects:
- kind: ServiceAccount
name: {{ include "kuma.name" . }}-control-plane
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: {{ include "kuma.name" . }}-control-plane
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- patch
- delete
# leader-for-life election deletes Pods in some circumstances
- apiGroups:
- ""
resources:
- pods
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: {{ include "kuma.name" . }}-control-plane
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ include "kuma.name" . }}-control-plane
subjects:
- kind: ServiceAccount
name: {{ include "kuma.name" . }}-control-plane
namespace: {{ .Release.Namespace }}
{{- end }}
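Review bot: The rule rendered under `cni.enabled` with `apiGroups: - "pods"` names a group that does not exist — Pods live in the core group `""` — so the rule grants nothing; the core-group rule at the top of the ClusterRole already covers `pods` with `get`/`list`/`watch`, so the block can be dropped or, if a separate rule is wanted, corrected to `- ""`. The `discovery.k8s.io` / `endpointslices` rule with `get`/`list`/`watch` also appears twice in the same ClusterRole; one copy suffices. The cluster-wide `list`/`watch` on `secrets` (plus `get` when `supportGatewaySecretsInAllNamespaces` is set) lets the control plane read every Secret in the cluster, a large privilege for a mesh control plane; a comment naming the feature that needs it, or scoping it to the namespaced Role below when that feature is off, would make the least-privilege trade-off reviewable.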

@ -0,0 +1,49 @@
{{ if .Values.controlPlane.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kuma.controlPlane.serviceName" . }}
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
annotations:
{{- range $key, $value := .Values.controlPlane.service.annotations }}
{{- if $value }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- end }}
spec:
type: {{ .Values.controlPlane.service.type }}
ports:
- port: 5680
name: diagnostics
appProtocol: http
- port: 5681
name: http-api-server
appProtocol: http
{{- if and (eq .Values.controlPlane.service.type "NodePort") .Values.controlPlane.service.apiServer.http.nodePort }}
nodePort: {{ .Values.controlPlane.service.apiServer.http.nodePort }}
{{- end }}
- port: 5682
name: https-api-server
appProtocol: https
{{- if and (eq .Values.controlPlane.service.type "NodePort") .Values.controlPlane.service.apiServer.https.nodePort }}
nodePort: {{ .Values.controlPlane.service.apiServer.https.nodePort }}
{{- end }}
{{- if ne .Values.controlPlane.environment "universal" }}
- port: 443
name: https-admission-server
targetPort: {{ .Values.controlPlane.admissionServerPort | default "5443" }}
appProtocol: https
{{- end }}
{{- if ne .Values.controlPlane.mode "global" }}
- port: 5676
name: mads-server
appProtocol: https
- port: 5678
name: dp-server
appProtocol: https
{{- end }}
selector:
app: {{ include "kuma.name" . }}-control-plane
{{- include "kuma.selectorLabels" . | nindent 4 }}
{{ end }}
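Review bot: `annotations:` is always emitted, so when `.Values.controlPlane.service.annotations` is empty or every value is filtered out the key renders with a null value; the API server accepts it, but the Ingress template in this chart guards the same construct with `{{- with .Values.controlPlane.ingress.annotations }}`. Wrapping this block the same way, `{{- with .Values.controlPlane.service.annotations }}` … `{{- end }}`, keeps the output consistent and free of an empty mapping key. The `{{- if $value }}` filter skips annotations whose value is an empty string or boolean `false` but keeps the string `"false"`; a one-line comment stating that this is intentional would stop the next reader from treating it as a bug.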

@ -0,0 +1,337 @@
{{- if not (eq (empty .Values.controlPlane.tls.general.caBundle) (empty .Values.controlPlane.tls.general.secretName)) }}
{{ fail "You need to send both or neither of controlPlane.tls.general.caBundle and controlPlane.tls.general.secretName"}}
{{- end }}
{{- $caBundle := .Values.controlPlane.tls.general.caBundle }}
{{/*
Generate certificates
see: https://masterminds.github.io/sprig/crypto.html
see: https://medium.com/nuvo-group-tech/move-your-certs-to-helm-4f5f61338aca
see: https://github.com/networkservicemesh/networkservicemesh/blob/804ad5026bb5dbd285c220f15395fe25e46f5edb/deployments/helm/nsm/charts/admission-webhook/templates/admission-webhook-secret.tpl
We only autogenerate certs if user did not chose their own secret.
We only autogenerate certs if the cert is not yet generated. This way we keep the secrets between HELM upgrades.
*/}}
{{- if eq .Values.controlPlane.tls.general.secretName "" -}}
{{- $cert := "" }}
{{- $key := "" }}
{{- $secretName := print (include "kuma.name" .) "-tls-cert" }}
{{- $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
{{- if $secret -}}
{{- $cert = index $secret.data "tls.crt" -}}
{{- $key = index $secret.data "tls.key" -}}
{{- $caBundle = index $secret.data "ca.crt" -}}
{{- else -}}
{{- $commonName := (include "kuma.controlPlane.serviceName" .) -}}
{{- $altNames := list (printf "%s.%s" $commonName .Release.Namespace) (printf "%s.%s.svc" $commonName .Release.Namespace) -}}
{{- $certTTL := 3650 -}}
{{- $ca := genCA "kuma-ca" $certTTL -}}
{{- $genCert := genSignedCert $commonName nil $altNames $certTTL $ca -}}
{{- $cert = $genCert.Cert | b64enc -}}
{{- $key = $genCert.Key | b64enc -}}
{{ $caBundle = $ca.Cert | b64enc }}
{{- end -}}
---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: {{ $secretName }}
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
data:
tls.crt: {{ $cert }}
tls.key: {{ $key }}
ca.crt: {{ $caBundle }}
{{- end }}
{{- if (eq .Values.controlPlane.environment "kubernetes") }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: {{ include "kuma.name" . }}-admission-mutating-webhook-configuration
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
webhooks:
- name: mesh.defaulter.kuma-admission.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: Fail
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
clientConfig:
caBundle: {{ $caBundle }}
service:
namespace: {{ .Release.Namespace }}
name: {{ include "kuma.controlPlane.serviceName" . }}
path: /default-kuma-io-v1alpha1-mesh
rules:
- apiGroups:
- kuma.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
resources:
- meshes
- meshgateways
{{- range $policy, $v := .Values.plugins.policies }}
{{- if $v }}
- {{ $policy }}
{{- end}}
{{- end}}
{{- range $policy, $v := .Values.plugins.resources }}
{{- if $v }}
- {{ $policy }}
{{- end}}
{{- end}}
sideEffects: None
- name: owner-reference.kuma-admission.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: Fail
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
clientConfig:
caBundle: {{ $caBundle }}
service:
namespace: {{ .Release.Namespace }}
name: {{ include "kuma.controlPlane.serviceName" . }}
path: /owner-reference-kuma-io-v1alpha1
rules:
- apiGroups:
- kuma.io
apiVersions:
- v1alpha1
operations:
- CREATE
resources:
- circuitbreakers
- externalservices
- faultinjections
- healthchecks
- meshgateways
- meshgatewayroutes
- proxytemplates
- ratelimits
- retries
- timeouts
- trafficlogs
- trafficpermissions
- trafficroutes
- traffictraces
- virtualoutbounds
{{- range $policy, $v := .Values.plugins.policies }}
{{- if $v }}
- {{ $policy }}
{{- end}}
{{- end}}
{{- range $policy, $v := .Values.plugins.resources }}
{{- if $v }}
- {{ $policy }}
{{- end}}
{{- end}}
{{ .Values.controlPlane.webhooks.ownerReference.additionalRules | nindent 6 }}
sideEffects: None
{{- if ne .Values.controlPlane.mode "global" }}
- name: namespace-kuma-injector.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }}
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
- key: kuma.io/sidecar-injection
operator: In
values: ["enabled", "true"]
clientConfig:
caBundle: {{ $caBundle }}
service:
namespace: {{ .Release.Namespace }}
name: {{ include "kuma.controlPlane.serviceName" . }}
path: /inject-sidecar
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
sideEffects: None
- name: pods-kuma-injector.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: {{ .Values.controlPlane.injectorFailurePolicy }}
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
objectSelector:
matchLabels:
kuma.io/sidecar-injection: enabled
clientConfig:
caBundle: {{ $caBundle }}
service:
namespace: {{ .Release.Namespace }}
name: {{ include "kuma.controlPlane.serviceName" . }}
path: /inject-sidecar
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
resources:
- pods
sideEffects: None
{{- end }}
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: {{ include "kuma.name" . }}-validating-webhook-configuration
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.cpLabels" . | nindent 4 }}
webhooks:
- name: validator.kuma-admission.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: Fail
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
clientConfig:
caBundle: {{ $caBundle }}
service:
namespace: {{ .Release.Namespace }}
name: {{ include "kuma.controlPlane.serviceName" . }}
path: /validate-kuma-io-v1alpha1
rules:
- apiGroups:
- kuma.io
apiVersions:
- v1alpha1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- circuitbreakers
- dataplanes
- externalservices
- faultinjections
- meshgatewayinstances
- healthchecks
- meshes
- meshgateways
- meshgatewayroutes
- proxytemplates
- ratelimits
- retries
- trafficlogs
- trafficpermissions
- trafficroutes
- traffictraces
- virtualoutbounds
- zones
- containerpatches
{{- range $policy, $v := .Values.plugins.policies }}
{{- if $v }}
- {{ $policy }}
{{- end}}
{{- end}}
{{- range $policy, $v := .Values.plugins.resources }}
{{- if $v }}
- {{ $policy }}
{{- end}}
{{- end}}
{{ .Values.controlPlane.webhooks.validator.additionalRules | nindent 6 }}
sideEffects: None
{{- if ne .Values.controlPlane.mode "global" }}
- name: service.validator.kuma-admission.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: Ignore
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
clientConfig:
caBundle: {{ $caBundle }}
service:
namespace: {{ .Release.Namespace }}
name: {{ include "kuma.controlPlane.serviceName" . }}
path: /validate-v1-service
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- services
sideEffects: None
{{- end }}
- name: secret.validator.kuma-admission.kuma.io
admissionReviewVersions: ["v1"]
namespaceSelector:
matchLabels:
kuma.io/system-namespace: "true"
failurePolicy: Ignore
clientConfig:
caBundle: {{ $caBundle }}
service:
namespace: {{ .Release.Namespace }}
name: {{ include "kuma.controlPlane.serviceName" . }}
path: /validate-v1-secret
rules:
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- secrets
sideEffects: None
- name: gateway.validator.kuma-admission.kuma.io
admissionReviewVersions: ["v1"]
failurePolicy: Ignore
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: NotIn
values: ["kube-system"]
clientConfig:
caBundle: {{ $caBundle }}
service:
namespace: {{ .Release.Namespace }}
name: {{ include "kuma.controlPlane.serviceName" . }}
path: /validate-gatewayclass
rules:
- apiGroups:
- "gateway.networking.k8s.io"
apiVersions:
- v1beta1
operations:
- CREATE
resources:
- gatewayclasses
sideEffects: None
{{- end }}
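Review bot: The reuse path has no expiry check: once the Secret exists, `tls.crt`, `tls.key` and `ca.crt` are taken from it verbatim on every upgrade, and the generated material shares one `$certTTL` of 3650 days for both the CA and the leaf, so a long-lived install reaches expiry with every `failurePolicy: Fail` webhook below rejecting requests and no rotation path other than deleting the Secret. The template comment above `{{- if eq .Values.controlPlane.tls.general.secretName "" -}}` should say this, and add that `lookup` returns nothing under `helm template` and client-side `--dry-run`, so those renders always mint a fresh CA that does not match the one in the cluster. Separately, `namespace: {{ .Release.Namespace }}` under `metadata` of the MutatingWebhookConfiguration and ValidatingWebhookConfiguration is ignored for cluster-scoped kinds and can be dropped; the same stray field appears on the ClusterRole/ClusterRoleBinding of the ebpf-cleanup and patch-ns hook templates later in this commit.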


@ -0,0 +1,137 @@
{{- if .Values.egress.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kuma.name" . }}-egress
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.egressLabels" . | nindent 4 }}
spec:
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
{{- if not .Values.egress.autoscaling.enabled }}
replicas: {{ .Values.egress.replicas }}
{{- end }}
selector:
matchLabels:
{{- include "kuma.selectorLabels" . | nindent 6 }}
app: {{ include "kuma.name" . }}-egress
template:
metadata:
annotations:
kuma.io/egress: enabled
{{- range $key, $value := merge .Values.egress.podAnnotations .Values.egress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
labels:
{{- include "kuma.egressLabels" . | nindent 8 }}
spec:
{{- with .Values.egress.affinity }}
affinity: {{ tpl (toYaml . | nindent 8) $ }}
{{- end }}
{{- with .Values.egress.topologySpreadConstraints }}
topologySpreadConstraints: {{ tpl (toYaml . | nindent 8) $ }}
{{- end }}
securityContext:
{{- toYaml .Values.egress.podSecurityContext | trim | nindent 8 }}
serviceAccountName: {{ include "kuma.name" . }}-egress
automountServiceAccountToken: {{ .Values.egress.automountServiceAccountToken }}
{{- with .Values.egress.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.egress.tolerations }}
tolerations:
{{ toYaml . | nindent 8 }}
{{- end }}
containers:
- name: egress
image: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.image "root" $) | quote }}
imagePullPolicy: {{ .Values.dataPlane.image.pullPolicy }}
securityContext:
{{- toYaml .Values.egress.containerSecurityContext | trim | nindent 12 }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KUMA_CONTROL_PLANE_URL
value: "https://{{ include "kuma.controlPlane.serviceName" . }}.{{ .Release.Namespace }}:5678"
- name: KUMA_CONTROL_PLANE_CA_CERT_FILE
value: /var/run/secrets/kuma.io/cp-ca/ca.crt
- name: KUMA_DATAPLANE_DRAIN_TIME
value: {{ .Values.egress.drainTime }}
- name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: KUMA_DATAPLANE_PROXY_TYPE
value: "egress"
args:
- run
- --log-level={{ .Values.egress.logLevel | default "info" }}
ports:
- containerPort: 10002
livenessProbe:
httpGet:
path: "/ready"
port: 9901
failureThreshold: 12
initialDelaySeconds: 60
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
readinessProbe:
httpGet:
path: "/ready"
port: 9901
failureThreshold: 12
initialDelaySeconds: 1
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
resources: {{ toYaml .Values.egress.resources | nindent 12 }}
volumeMounts:
{{- if not .Values.egress.automountServiceAccountToken }}
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: serviceaccount-token
readOnly: true
{{- end }}
- name: control-plane-ca
mountPath: /var/run/secrets/kuma.io/cp-ca
readOnly: true
- name: tmp
mountPath: /tmp
volumes:
{{- if not .Values.egress.automountServiceAccountToken }}
- name: serviceaccount-token
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3600
path: token
- configMap:
name: kube-root-ca.crt
items:
- key: ca.crt
path: ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- end }}
- name: control-plane-ca
secret:
secretName: {{ include "kuma.controlPlane.tls.general.caSecretName" . }}
items:
- key: ca.crt
path: ca.crt
- name: tmp
emptyDir: {}
{{- end }}
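Review bot: `value: {{ .Values.egress.drainTime }}` renders the drain time as a plain scalar, but Kubernetes requires every `env[].value` to be a string; a numeric-looking value such as `30` is typed as an integer by the YAML parser and the Deployment is rejected by API-server validation, while the neighbouring `KUMA_CONTROL_PLANE_URL` is already quoted. Use `value: {{ .Values.egress.drainTime | quote }}`; the same applies to `.Values.ingress.drainTime` in the ingress Deployment template in this commit. The `--log-level={{ ... }}` arg is fine as-is because the literal prefix makes it a string.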


@ -0,0 +1,24 @@
{{- if .Values.egress.autoscaling.enabled }}
{{ if .Capabilities.APIVersions.Has "autoscaling/v2" }}
apiVersion: "autoscaling/v2"
{{ else }}
apiVersion: "autoscaling/v1"
{{ end }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "kuma.name" . }}-egress
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.egressLabels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "kuma.name" . }}-egress
minReplicas: {{ .Values.egress.autoscaling.minReplicas }}
maxReplicas: {{ .Values.egress.autoscaling.maxReplicas }}
{{ if .Capabilities.APIVersions.Has "autoscaling/v2" }}
metrics: {{- toYaml .Values.egress.autoscaling.metrics | nindent 4 }}
{{ else }}
targetCPUUtilizationPercentage: {{ .Values.egress.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- end }}


@ -0,0 +1,20 @@
{{ if $.Values.egress.podDisruptionBudget.enabled }}
{{ if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{ else if .Capabilities.APIVersions.Has "policy/v1beta1" }}
apiVersion: policy/v1beta1
{{ else }}
{{ fail "pod disruption budgets are not supported by this version of kubernetes" }}
{{ end }}
kind: PodDisruptionBudget
metadata:
name: {{ include "kuma.name" . }}-egress
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.egressLabels" . | nindent 4 }}
spec:
maxUnavailable: {{ .Values.egress.podDisruptionBudget.maxUnavailable }}
selector:
matchLabels:
{{- include "kuma.selectorLabels" . | nindent 6 }}
app: {{ include "kuma.name" . }}-egress
{{ end }}


@ -0,0 +1,18 @@
{{- if .Values.egress.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kuma.name" . }}-egress
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.egressLabels" . | nindent 4 }}
{{- with .Values.egress.serviceAccountAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ . | quote }}
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,32 @@
{{- if .Values.egress.enabled }}
{{- if eq .Values.controlPlane.mode "global" }}
{{ fail "You shouldn't run zoneEgress when running the CP in global" }}
{{- end }}
{{- end }}
{{- if and .Values.egress.enabled .Values.egress.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kuma.egress.serviceName" . }}
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.egressLabels" . | nindent 4 }}
annotations:
{{- range $key, $value := .Values.egress.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
type: {{ .Values.egress.service.type }}
{{- if .Values.egress.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.egress.service.loadBalancerIP }}
{{- end }}
ports:
- port: {{ .Values.egress.service.port }}
protocol: TCP
targetPort: 10002
{{- if and (eq .Values.egress.service.type "NodePort") .Values.egress.service.nodePort }}
nodePort: {{ .Values.egress.service.nodePort }}
{{- end }}
selector:
app: {{ include "kuma.name" . }}-egress
{{- include "kuma.selectorLabels" . | nindent 4 }}
{{- end }}
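Review bot: `spec.loadBalancerIP` has been deprecated since Kubernetes 1.24 in favour of cloud-provider annotations, and this template already renders `.Values.egress.service.annotations`, so users have the supported path available but nothing points them to it. A one-line template comment above the `{{- if .Values.egress.service.loadBalancerIP }}` block, e.g. `{{/* loadBalancerIP is deprecated since Kubernetes 1.24; prefer the cloud provider's annotation via service.annotations */}}`, is enough; the same block appears in the ingress Service template in this commit.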


@ -0,0 +1,19 @@
{{- if and (eq .Values.controlPlane.environment "kubernetes") (eq .Values.controlPlane.mode "zone") }}
{{- if .Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1/GatewayClass" }}
---
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: kuma
spec:
controllerName: "gateways.kuma.io/controller"
{{- else if .Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1/GatewayClass" }}
---
apiVersion: gateway.networking.k8s.io/v1beta1
kind: GatewayClass
metadata:
name: kuma
spec:
controllerName: "gateways.kuma.io/controller"
{{- end }}
{{- end }}
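Review bot: The GatewayClass is cluster-scoped and hard-codes `name: kuma` with no release-name prefix, so two releases of this chart in one cluster contend for the same object and the second install fails on the existing resource. If the control plane only reconciles the class literally named `kuma`, renaming is not an option and a template comment stating that a cluster can host only one Kuma zone control plane owning the `kuma` GatewayClass is the fix; otherwise `name: {{ include "kuma.name" . }}` would follow the naming used elsewhere in the chart. Either way the constraint is currently implicit.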


@ -0,0 +1,141 @@
{{- if .Values.ingress.enabled }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "kuma.name" . }}-ingress
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.ingressLabels" . | nindent 4 }}
spec:
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
{{- if not .Values.ingress.autoscaling.enabled }}
replicas: {{ .Values.ingress.replicas }}
{{- end }}
selector:
matchLabels:
{{- include "kuma.selectorLabels" . | nindent 6 }}
app: {{ include "kuma.name" . }}-ingress
template:
metadata:
annotations:
kuma.io/ingress: enabled
{{- range $key, $value := merge .Values.ingress.podAnnotations .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
labels:
{{- include "kuma.ingressLabels" . | nindent 8 }}
spec:
{{- with .Values.ingress.affinity }}
affinity: {{ tpl (toYaml . | nindent 8) $ }}
{{- end }}
{{- with .Values.ingress.topologySpreadConstraints }}
topologySpreadConstraints: {{ tpl (toYaml . | nindent 8) $ }}
{{- end }}
securityContext:
{{- toYaml .Values.ingress.podSecurityContext | trim | nindent 8 }}
serviceAccountName: {{ include "kuma.name" . }}-ingress
automountServiceAccountToken: {{ .Values.ingress.automountServiceAccountToken }}
{{- with .Values.ingress.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.ingress.tolerations }}
tolerations:
{{ toYaml . | nindent 8 }}
{{- end }}
terminationGracePeriodSeconds: {{ .Values.ingress.terminationGracePeriodSeconds }}
containers:
- name: ingress
image: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.image "root" $) | quote }}
imagePullPolicy: {{ .Values.dataPlane.image.pullPolicy }}
securityContext:
{{- toYaml .Values.ingress.containerSecurityContext | trim | nindent 12 }}
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: KUMA_CONTROL_PLANE_URL
value: "https://{{ include "kuma.controlPlane.serviceName" . }}.{{ .Release.Namespace }}:5678"
- name: KUMA_CONTROL_PLANE_CA_CERT_FILE
value: /var/run/secrets/kuma.io/cp-ca/ca.crt
- name: KUMA_DATAPLANE_DRAIN_TIME
value: {{ .Values.ingress.drainTime }}
- name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH
value: /var/run/secrets/kubernetes.io/serviceaccount/token
- name: KUMA_DATAPLANE_PROXY_TYPE
value: "ingress"
args:
- run
- --log-level={{ .Values.ingress.logLevel | default "info" }}
ports:
- containerPort: 10001
livenessProbe:
httpGet:
path: "/ready"
port: 9901
failureThreshold: 12
initialDelaySeconds: 60
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
readinessProbe:
httpGet:
path: "/ready"
port: 9901
failureThreshold: 12
initialDelaySeconds: 1
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 3
resources: {{ toYaml .Values.ingress.resources | nindent 12 }}
{{ with .Values.ingress.lifecycle}}
lifecycle: {{ . | toYaml | nindent 12 }}
{{ end }}
volumeMounts:
{{- if not .Values.ingress.automountServiceAccountToken }}
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: serviceaccount-token
readOnly: true
{{- end }}
- name: control-plane-ca
mountPath: /var/run/secrets/kuma.io/cp-ca
readOnly: true
- name: tmp
mountPath: /tmp
volumes:
{{- if not .Values.ingress.automountServiceAccountToken }}
- name: serviceaccount-token
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3600
path: token
- configMap:
name: kube-root-ca.crt
items:
- key: ca.crt
path: ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- end }}
- name: control-plane-ca
secret:
secretName: {{ include "kuma.controlPlane.tls.general.caSecretName" . }}
items:
- key: ca.crt
path: ca.crt
- name: tmp
emptyDir: {}
{{- end }}


@ -0,0 +1,24 @@
{{- if .Values.ingress.autoscaling.enabled }}
{{ if .Capabilities.APIVersions.Has "autoscaling/v2" }}
apiVersion: "autoscaling/v2"
{{ else }}
apiVersion: "autoscaling/v1"
{{ end }}
kind: HorizontalPodAutoscaler
metadata:
name: {{ include "kuma.name" . }}-ingress
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.ingressLabels" . | nindent 4 }}
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: {{ include "kuma.name" . }}-ingress
minReplicas: {{ .Values.ingress.autoscaling.minReplicas }}
maxReplicas: {{ .Values.ingress.autoscaling.maxReplicas }}
{{ if .Capabilities.APIVersions.Has "autoscaling/v2" }}
metrics: {{- toYaml .Values.ingress.autoscaling.metrics | nindent 4 }}
{{ else }}
targetCPUUtilizationPercentage: {{ .Values.ingress.autoscaling.targetCPUUtilizationPercentage }}
{{- end }}
{{- end }}


@ -0,0 +1,20 @@
{{ if $.Values.ingress.podDisruptionBudget.enabled }}
{{ if .Capabilities.APIVersions.Has "policy/v1" }}
apiVersion: policy/v1
{{ else if .Capabilities.APIVersions.Has "policy/v1beta1" }}
apiVersion: policy/v1beta1
{{ else }}
{{ fail "pod disruption budgets are not supported by this version of kubernetes" }}
{{ end }}
kind: PodDisruptionBudget
metadata:
name: {{ include "kuma.name" . }}-ingress
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.ingressLabels" . | nindent 4 }}
spec:
maxUnavailable: {{ .Values.ingress.podDisruptionBudget.maxUnavailable }}
selector:
matchLabels:
{{- include "kuma.selectorLabels" . | nindent 6 }}
app: {{ include "kuma.name" . }}-ingress
{{ end }}


@ -0,0 +1,18 @@
{{- if .Values.ingress.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "kuma.name" . }}-ingress
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.ingressLabels" . | nindent 4 }}
{{- with .Values.ingress.serviceAccountAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ . | quote }}
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,32 @@
{{- if .Values.ingress.enabled }}
{{- if or (eq .Values.controlPlane.mode "global") (eq .Values.controlPlane.mode "standalone") }}
{{ fail "You shouldn't run zoneIngress when running the CP in global or standalone" }}
{{- end }}
{{- end }}
{{- if and .Values.ingress.enabled .Values.ingress.service.enabled }}
apiVersion: v1
kind: Service
metadata:
name: {{ include "kuma.ingress.serviceName" . }}
namespace: {{ .Release.Namespace }}
labels: {{ include "kuma.ingressLabels" . | nindent 4 }}
annotations:
{{- range $key, $value := .Values.ingress.service.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
spec:
type: {{ .Values.ingress.service.type }}
{{- if .Values.ingress.service.loadBalancerIP }}
loadBalancerIP: {{ .Values.ingress.service.loadBalancerIP }}
{{- end }}
ports:
- port: {{ .Values.ingress.service.port }}
protocol: TCP
targetPort: 10001
{{- if and (eq .Values.ingress.service.type "NodePort") .Values.ingress.service.nodePort }}
nodePort: {{ .Values.ingress.service.nodePort }}
{{- end }}
selector:
app: {{ include "kuma.name" . }}-ingress
{{- include "kuma.selectorLabels" . | nindent 4 }}
{{- end }}


@ -0,0 +1,126 @@
{{- if and (.Values.experimental.ebpf.enabled) (and (not .Values.cni.enabled) (not .Values.noHelmHooks) (eq .Values.controlPlane.environment "kubernetes")) }}
{{- $serviceAccountName := printf "%s-cleanup-node-ebpf-job" (include "kuma.name" .) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": "post-delete"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
labels:
{{- include "kuma.labels" . | nindent 4 }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ . | quote }}
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kuma.name" . }}-cleanup-node-ebpf-job
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": "post-delete"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
labels:
{{- include "kuma.labels" . | nindent 4 }}
rules:
- apiGroups: [""]
resources:
- nodes
verbs:
- list
- apiGroups: [""]
resources:
- pods
verbs:
- watch
- delete
- deletecollection
- apiGroups: ["batch"]
resources:
- jobs
verbs:
- watch
- create
- delete
- deletecollection
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kuma.name" . }}-cleanup-node-ebpf-job
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": "post-delete"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
labels:
{{- include "kuma.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "kuma.name" . }}-cleanup-node-ebpf-job
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kuma.name" . }}-cleanup-node-ebpf-job
namespace: {{ .Release.Namespace }}
labels:
{{ include "kuma.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": "post-delete"
{{/* Ensure the job is created after the RBAC resources */}}
"helm.sh/hook-weight": "5"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
spec:
template:
metadata:
name: {{ template "kuma.name" . }}-cleanup-node-ebpf-job
labels:
{{ include "kuma.labels" . | nindent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
{{- with .Values.hooks.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.hooks.tolerations }}
tolerations:
{{ toYaml . | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
{{- if .Values.hooks.ebpfCleanup.podSecurityContext }}
securityContext:
{{ toYaml .Values.hooks.ebpfCleanup.podSecurityContext | trim | nindent 8 }}
{{- end }}
containers:
- name: post-delete-job
image: {{ include "kuma.formatImage" (dict "image" .Values.dataPlane.initImage "root" $) | quote }}
{{- if .Values.hooks.ebpfCleanup.containerSecurityContext }}
securityContext:
{{ toYaml .Values.hooks.ebpfCleanup.containerSecurityContext | trim | nindent 12 }}
{{- end }}
resources:
requests:
cpu: "20m"
memory: "20Mi"
limits:
cpu: "40m"
memory: "40Mi"
command:
- 'kumactl'
- 'uninstall'
- 'ebpf'
- '--cleanup-image-registry'
- {{ .Values.global.image.registry }}
- '--cleanup-image-repository'
- {{ .Values.dataPlane.initImage.repository }}
{{- end }}
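Review bot: The hook's ClusterRole grants `delete`/`deletecollection` on pods and `create`/`delete` on jobs cluster-wide with no `resourceNames` or namespace restriction, while the pre-delete and patch-ns hooks in this chart narrow their rules with `resourceNames`. The service account only lives for the duration of the post-delete hook, so the window is short, but a comment on `rules:` saying why cluster-wide pod deletion is required (presumably to create and reap per-node cleanup jobs) would record the trade-off. The two templated `command` items `- {{ .Values.global.image.registry }}` and `- {{ .Values.dataPlane.initImage.repository }}` should go through `| quote` like the literal items around them; an empty value otherwise renders as `- `, which YAML reads as null rather than an empty string.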


@ -0,0 +1,109 @@
{{- if and (eq .Values.controlPlane.environment "kubernetes") (not .Values.noHelmHooks) }}
# HELM first deletes RBAC of Kuma, then it tries to delete Secrets. We've got validating webhook on Secrets.
# But even that the policy of this webhook is Ignore, it fails because Kuma does not have permission to access Secrets anymore.
# Therefore we first need to delete webhook so we can delete the rest of the deployment
{{- $serviceAccountName := printf "%s-pre-delete-job" (include "kuma.name" .) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": "pre-delete"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
labels:
{{- include "kuma.labels" . | nindent 4 }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ . | quote }}
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kuma.name" . }}-pre-delete-job
annotations:
"helm.sh/hook": "pre-delete"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
labels:
{{- include "kuma.labels" . | nindent 4 }}
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
resourceNames:
- {{ include "kuma.name" . }}-validating-webhook-configuration
verbs:
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kuma.name" . }}-pre-delete-job
annotations:
"helm.sh/hook": "pre-delete"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
labels:
{{- include "kuma.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "kuma.name" . }}-pre-delete-job
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kuma.name" . }}-delete-webhook
namespace: {{ .Release.Namespace }}
labels:
{{ include "kuma.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": "pre-delete"
{{/* Ensure the job is created after the RBAC resources */}}
"helm.sh/hook-weight": "5"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
spec:
template:
metadata:
name: {{ template "kuma.name" . }}-delete-webhook
labels:
{{ include "kuma.labels" . | nindent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
{{- with .Values.hooks.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.hooks.tolerations }}
tolerations:
{{ toYaml . | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
securityContext:
{{- toYaml .Values.hooks.podSecurityContext | trim | nindent 8 }}
containers:
- name: pre-delete-job
image: "{{ .Values.kubectl.image.registry }}/{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}"
command:
- 'kubectl'
- 'delete'
- 'ValidatingWebhookConfiguration'
- '--ignore-not-found'
- {{ include "kuma.name" . }}-validating-webhook-configuration
securityContext:
{{- toYaml (mergeOverwrite (dict "runAsUser" 65534) .Values.hooks.containerSecurityContext) | trim | nindent 12 }}
resources:
requests:
cpu: "100m"
memory: "256Mi"
limits:
cpu: "100m"
memory: "256Mi"
{{- end }}


@ -0,0 +1,124 @@
{{- if and ( .Values.noHelmHooks ) (eq .Values.controlPlane.environment "kubernetes") }}
{{- $errorMessage := ".Values.noHelmHooks is set. You must manually create and label the system namespace with kuma.io/system-namespace: \"true\" before installing or upgrading the chart" }}
{{- $systemNamespace := (lookup "v1" "Namespace" "" .Release.Namespace) }}
{{- if not $systemNamespace }}
{{- fail $errorMessage }}
{{- end }}
{{- $systemNamespaceLabels := ($systemNamespace).metadata.labels }}
{{- if ne (get $systemNamespaceLabels "kuma.io/system-namespace") "true" }}
{{- fail $errorMessage }}
{{- end }}
{{- else}}
{{- if .Values.patchSystemNamespace }}
{{- $serviceAccountName := printf "%s-patch-ns-job" (include "kuma.name" .) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": "pre-install"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
labels:
{{- include "kuma.labels" . | nindent 4 }}
{{- with .Values.global.imagePullSecrets }}
imagePullSecrets:
{{- range . }}
- name: {{ . | quote }}
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kuma.name" . }}-patch-ns-job
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": "pre-install"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
labels:
{{- include "kuma.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- namespaces
resourceNames:
- {{ .Release.Namespace }}
verbs:
- get
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kuma.name" . }}-patch-ns-job
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": "pre-install"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
labels:
{{- include "kuma.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "kuma.name" . }}-patch-ns-job
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kuma.name" . }}-patch-ns
namespace: {{ .Release.Namespace }}
labels:
{{ include "kuma.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": "pre-install"
{{/* Ensure the job is created after the RBAC resources */}}
"helm.sh/hook-weight": "5"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
spec:
template:
metadata:
name: {{ template "kuma.name" . }}-patch-ns-script
labels:
{{ include "kuma.labels" . | nindent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
{{- with .Values.hooks.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.hooks.tolerations }}
tolerations:
{{ toYaml . | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
securityContext:
{{- toYaml .Values.hooks.podSecurityContext | trim | nindent 8 }}
containers:
- name: pre-install-job
image: "{{ .Values.kubectl.image.registry }}/{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}"
securityContext:
{{- toYaml (mergeOverwrite (dict "runAsUser" 65534) .Values.hooks.containerSecurityContext) | trim | nindent 12 }}
resources:
requests:
cpu: "100m"
memory: "256Mi"
limits:
cpu: "100m"
memory: "256Mi"
command:
- 'kubectl'
- 'patch'
- 'namespace'
- {{ .Release.Namespace | quote }}
- '--type'
- 'merge'
- '--patch'
- '{ "metadata": { "labels": { "kuma.io/system-namespace": "true" } } }'
{{- end }}
{{- end }}

@ -0,0 +1,171 @@
{{- if (and .Values.installCrdsOnUpgrade.enabled (and (not .Values.noHelmHooks) (eq .Values.controlPlane.environment "kubernetes"))) }}
{{ $hook := "pre-upgrade,pre-install" }}
{{- $serviceAccountName := printf "%s-install-crds" (include "kuma.name" .) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": "{{ $hook }}"
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
labels:
{{- include "kuma.labels" . | nindent 4 }}
{{- with concat .Values.installCrdsOnUpgrade.imagePullSecrets .Values.global.imagePullSecrets | uniq }}
imagePullSecrets:
{{- range . }}
- name: {{ . | quote }}
{{- end }}
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "kuma.name" . }}-install-crds
annotations:
"helm.sh/hook": "{{ $hook }}"
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
labels:
{{- include "kuma.labels" . | nindent 4 }}
rules:
- apiGroups:
- "apiextensions.k8s.io"
resources:
- customresourcedefinitions
verbs:
- create
- patch
- update
- list
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "kuma.name" . }}-install-crds
annotations:
"helm.sh/hook": "{{ $hook }}"
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
labels:
{{- include "kuma.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "kuma.name" . }}-install-crds
subjects:
- kind: ServiceAccount
name: {{ $serviceAccountName }}
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "kuma.name" . }}-install-crds-scripts
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": "{{ $hook }}"
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
labels:
{{- include "kuma.labels" . | nindent 4 }}
data:
install_crds.sh: |
#!/usr/bin/env sh
set -e
if [ -s /kuma/crds/crds.yaml ]; then
echo "/kuma/crds/crds.yaml found and is not empty, adding crds"
kubectl apply -f /kuma/crds/crds.yaml
else
echo "/kuma/crds/crds.yaml not found or empty, it looks like there is no crds to install"
fi
save_crds.sh: |
set -e
crds="$(kumactl install crds --no-config)"
if [ -n "${crds}" ]; then
echo "found crds - saving to /kuma/crds/crds.yaml"
echo "${crds}" > /kuma/crds/crds.yaml
fi
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "kuma.name" . }}-install-crds
namespace: {{ .Release.Namespace }}
labels:
{{ include "kuma.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": "{{ $hook }}"
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
spec:
template:
metadata:
name: {{ template "kuma.name" . }}-install-crds-job
labels:
{{ include "kuma.labels" . | nindent 8 }}
spec:
serviceAccountName: {{ $serviceAccountName }}
{{- with .Values.hooks.nodeSelector }}
nodeSelector:
{{ toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.hooks.tolerations }}
tolerations:
{{ toYaml . | nindent 8 }}
{{- end }}
restartPolicy: OnFailure
securityContext:
{{- toYaml .Values.hooks.podSecurityContext | trim | nindent 8 }}
containers:
- name: pre-upgrade-job
image: "{{ .Values.kubectl.image.registry }}/{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}"
securityContext:
{{- toYaml (mergeOverwrite (dict "runAsUser" 65534) .Values.hooks.containerSecurityContext) | trim | nindent 12 }}
resources:
requests:
cpu: "100m"
memory: "256Mi"
limits:
cpu: "100m"
memory: "256Mi"
command: ["/kuma/scripts/install_crds.sh"]
volumeMounts:
- mountPath: /kuma/crds
name: crds
readOnly: true
- mountPath: /kuma/scripts
name: scripts
readOnly: true
initContainers:
- name: pre-upgrade-job-init
image: {{ include "kuma.formatImage" (dict "image" .Values.kumactl.image "root" $) | quote }}
securityContext:
{{- toYaml .Values.hooks.containerSecurityContext | trim | nindent 12 }}
resources:
requests:
cpu: "100m"
memory: "256Mi"
limits:
cpu: "100m"
memory: "256Mi"
volumeMounts:
- mountPath: /kuma/crds
name: crds
- mountPath: /kuma/scripts
name: scripts
readOnly: true
command: ["sh", "-c"]
args: ["/kuma/scripts/save_crds.sh"]
volumes:
- name: scripts
configMap:
name: {{ include "kuma.name" . }}-install-crds-scripts
defaultMode: 0755
- name: crds
emptyDir: {}
{{- end }}
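Review bot: The `pre-upgrade-job-init` container's securityContext drops the `runAsUser` 65534 default that the main `pre-upgrade-job` container receives through `mergeOverwrite`, so the init container relies entirely on the kumactl image's USER to satisfy the pod-level `runAsNonRoot: true` coming from `hooks.podSecurityContext`; if that image is ever built without a numeric non-root USER, the kubelet refuses to start the pod and this pre-install/pre-upgrade hook blocks the whole release. Using the same expression on both containers, `{{- toYaml (mergeOverwrite (dict "runAsUser" 65534) .Values.hooks.containerSecurityContext) | trim | nindent 12 }}`, keeps them consistent; the only write the init container performs is into the `crds` emptyDir, which is writable by any UID, so this should not depend on anything in the image filesystem, though a dry-run install is worth doing before changing it. Separately, the ClusterRole grants create/patch/update on every CustomResourceDefinition in the cluster with no `resourceNames` scoping; `create` cannot be narrowed by name, so a comment above the rule stating that this ServiceAccount can rewrite arbitrary CRDs and exists only for the hook's lifetime (it is deleted on success and failure) would make the blast radius explicit to operators auditing RBAC.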

@ -0,0 +1,748 @@
global:
image:
# -- Default registry for all Kuma Images
registry: "docker.io/kumahq"
# -- The default tag for all Kuma images, which itself defaults to .Chart.AppVersion
tag:
# -- Add `imagePullSecrets` to all the service accounts used for Kuma components
imagePullSecrets: []
# -- Whether to patch the target namespace with the system label
patchSystemNamespace: true
installCrdsOnUpgrade:
# -- Whether install new CRDs before upgrade (if any were introduced with the new version of Kuma)
enabled: true
# -- The `imagePullSecrets` to attach to the Service Account running CRD installation.
# This field will be deprecated in a future release, please use .global.imagePullSecrets
imagePullSecrets: []
# -- Whether to disable all helm hooks
noHelmHooks: false
# -- Whether to restart control-plane by calculating a new checksum for the secret
restartOnSecretChange: true
controlPlane:
# -- Environment that control plane is run in, useful when running universal global control plane on k8s
environment: "kubernetes"
# -- Labels to add to resources in addition to default labels
extraLabels: {}
# -- Kuma CP log level: one of off,info,debug
logLevel: "info"
# -- Kuma CP log output path: Defaults to /dev/stdout
logOutputPath: ""
# -- Kuma CP modes: one of zone,global
mode: "zone"
# -- (string) Kuma CP zone, if running multizone
zone:
# -- Only used in `zone` mode
kdsGlobalAddress: ""
# -- Number of replicas of the Kuma CP. Ignored when autoscaling is enabled
replicas: 1
# -- Minimum number of seconds for which a newly created pod should be ready for it to be considered available.
minReadySeconds: 0
# -- Annotations applied only to the `Deployment` resource
deploymentAnnotations: {}
# -- Annotations applied only to the `Pod` resource
podAnnotations: {}
# Horizontal Pod Autoscaling configuration
autoscaling:
# -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
enabled: false
# -- The minimum CP pods to allow
minReplicas: 2
# -- The max CP pods to scale to
maxReplicas: 5
# -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used
targetCPUUtilizationPercentage: 80
# -- For clusters that do support autoscaling/v2, use metrics
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
# -- Node selector for the Kuma Control Plane pods
nodeSelector:
kubernetes.io/os: linux
# -- Tolerations for the Kuma Control Plane pods
tolerations: []
podDisruptionBudget:
# -- Whether to create a pod disruption budget
enabled: false
# -- The maximum number of unavailable pods allowed by the budget
maxUnavailable: 1
# -- Affinity placement rule for the Kuma Control Plane pods.
# This is rendered as a template, so you can reference other helm variables or includes.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
# These match the selector labels used on the deployment.
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- '{{ include "kuma.name" . }}'
- key: app.kubernetes.io/instance
operator: In
values:
- '{{ .Release.Name }}'
- key: app
operator: In
values:
- '{{ include "kuma.name" . }}-control-plane'
topologyKey: kubernetes.io/hostname
# -- Topology spread constraints rule for the Kuma Control Plane pods.
# This is rendered as a template, so you can use variables to generate match labels.
topologySpreadConstraints:
# -- Failure policy of the mutating webhook implemented by the Kuma Injector component
injectorFailurePolicy: Fail
service:
apiServer:
http:
# -- Port on which Http api server Service is exposed on Node for service of type NodePort
nodePort: 30681
https:
# -- Port on which Https api server Service is exposed on Node for service of type NodePort
nodePort: 30682
# -- Whether to create a service resource.
enabled: true
# -- (string) Optionally override of the Kuma Control Plane Service's name
name:
# -- Service type of the Kuma Control Plane
type: ClusterIP
# -- Annotations to put on the Kuma Control Plane
annotations:
prometheus.io/scrape: "true"
prometheus.io/port: "5680"
# Kuma API and GUI ingress settings. Useful if you want to expose the
# API and GUI of Kuma outside the k8s cluster.
ingress:
# -- Install K8s Ingress resource that exposes GUI and API
enabled: false
# -- IngressClass defines which controller will implement the resource
ingressClassName:
# -- Ingress hostname
hostname:
# -- Map of ingress annotations.
annotations: {}
# -- Ingress path.
path: /
# -- Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix)
pathType: ImplementationSpecific
# -- Port from kuma-cp to use to expose API and GUI. Switch to 5682 to expose TLS port
servicePort: 5681
globalZoneSyncService:
# -- Whether to create a k8s service for the global zone sync
# service. It will only be created when enabled and deploying the global
# control plane.
enabled: true
# -- Service type of the Global-zone sync
type: LoadBalancer
# -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer
loadBalancerIP:
# -- Optionally specify allowed source ranges that can access the load balancer
loadBalancerSourceRanges: []
# -- Additional annotations to put on the Global Zone Sync Service
annotations: { }
# -- Port on which Global Zone Sync Service is exposed on Node for service of type NodePort
nodePort: 30685
# -- Port on which Global Zone Sync Service is exposed
port: 5685
# -- Protocol of the Global Zone Sync service port
protocol: grpc
defaults:
# -- Whether to skip creating the default Mesh
skipMeshCreation: false
# -- Whether to automountServiceAccountToken for cp. Optionally set to false
automountServiceAccountToken: true
# -- Optionally override the resource spec
resources:
requests:
cpu: 500m
memory: 256Mi
limits:
memory: 256Mi
# -- Pod lifecycle settings (useful for adding a preStop hook, when
# using AWS ALB or NLB)
lifecycle: {}
# -- Number of seconds to wait before force killing the pod. Make sure to
# update this if you add a preStop hook.
terminationGracePeriodSeconds: 30
# TLS for various servers
tls:
general:
# -- Secret that contains tls.crt, tls.key [and ca.crt when no
# controlPlane.tls.general.caSecretName specified] for protecting
# Kuma in-cluster communication
secretName: ""
# -- Secret that contains ca.crt that was used to sign cert for protecting
# Kuma in-cluster communication (ca.crt present in this secret
# have precedence over the one provided in the controlPlane.tls.general.secretName)
caSecretName: ""
# -- Base64 encoded CA certificate (the same as in controlPlane.tls.general.secret#ca.crt)
caBundle: ""
apiServer:
# -- Secret that contains tls.crt, tls.key for protecting Kuma API on HTTPS
secretName: ""
# -- Secret that contains list of .pem certificates that can access admin endpoints of Kuma API on HTTPS
clientCertsSecretName: ""
# - if not creating the global control plane, then do nothing
# - if secretName is empty and create is false, then do nothing
# - if secretName is non-empty and create is false, then use the secret made outside of helm with the name secretName
# - if secretName is empty and create is true, then create a secret with a default name and use it
# - if secretName is non-empty and create is true, then create the secret using the provided name
kdsGlobalServer:
# -- Name of the K8s TLS Secret resource. If you set this and don't set
# create=true, you have to create the secret manually.
secretName: ""
# -- Whether to create the TLS secret in helm.
create: false
# -- The TLS certificate to offer.
cert: ""
# -- The TLS key to use.
key: ""
# - if not creating the zonal control plane, then do nothing
# - if secretName is empty and create is false, then do nothing
# - if secretName is non-empty and create is false, then use the secret made outside of helm with the name secretName
# - if secretName is empty and create is true, then create a secret with a default name and use it
# - if secretName is non-empty and create is true, then create the secret using the provided name
kdsZoneClient:
# -- Name of the K8s Secret resource that contains ca.crt which was
# used to sign the certificate of KDS Global Server. If you set this
# and don't set create=true, you have to create the secret manually.
secretName: ""
# -- Whether to create the TLS secret in helm.
create: false
# -- CA bundle that was used to sign the certificate of KDS Global Server.
cert: ""
# -- If true, TLS cert of the server is not verified.
skipVerify: false
# -- Annotations to add for Control Plane's Service Account
serviceAccountAnnotations: { }
image:
# -- Kuma CP ImagePullPolicy
pullPolicy: IfNotPresent
# -- Kuma CP image repository
repository: "kuma-cp"
# -- Kuma CP Image tag. When not specified, the value is copied from global.tag
tag:
# -- (object with { Env: string, Secret: string, Key: string }) Secrets to add as environment variables,
# where `Env` is the name of the env variable,
# `Secret` is the name of the Secret,
# and `Key` is the key of the Secret value to use
secrets:
# someSecret:
# Secret: some-secret
# Key: secret_key
# Env: SOME_SECRET
# -- Additional environment variables that will be passed to the control plane
envVars: { }
# -- Additional config maps to mount into the control plane, with optional inline values
extraConfigMaps: [ ]
# - name: extra-config
# mountPath: /etc/extra-config
# readOnly: true
# values:
# extra-config-key: |
# extra-config-value
# -- (object with { name: string, mountPath: string, readOnly: string }) Additional secrets to mount into the control plane,
# where `Env` is the name of the env variable,
# `Secret` is the name of the Secret,
# and `Key` is the key of the Secret value to use
extraSecrets:
# extraConfig:
# name: extra-config
# mountPath: /etc/extra-config
# readOnly: true
webhooks:
validator:
# -- Additional rules to apply on Kuma validator webhook. Useful when building custom policy on top of Kuma.
additionalRules: ""
ownerReference:
# -- Additional rules to apply on Kuma owner reference webhook. Useful when building custom policy on top of Kuma.
additionalRules: ""
# -- Specifies if the deployment should be started in hostNetwork mode.
hostNetwork: false
# -- Define a new server port for the admission controller. Recommended to set in combination with
# hostNetwork to prevent multiple port bindings on the same port (like Calico in AWS EKS).
admissionServerPort: 5443
# -- Security context at the pod level for control plane.
podSecurityContext:
runAsNonRoot: true
# -- Security context at the container level for control plane.
containerSecurityContext:
readOnlyRootFilesystem: true
# -- If true, then control plane can support TLS secrets for builtin gateway outside of mesh system namespace.
# The downside is that control plane requires permission to read Secrets in all namespaces.
supportGatewaySecretsInAllNamespaces: false
cni:
# -- Install Kuma with CNI instead of proxy init container
enabled: false
# -- Install CNI in chained mode
chained: false
# -- Set the CNI install directory
netDir: /etc/cni/multus/net.d
# -- Set the CNI bin directory
binDir: /var/lib/cni/bin
# -- Set the CNI configuration name
confName: kuma-cni.conf
# -- CNI log level: one of off,info,debug
logLevel: info
# -- Node Selector for the CNI pods
nodeSelector:
kubernetes.io/os: linux
# -- Tolerations for the CNI pods
tolerations: []
# -- Additional pod annotations
podAnnotations: { }
# -- Set the CNI namespace
namespace: kube-system
image:
# -- CNI image repository
repository: "kuma-cni"
# -- CNI image tag - defaults to .Chart.AppVersion
tag:
# -- CNI image pull policy
imagePullPolicy: IfNotPresent
# -- it's only useful in tests to trigger a possible race condition
delayStartupSeconds: 0
# -- use new CNI (experimental)
experimental:
imageEbpf:
# -- CNI experimental eBPF image registry
registry: "docker.io/kumahq"
# -- CNI experimental eBPF image repository
repository: "merbridge"
# -- CNI experimental eBPF image tag
tag: "0.8.5"
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
memory: 100Mi
# -- Security context at the pod level for cni
podSecurityContext: {}
# -- Security context at the container level for cni
containerSecurityContext:
readOnlyRootFilesystem: true
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
dataPlane:
# -- If true, then turn on CoreDNS query logging
dnsLogging: false
image:
# -- The Kuma DP image repository
repository: "kuma-dp"
# -- Kuma DP ImagePullPolicy
pullPolicy: IfNotPresent
# -- Kuma DP Image Tag. When not specified, the value is copied from global.tag
tag:
initImage:
# -- The Kuma DP init image repository
repository: "kuma-init"
# -- Kuma DP init image tag When not specified, the value is copied from global.tag
tag:
ingress:
# -- If true, it deploys Ingress for cross cluster communication
enabled: false
# -- Labels to add to resources, in addition to default labels
extraLabels: {}
# -- Time for which old listener will still be active as draining
drainTime: 30s
# -- Number of replicas of the Ingress. Ignored when autoscaling is enabled.
replicas: 1
# -- Log level for ingress (available values: off|info|debug)
logLevel: info
# -- Define the resources to allocate to mesh ingress
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 1000m
memory: 512Mi
# -- Pod lifecycle settings (useful for adding a preStop hook, when
# using AWS ALB or NLB)
lifecycle: {}
# -- Number of seconds to wait before force killing the pod. Make sure to
# update this if you add a preStop hook.
terminationGracePeriodSeconds: 40
# Horizontal Pod Autoscaling configuration
autoscaling:
# -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
enabled: false
# -- The minimum CP pods to allow
minReplicas: 2
# -- The max CP pods to scale to
maxReplicas: 5
# -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used
targetCPUUtilizationPercentage: 80
# -- For clusters that do support autoscaling/v2, use metrics
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
service:
# -- Whether to create a Service resource.
enabled: true
# -- Service type of the Ingress
type: LoadBalancer
# -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer
loadBalancerIP:
# -- Additional annotations to put on the Ingress service
annotations: { }
# -- Port on which Ingress is exposed
port: 10001
# -- Port on which service is exposed on Node for service of type NodePort
nodePort:
# -- Additional pod annotations (deprecated favor `podAnnotations`)
annotations: { }
# -- Additional pod annotations
podAnnotations: { }
# -- Node Selector for the Ingress pods
nodeSelector:
kubernetes.io/os: linux
# -- Tolerations for the Ingress pods
tolerations: []
podDisruptionBudget:
# -- Whether to create a pod disruption budget
enabled: false
# -- The maximum number of unavailable pods allowed by the budget
maxUnavailable: 1
# -- Affinity placement rule for the Kuma Ingress pods
# This is rendered as a template, so you can reference other helm variables
# or includes.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
# These match the selector labels used on the deployment.
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- '{{ include "kuma.name" . }}'
- key: app.kubernetes.io/instance
operator: In
values:
- '{{ .Release.Name }}'
- key: app
operator: In
values:
- kuma-ingress
topologyKey: kubernetes.io/hostname
# -- Topology spread constraints rule for the Kuma Mesh Ingress pods.
# This is rendered as a template, so you can use variables to generate match labels.
topologySpreadConstraints:
# -- Security context at the pod level for ingress
podSecurityContext:
runAsNonRoot: true
runAsUser: 5678
runAsGroup: 5678
# -- Security context at the container level for ingress
containerSecurityContext:
readOnlyRootFilesystem: true
# -- Annotations to add for Control Plane's Service Account
serviceAccountAnnotations: { }
# -- Whether to automountServiceAccountToken for cp. Optionally set to false
automountServiceAccountToken: true
egress:
# -- If true, it deploys Egress for cross cluster communication
enabled: false
# -- Labels to add to resources, in addition to the default labels.
extraLabels: {}
# -- Time for which old listener will still be active as draining
drainTime: 30s
# -- Number of replicas of the Egress. Ignored when autoscaling is enabled.
replicas: 1
# -- Log level for egress (available values: off|info|debug)
logLevel: info
# Horizontal Pod Autoscaling configuration
autoscaling:
# -- Whether to enable Horizontal Pod Autoscaling, which requires the [Metrics Server](https://github.com/kubernetes-sigs/metrics-server) in the cluster
enabled: false
# -- The minimum CP pods to allow
minReplicas: 2
# -- The max CP pods to scale to
maxReplicas: 5
# -- For clusters that don't support autoscaling/v2, autoscaling/v1 is used
targetCPUUtilizationPercentage: 80
# -- For clusters that do support autoscaling/v2, use metrics
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 1000m
memory: 512Mi
service:
# -- Whether to create the service object
enabled: true
# -- Service type of the Egress
type: ClusterIP
# -- (string) Optionally specify IP to be used by cloud provider when configuring load balancer
loadBalancerIP:
# -- Additional annotations to put on the Egress service
annotations: { }
# -- Port on which Egress is exposed
port: 10002
# -- Port on which service is exposed on Node for service of type NodePort
nodePort:
# -- Additional pod annotations (deprecated favor `podAnnotations`)
annotations: { }
# -- Additional pod annotations
podAnnotations: { }
# -- Node Selector for the Egress pods
nodeSelector:
kubernetes.io/os: linux
# -- Tolerations for the Egress pods
tolerations: []
podDisruptionBudget:
# -- Whether to create a pod disruption budget
enabled: false
# -- The maximum number of unavailable pods allowed by the budget
maxUnavailable: 1
# -- Affinity placement rule for the Kuma Egress pods.
# This is rendered as a template, so you can reference other helm variables or includes.
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
# These match the selector labels used on the deployment.
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- '{{ include "kuma.name" . }}'
- key: app.kubernetes.io/instance
operator: In
values:
- '{{ .Release.Name }}'
- key: app
operator: In
values:
- kuma-egress
topologyKey: kubernetes.io/hostname
# -- Topology spread constraints rule for the Kuma Egress pods.
# This is rendered as a template, so you can use variables to generate match labels.
topologySpreadConstraints:
# -- Security context at the pod level for egress
podSecurityContext:
runAsNonRoot: true
runAsUser: 5678
runAsGroup: 5678
# -- Security context at the container level for egress
containerSecurityContext:
readOnlyRootFilesystem: true
# -- Annotations to add for Control Plane's Service Account
serviceAccountAnnotations: { }
# -- Whether to automountServiceAccountToken for cp. Optionally set to false
automountServiceAccountToken: true
kumactl:
image:
# -- The kumactl image repository
repository: kumactl
# -- The kumactl image tag. When not specified, the value is copied from global.tag
tag:
kubectl:
image:
# -- The kubectl image registry
registry: docker.io
# -- The kubectl image repository
repository: bitnami/kubectl
# -- The kubectl image tag
tag: "1.27.5"
hooks:
# -- Node selector for the HELM hooks
nodeSelector:
kubernetes.io/os: linux
# -- Tolerations for the HELM hooks
tolerations: []
# -- Security context at the pod level for crd/webhook/ns
podSecurityContext:
runAsNonRoot: true
# -- Security context at the container level for crd/webhook/ns
containerSecurityContext:
readOnlyRootFilesystem: true
# -- ebpf-cleanup hook needs write access to the root filesystem to clean ebpf programs
# Changing below values will potentially break ebpf cleanup completely,
# so be cautious when doing so.
ebpfCleanup:
# -- Security context at the pod level for crd/webhook/cleanup-ebpf
podSecurityContext:
runAsNonRoot: false
# -- Security context at the container level for crd/webhook/cleanup-ebpf
containerSecurityContext:
readOnlyRootFilesystem: false
experimental:
# Configuration for the experimental ebpf mode for transparent proxy
ebpf:
# -- If true, ebpf will be used instead of using iptables to install/configure transparent proxy
enabled: false
# -- Name of the environmental variable which will contain the IP address of a pod
instanceIPEnvVarName: INSTANCE_IP
# -- Path where BPF file system should be mounted
bpffsPath: /sys/fs/bpf
# -- Host's cgroup2 path
cgroupPath: /sys/fs/cgroup
# -- Name of the network interface which TC programs should be attached to, we'll try to automatically determine it if empty
tcAttachIface: ""
# -- Path where compiled eBPF programs which will be installed can be found
programsSourcePath: /tmp/kuma-ebpf
# -- If false, it uses legacy API for resource synchronization
deltaKds: true
# -- If true, enable native Kubernetes sidecars. This requires at least
# Kubernetes v1.29
sidecarContainers: false
# Postgres' settings for universal control plane on k8s
postgres:
# -- Postgres port, password should be provided as a secret reference in "controlPlane.secrets"
# with the Env value "KUMA_STORE_POSTGRES_PASSWORD".
# Example:
# controlPlane:
# secrets:
# - Secret: postgres-postgresql
# Key: postgresql-password
# Env: KUMA_STORE_POSTGRES_PASSWORD
port: "5432"
# TLS settings
tls:
# -- Mode of TLS connection. Available values are: "disable", "verifyNone", "verifyCa", "verifyFull"
mode: disable # ENV: KUMA_STORE_POSTGRES_TLS_MODE
# -- Whether to disable SNI the postgres `sslsni` option.
disableSSLSNI: false # ENV: KUMA_STORE_POSTGRES_TLS_DISABLE_SSLSNI
# -- Secret name that contains the ca.crt
caSecretName:
# -- Secret name that contains the client tls.crt, tls.key
secretName:
# @ignored for helm-docs
plugins:
resources:
hostnamegenerators: true
meshexternalservices: true
meshservices: true
policies:
meshaccesslogs: true
meshcircuitbreakers: true
meshfaultinjections: true
meshhealthchecks: true
meshhttproutes: true
meshloadbalancingstrategies: true
meshmetrics: true
meshpassthroughs: true
meshproxypatches: true
meshratelimits: true
meshretries: true
meshtcproutes: true
meshtimeouts: true
meshtraces: true
meshtrafficpermissions: true
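Review bot: The shipped `controlPlane.containerSecurityContext` (and the `hooks`, `ingress` and `egress` equivalents) sets only `readOnlyRootFilesystem: true`, which still permits privilege escalation and the full default capability set; with `runAsNonRoot: true` already at the pod level, adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` to these defaults, plus `seccompProfile: {type: RuntimeDefault}` on the podSecurityContext, would bring the chart to the Pod Security `restricted` profile. Every control-plane listener declared in this file is an unprivileged port (5443, 5680–5685), so `NET_BIND_SERVICE` should not be required, but I would confirm with a dry-run install before tightening the default; the `cni` block running as UID 0 is presumably the deliberate exception. Two documentation caveats: `controlPlane.tls.kdsGlobalServer.key` accepts a private key inline, and Helm keeps supplied values in the release record, so the comment should steer users toward `secretName` with an externally managed Secret (`# -- The TLS key to use. Prefer secretName; inline values are persisted in the Helm release record`). Finally, `kubectl.image.tag: "1.27.5"` pins a mutable tag rather than a digest, and that image runs with the cluster-wide CRD-mutating ServiceAccount of the install-crds hook, so exposing a `digest` value or documenting that operators should pin one would be a cheap supply-chain improvement.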

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

@ -0,0 +1,27 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Speedscale Operator
catalog.cattle.io/kube-version: '>= 1.17.0-0'
catalog.cattle.io/release-name: speedscale-operator
apiVersion: v1
appVersion: 2.2.509
description: Stress test your APIs with real world scenarios. Collect and replay
traffic without scripting.
home: https://speedscale.com
icon: file://assets/icons/speedscale-operator.png
keywords:
- speedscale
- test
- testing
- regression
- reliability
- load
- replay
- network
- traffic
kubeVersion: '>= 1.17.0-0'
maintainers:
- email: support@speedscale.com
name: Speedscale Support
name: speedscale-operator
version: 2.2.509

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2021 Speedscale
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.


@ -0,0 +1,111 @@
![GitHub Tag](https://img.shields.io/github/v/tag/speedscale/operator-helm)
# Speedscale Operator
The [Speedscale](https://www.speedscale.com) Operator is a [Kubernetes operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/)
that watches for deployments to be applied to the cluster and takes action based on annotations. The operator
can inject a proxy to capture traffic into or out of applications, or setup an isolation test environment around
a deployment for testing. The operator itself is a deployment that will be always present on the cluster once
the helm chart is installed.
## Prerequisites
- Kubernetes 1.20+
- Helm 3+
- Appropriate [network and firewall configuration](https://docs.speedscale.com/reference/networking) for Speedscale cloud and webhook traffic
## Get Repo Info
```bash
helm repo add speedscale https://speedscale.github.io/operator-helm/
helm repo update
```
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
## Install Chart
An API key is required. Sign up for a [free Speedscale trial](https://speedscale.com/free-trial/) if you do not have one.
```bash
helm install speedscale-operator speedscale/speedscale-operator \
-n speedscale \
--create-namespace \
--set apiKey=<YOUR-SPEEDSCALE-API-KEY> \
--set clusterName=<YOUR-CLUSTER-NAME>
```
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
### Pre-install job failure
We use pre-install job to check provided API key and provision some of the required resources.
If the job failed during the installation, you'll see the following error during install:
```
Error: INSTALLATION FAILED: failed pre-install: job failed: BackoffLimitExceeded
```
You can inspect the logs using this command:
```bash
kubectl -n speedscale logs job/speedscale-operator-pre-install
```
After fixing the error, uninstall the helm release, delete the failed job
and try installing again:
```bash
helm -n speedscale uninstall speedscale-operator
kubectl -n speedscale delete job speedscale-operator-pre-install
```
## Uninstall Chart
```bash
helm -n speedscale uninstall speedscale-operator
```
This removes all the Kubernetes components associated with the chart and deletes the release.
_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
CRDs created by this chart are not removed by default and should be manually cleaned up:
```bash
kubectl delete crd trafficreplays.speedscale.com
```
## Upgrading Chart
```bash
helm repo update
helm -n speedscale upgrade speedscale-operator speedscale/speedscale-operator
```
Resources capturing traffic will need to be rolled to pick up the latest
Speedscale sidecar. Use the rollout restart command for each namespace and
resource type:
```bash
kubectl -n <namespace> rollout restart deployment
```
With Helm v3, CRDs created by this chart are not updated by default
and should be manually updated.
Consult also the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions).
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
### Upgrading an existing Release to a new version
A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
incompatible breaking change needing manual actions.
## Help
Speedscale docs information available at [docs.speedscale.com](https://docs.speedscale.com) or join us
on the [Speedscale community Slack](https://join.slack.com/t/speedscalecommunity/shared_invite/zt-x5rcrzn4-XHG1QqcHNXIM~4yozRrz8A)!


@ -0,0 +1,111 @@
![GitHub Tag](https://img.shields.io/github/v/tag/speedscale/operator-helm)
# Speedscale Operator
The [Speedscale](https://www.speedscale.com) Operator is a [Kubernetes operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/)
that watches for deployments to be applied to the cluster and takes action based on annotations. The operator
can inject a proxy to capture traffic into or out of applications, or setup an isolation test environment around
a deployment for testing. The operator itself is a deployment that will be always present on the cluster once
the helm chart is installed.
## Prerequisites
- Kubernetes 1.20+
- Helm 3+
- Appropriate [network and firewall configuration](https://docs.speedscale.com/reference/networking) for Speedscale cloud and webhook traffic
## Get Repo Info
```bash
helm repo add speedscale https://speedscale.github.io/operator-helm/
helm repo update
```
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
## Install Chart
An API key is required. Sign up for a [free Speedscale trial](https://speedscale.com/free-trial/) if you do not have one.
```bash
helm install speedscale-operator speedscale/speedscale-operator \
-n speedscale \
--create-namespace \
--set apiKey=<YOUR-SPEEDSCALE-API-KEY> \
--set clusterName=<YOUR-CLUSTER-NAME>
```
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
### Pre-install job failure
We use pre-install job to check provided API key and provision some of the required resources.
If the job failed during the installation, you'll see the following error during install:
```
Error: INSTALLATION FAILED: failed pre-install: job failed: BackoffLimitExceeded
```
You can inspect the logs using this command:
```bash
kubectl -n speedscale logs job/speedscale-operator-pre-install
```
After fixing the error, uninstall the helm release, delete the failed job
and try installing again:
```bash
helm -n speedscale uninstall speedscale-operator
kubectl -n speedscale delete job speedscale-operator-pre-install
```
## Uninstall Chart
```bash
helm -n speedscale uninstall speedscale-operator
```
This removes all the Kubernetes components associated with the chart and deletes the release.
_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
CRDs created by this chart are not removed by default and should be manually cleaned up:
```bash
kubectl delete crd trafficreplays.speedscale.com
```
## Upgrading Chart
```bash
helm repo update
helm -n speedscale upgrade speedscale-operator speedscale/speedscale-operator
```
Resources capturing traffic will need to be rolled to pick up the latest
Speedscale sidecar. Use the rollout restart command for each namespace and
resource type:
```bash
kubectl -n <namespace> rollout restart deployment
```
With Helm v3, CRDs created by this chart are not updated by default
and should be manually updated.
Consult also the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions).
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
### Upgrading an existing Release to a new version
A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
incompatible breaking change needing manual actions.
## Help
Speedscale docs information available at [docs.speedscale.com](https://docs.speedscale.com) or join us
on the [Speedscale community Slack](https://join.slack.com/t/speedscalecommunity/shared_invite/zt-x5rcrzn4-XHG1QqcHNXIM~4yozRrz8A)!


@ -0,0 +1,9 @@
questions:
- variable: apiKey
default: "fffffffffffffffffffffffffffffffffffffffffffff"
description: "An API key is required to connect to the Speedscale cloud."
required: true
type: string
label: API Key
group: Authentication
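Review bot: The `apiKey` question ships a non-empty placeholder default (`"fff…"`) together with `required: true`, so a form submitted untouched satisfies the required check and the placeholder is what reaches the chart's pre-install key check rather than being rejected in the UI; with `default: ""` the `required: true` flag actually forces the user to supply a key. The key is also declared `type: string`, which renders it in clear text in the form; `type: password` masks it as an API credential should be. If the placeholder is intentional as a visual hint, a `description` stating that it must be replaced would make that explicit.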


@ -0,0 +1,12 @@
Thank you for installing the Speedscale Operator!
Next you'll need to add the Speedscale Proxy Sidecar to your deployments.
See https://docs.speedscale.com/setup/sidecar/install/
If upgrading use the rollout restart command for each namespace and resource
type to ensure Speedscale sidecars are updated:
kubectl -n <namespace> rollout restart deployment
Once your deployment is running the sidecar your service will show up on
https://app.speedscale.com/.


@ -0,0 +1,209 @@
{{- $cacrt := "" -}}
{{- $crt := "" -}}
{{- $key := "" -}}
{{- $s := (lookup "v1" "Secret" .Release.Namespace "speedscale-webhook-certs") -}}
{{- if $s -}}
{{- $cacrt = index $s.data "ca.crt" | default (index $s.data "tls.crt") | b64dec -}}
{{- $crt = index $s.data "tls.crt" | b64dec -}}
{{- $key = index $s.data "tls.key" | b64dec -}}
{{ else }}
{{- $altNames := list ( printf "speedscale-operator.%s" .Release.Namespace ) ( printf "speedscale-operator.%s.svc" .Release.Namespace ) -}}
{{- $ca := genCA "speedscale-operator" 3650 -}}
{{- $cert := genSignedCert "speedscale-operator" nil $altNames 3650 $ca -}}
{{- $cacrt = $ca.Cert -}}
{{- $crt = $cert.Cert -}}
{{- $key = $cert.Key -}}
{{- end -}}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
creationTimestamp: null
name: speedscale-operator
annotations:
argocd.argoproj.io/hook: PreSync
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ $cacrt | b64enc }}
service:
name: speedscale-operator
namespace: {{ .Release.Namespace }}
path: /mutate
failurePolicy: Ignore
name: sidecar.speedscale.com
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: "NotIn"
values:
- kube-system
- kube-node-lease
{{- if .Values.namespaceSelector }}
- key: kubernetes.io/metadata.name
operator: "In"
values:
{{- range .Values.namespaceSelector }}
- {{ . | quote }}
{{- end }}
{{- end }}
reinvocationPolicy: IfNeeded
rules:
- apiGroups:
- apps
- batch
apiVersions:
- v1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- deployments
- statefulsets
- daemonsets
- jobs
- replicasets
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- pods
- apiGroups:
- argoproj.io
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
- DELETE
resources:
- rollouts
sideEffects: None
timeoutSeconds: 10
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
creationTimestamp: null
name: speedscale-operator-replay
annotations:
argocd.argoproj.io/hook: PreSync
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ $cacrt | b64enc }}
service:
name: speedscale-operator
namespace: {{ .Release.Namespace }}
path: /mutate-speedscale-com-v1-trafficreplay
failurePolicy: Fail
name: replay.speedscale.com
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: "NotIn"
values:
- kube-system
- kube-node-lease
{{- if .Values.namespaceSelector }}
- key: kubernetes.io/metadata.name
operator: "In"
values:
{{- range .Values.namespaceSelector }}
- {{ . | quote }}
{{- end }}
{{- end }}
rules:
- apiGroups:
- speedscale.com
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- trafficreplays
sideEffects: None
timeoutSeconds: 10
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
creationTimestamp: null
name: speedscale-operator-replay
annotations:
argocd.argoproj.io/hook: PreSync
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ $cacrt | b64enc }}
service:
name: speedscale-operator
namespace: {{ .Release.Namespace }}
path: /validate-speedscale-com-v1-trafficreplay
failurePolicy: Fail
name: replay.speedscale.com
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: "NotIn"
values:
- kube-system
- kube-node-lease
{{- if .Values.namespaceSelector }}
- key: kubernetes.io/metadata.name
operator: "In"
values:
{{- range .Values.namespaceSelector }}
- {{ . | quote }}
{{- end }}
{{- end }}
rules:
- apiGroups:
- speedscale.com
apiVersions:
- v1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- trafficreplays
sideEffects: None
timeoutSeconds: 10
---
apiVersion: v1
kind: Secret
metadata:
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: before-hook-creation
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
creationTimestamp: null
name: speedscale-webhook-certs
namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
ca.crt: {{ $cacrt | b64enc }}
tls.crt: {{ $crt | b64enc }}
tls.key: {{ $key | b64enc }}
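Review bot: The `speedscale-webhook-certs` Secret at the end of the hunk runs only as a `pre-install` hook, while the three webhook configurations above it are ordinary templated resources that are re-rendered on every upgrade from the same `$cacrt`; if the secret is missing at upgrade time (deleted, or a render where `lookup` returns nothing, which presumably includes `helm template` and the ArgoCD path the `PreSync` annotations suggest), the `else` branch generates a fresh CA, the webhooks' `caBundle` is rewritten, but the secret the operator serves TLS from is never recreated, and the two `failurePolicy: Fail` replay webhooks will then reject TrafficReplay requests on a trust failure. Declaring the hook as `helm.sh/hook: pre-install,pre-upgrade` keeps the secret and the caBundles derived from the same generated material. Separately, `failurePolicy: Ignore` on `sidecar.speedscale.com` is fail-open — a webhook outage silently skips sidecar injection — and deserves a comment such as `# Ignore: an operator outage must not block workload admission; injection is simply skipped` so the choice is recorded.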


@ -0,0 +1,43 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: speedscale-operator
namespace: {{ .Release.Namespace }}
annotations:
argocd.argoproj.io/hook: PreSync
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
data:
CLUSTER_NAME: {{ .Values.clusterName }}
IMAGE_PULL_POLICY: {{ .Values.image.pullPolicy }}
IMAGE_PULL_SECRETS: ""
IMAGE_REGISTRY: {{ .Values.image.registry }}
IMAGE_TAG: {{ .Values.image.tag }}
INSTANCE_ID: '{{- $cm := (lookup "v1" "ConfigMap" .Release.Namespace "speedscale-operator") -}}{{ if $cm }}{{ $cm.data.INSTANCE_ID }}{{ else }}{{ ( printf "%s-%s" .Values.clusterName uuidv4 ) }}{{ end }}'
LOG_LEVEL: {{ .Values.logLevel }}
SPEEDSCALE_DLP_CONFIG: {{ .Values.dlp.config }}
SPEEDSCALE_FILTER_RULE: {{ .Values.filterRule }}
TELEMETRY_INTERVAL: 1s
WITH_DLP: {{ .Values.dlp.enabled | quote }}
WITH_INSPECTOR: {{ .Values.dashboardAccess | quote }}
API_KEY_SECRET_NAME: {{ .Values.apiKeySecret | quote }}
DEPLOY_DEMO: {{ .Values.deployDemo | quote }}
GLOBAL_ANNOTATIONS: {{ .Values.globalAnnotations | toJson | quote }}
GLOBAL_LABELS: {{ .Values.globalLabels | toJson | quote }}
{{- if .Values.http_proxy }}
HTTP_PROXY: {{ .Values.http_proxy }}
{{- end }}
{{- if .Values.https_proxy }}
HTTPS_PROXY: {{ .Values.https_proxy }}
{{- end }}
{{- if .Values.no_proxy }}
NO_PROXY: {{ .Values.no_proxy }}
{{- end }}
PRIVILEGED_SIDECARS: {{ .Values.privilegedSidecars | quote }}
DISABLE_SMARTDNS: {{ .Values.disableSidecarSmartReverseDNS | quote }}
SIDECAR_CONFIG: {{ .Values.sidecar | toJson | quote }}
FORWARDER_CONFIG: {{ .Values.forwarder | toJson | quote }}
TEST_PREP_TIMEOUT: {{ .Values.operator.test_prep_timeout }}
CONTROL_PLANE_TIMEOUT: {{ .Values.operator.control_plane_timeout }}
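Review bot: Several `data` entries are rendered without `| quote` (`CLUSTER_NAME`, `IMAGE_PULL_POLICY`, `IMAGE_REGISTRY`, `IMAGE_TAG`, `LOG_LEVEL`, `SPEEDSCALE_DLP_CONFIG`, `SPEEDSCALE_FILTER_RULE`, the three proxy keys, `TEST_PREP_TIMEOUT`, `CONTROL_PLANE_TIMEOUT`) while their neighbours use it; a ConfigMap only accepts string values, so a value YAML types differently — an `image.tag` such as `1.10` or `2024`, a `clusterName` such as `on`, an empty `filterRule` that renders as `null` — is either silently mis-typed or rejected by the API server at apply time. Rendering each as `{{ .Values.image.tag | quote }}` (and likewise for the others) makes the output type-stable and also protects free-form values containing `: ` or ` #`, which `dlp.config` and `filterRule` presumably can be. `IMAGE_PULL_SECRETS: ""` is hard-coded while the neighbouring image settings are value-driven; if that is deliberate a one-line comment saying so would stop the next reader from wiring it to a value.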


@ -0,0 +1,525 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
creationTimestamp: null
name: trafficreplays.speedscale.com
spec:
group: speedscale.com
names:
kind: TrafficReplay
listKind: TrafficReplayList
plural: trafficreplays
shortNames:
- replay
singular: trafficreplay
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.active
name: Active
type: boolean
- jsonPath: .spec.mode
name: Mode
type: string
- jsonPath: .status.conditions[-1:].message
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: TrafficReplay is the Schema for the trafficreplays API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TrafficReplaySpec defines the desired state of TrafficReplay
properties:
buildTag:
description: |-
BuildTag links a unique tag, build hash, etc. to the generated
traffic replay report. That way you can connect the report results to the
version of the code that was tested.
type: string
cleanup:
description: |-
Cleanup is the name of cleanup mode used for this TrafficReplay. Set to
"none" to leave resources in the state they were during the replay. The
default mode "inventory" will revert the environment to the state it was
before the replay.
enum:
- inventory
- all
- none
type: string
collectLogs:
description: |-
CollectLogs enables or disables log collection from target
workload. Defaults to true.
DEPRECATED: use TestReport.ActualConfig.Cluster.CollectLogs
type: boolean
configChecksum:
description: |-
ConfigChecksum, managed my the operator, is the SHA1 checksum of the
configuration.
type: string
customURL:
description: |-
CustomURL specifies a custom URL to send *ALL* traffic to. Use
Workload.CustomURI to send traffic to a specific URL for only that
workload.
type: string
generatorLowData:
description: |-
GeneratorLowData forces the generator into a high
efficiency/low data output mode. This is ideal for high volume
performance tests. Defaults to false.
DEPRECATED
type: boolean
mode:
description: Mode is the name of replay mode used for this TrafficReplay.
enum:
- full-replay
- responder-only
- generator-only
type: string
needsReport:
description: Indicates whether a responder-only replay needs a report.
type: boolean
proxyMode:
description: |-
ProxyMode defines proxy operational mode used with injected sidecar.
DEPRECATED
type: string
responderLowData:
description: |-
ResponderLowData forces the responder into a high
efficiency/low data output mode. This is ideal for high volume
performance tests. Defaults to false.
DEPRECATED
type: boolean
secretRefs:
description: |-
SecretRefs hold the references to the secrets which contain
various secrets like (e.g. short-lived JWTs to be used by the generator
for authorization with HTTP calls).
items:
description: |-
LocalObjectReference contains enough information to locate the referenced
Kubernetes resource object.
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
type: array
sidecar:
description: |-
Sidecar defines sidecar specific configuration.
DEPRECATED: use Workloads
properties:
inject:
description: 'DEPRECATED: do not use'
type: boolean
patch:
description: Patch is .yaml file patch for the Workload
format: byte
type: string
tls:
properties:
in:
description: In provides configuration for sidecar inbound
TLS.
properties:
private:
description: Private is the filename of the TLS inbound
private key.
type: string
public:
description: Public is the filename of the TLS inbound
public key.
type: string
secret:
description: Secret is a secret with the TLS keys to use
for inbound traffic.
type: string
type: object
mutual:
description: Mutual provides configuration for sidecar mutual
TLS.
properties:
private:
description: Private is the filename of the mutual TLS
private key.
type: string
public:
description: Public is the filename of the mutual TLS
public key.
type: string
secret:
description: Secret is a secret with the mutual TLS keys.
type: string
type: object
out:
description: |-
Out enables or disables TLS out on the
sidecar during replay.
type: boolean
type: object
type: object
snapshotID:
description: |-
SnapshotID is the id of the traffic snapshot for this
TrafficReplay.
type: string
testConfigID:
description: |-
TestConfigID is the id of the replay configuration to be used
by the generator and responder for the TrafficReplay.
type: string
timeout:
description: |-
Timeout is the time to wait for replay test to finish. Defaults
to value of the `TIMEOUT` setting of the operator.
type: string
ttlAfterReady:
description: |-
TTLAfterReady provides a TTL (time to live) mechanism to limit
the lifetime of TrafficReplay object that have finished the execution and
reached its final state (either complete or failed).
type: string
workloadRef:
description: |-
WorkloadRef is the reference to the target workload (SUT) for
TrafficReplay. The operations will be performed in the namespace of the
target object.
DEPRECATED: use Workloads
properties:
apiVersion:
description: API version of the referenced object.
type: string
kind:
description: Kind of the referenced object. Defaults to "Deployment".
type: string
name:
description: |-
Name of the referenced object. Required when defining for a test unless a
custom URI is provided. Always required when defining mocks.
type: string
namespace:
description: Namespace of the referenced object. Defaults to the
TrafficReplay namespace.
type: string
required:
- name
type: object
workloads:
description: |-
Workloads define target workloads (SUT) for a TrafficReplay. Many
workloads may be provided, or none. Workloads may be modified and
restarted during replay to configure communication with a responder.
items:
description: |-
Workload represents a Kubernetes workload to be targeted during replay and
associated settings.
properties:
customURI:
description: |-
CustomURI will be target of the traffic instead of directly targeting
workload. This is required if a Ref is not specified.
type: string
inTrafficKey:
description: 'DEPRECATED: use Tests'
type: string
inTrafficKeys:
description: 'DEPRECATED: use Tests'
items:
type: string
type: array
mocks:
description: |-
Mocks are strings used to identify slices of outbound snapshot traffic to
mock for this workload and maps directly to a snapshot's `OutTraffic`
field. Snapshot egress traffic can be split across multiple slices where
each slice contains part of the traffic. A workload may specify multiple
keys and multiple workloads may specify the same key.
Only the traffic slices defined here will be mocked. A workload with no
keys defined will not mock any traffic. Pass '*' to mock all traffic.
Mock strings may only match part of the snapshot's `OutTraffic` key if the
string matches exactly one key. For example, the test string
`foo.example.com` would match the `OutTraffic` key of
my-service:foo.example.com:8080, as long as no other keys would match
`foo.example.com`. Multiple mocks must be specified for multiple keys
unless using '*'.
items:
type: string
type: array
outTrafficKeys:
description: 'DEPRECATED: use Mocks'
items:
type: string
type: array
ref:
description: |-
Ref is a reference to a cluster workload, like a deployment or a
statefulset. This is required unless a CustomURI is specified.
properties:
apiVersion:
description: API version of the referenced object.
type: string
kind:
description: Kind of the referenced object. Defaults to
"Deployment".
type: string
name:
description: |-
Name of the referenced object. Required when defining for a test unless a
custom URI is provided. Always required when defining mocks.
type: string
namespace:
description: Namespace of the referenced object. Defaults
to the TrafficReplay namespace.
type: string
required:
- name
type: object
routing:
description: Routing configures how workloads route egress traffic
to responders
enum:
- hostalias
- nat
type: string
sidecar:
description: |-
TODO: this is not implemented, come back and replace deprecated Sidecar with workload specific settings
Sidecar defines sidecar specific configuration.
properties:
inject:
description: 'DEPRECATED: do not use'
type: boolean
patch:
description: Patch is .yaml file patch for the Workload
format: byte
type: string
tls:
properties:
in:
description: In provides configuration for sidecar inbound
TLS.
properties:
private:
description: Private is the filename of the TLS
inbound private key.
type: string
public:
description: Public is the filename of the TLS inbound
public key.
type: string
secret:
description: Secret is a secret with the TLS keys
to use for inbound traffic.
type: string
type: object
mutual:
description: Mutual provides configuration for sidecar
mutual TLS.
properties:
private:
description: Private is the filename of the mutual
TLS private key.
type: string
public:
description: Public is the filename of the mutual
TLS public key.
type: string
secret:
description: Secret is a secret with the mutual
TLS keys.
type: string
type: object
out:
description: |-
Out enables or disables TLS out on the
sidecar during replay.
type: boolean
type: object
type: object
tests:
description: |-
Tests are strings used to identify slices of inbound snapshot traffic this
workload is targeting and maps directly to a snapshot's `InTraffic` field.
Snapshot ingress traffic can be split across multiple slices where each
slice contains part of the traffic. A key must only be specified once
across all workloads, but a workload may specify multiple keys. Pass '*'
to match all keys.
Test strings may only match part of the snapshot's `InTraffic` key if the
string matches exactly one key. For example, the test string
`foo.example.com` would match the `InTraffic` key of
my-service:foo.example.com:8080, as long as no other keys would match
`foo.example.com`
This field is optional in the spec to provide support for single-workload
and legacy replays, but must be specified for multi-workload replays in
order to provide deterministic replay configuration.
items:
type: string
type: array
type: object
type: array
required:
- snapshotID
- testConfigID
type: object
status:
default:
observedGeneration: -1
description: TrafficReplayStatus defines the observed state of TrafficReplay
properties:
active:
description: Active indicates whether this traffic replay is currently
underway or not.
type: boolean
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
finishedTime:
description: Information when the traffic replay has finished.
format: date-time
type: string
initializedTime:
description: Information when the test environment was successfully
prepared.
format: date-time
type: string
lastHeartbeatTime:
description: 'DEPRECATED: will not be set'
format: date-time
type: string
observedGeneration:
description: ObservedGeneration is the last observed generation.
format: int64
type: integer
reconcileFailures:
description: |-
ReconcileFailures is the number of times the traffic replay controller
experienced an error during the reconciliation process. The traffic
replay will be deleted if too many errors occur.
format: int64
type: integer
reportID:
description: The id of the traffic replay report created.
type: string
reportURL:
description: The url to the traffic replay report.
type: string
startedTime:
description: Information when the traffic replay has started.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

@ -0,0 +1,132 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
operator.speedscale.com/ignore: "true"
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
labels:
app: speedscale-operator
controlplane.speedscale.com/component: operator
{{- if .Values.globalLabels }}
{{ toYaml .Values.globalLabels | indent 4}}
{{- end }}
name: speedscale-operator
namespace: {{ .Release.Namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: speedscale-operator
controlplane.speedscale.com/component: operator
strategy:
type: Recreate
template:
metadata:
annotations:
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 8}}
{{- end }}
labels:
app: speedscale-operator
controlplane.speedscale.com/component: operator
{{- if .Values.globalLabels }}
{{ toYaml .Values.globalLabels | indent 8}}
{{- end }}
spec:
containers:
- command:
- /operator
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
envFrom:
- configMapRef:
name: speedscale-operator
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core
# When a key exists in multiple sources, the value associated with the last source will take precedence.
# Values defined by an Env with a duplicate key will take precedence.
- configMapRef:
name: speedscale-operator-override
optional: true
- secretRef:
name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}'
optional: false
image: '{{ .Values.image.registry }}/operator:{{ .Values.image.tag }}'
imagePullPolicy: {{ .Values.image.pullPolicy }}
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: health-check
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
name: operator
ports:
- containerPort: 443
name: webhook-server
- containerPort: 8081
name: health-check
readinessProbe:
failureThreshold: 10
httpGet:
path: /readyz
port: health-check
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 5
resources: {{- toYaml .Values.operator.resources | nindent 10 }}
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
# Run as root to bind 443 https://github.com/kubernetes/kubernetes/issues/56374
runAsUser: 0
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: webhook-certs
readOnly: true
- mountPath: /etc/ssl/speedscale
name: speedscale-tls-out
readOnly: true
hostNetwork: {{ .Values.hostNetwork }}
securityContext:
runAsNonRoot: true
serviceAccountName: speedscale-operator
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: tmp
- name: webhook-certs
secret:
secretName: speedscale-webhook-certs
- name: speedscale-tls-out
secret:
secretName: speedscale-certs
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
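Review bot: The container securityContext (`runAsNonRoot: false`, `runAsUser: 0`) overrides the pod-level `runAsNonRoot: true`, so the operator runs as uid 0 with the runtime's full default capability set, and when `hostNetwork` is set to true it does so in the node's network namespace. The comment says root exists only to bind port 443; if that is the only reason, keep a non-root user and grant the single capability instead, `capabilities: {drop: ["ALL"], add: ["NET_BIND_SERVICE"]}`, noting that for a non-root user the added capability only takes effect when the runtime grants ambient capabilities or the binary carries file capabilities (the linked issue 56374 is about exactly this), so verify on the target runtime. If root must stay for other reasons, `capabilities: {drop: ["ALL"]}` alone still removes the bulk of the exposure. An alternative that avoids the question entirely is listening on an unprivileged port such as 9443 and pointing the Service's targetPort at the `webhook-server` named port.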

@ -0,0 +1,73 @@
---
apiVersion: batch/v1
kind: Job
metadata:
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "4"
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
creationTimestamp: null
name: speedscale-operator-pre-install
namespace: {{ .Release.Namespace }}
labels:
{{- if .Values.globalLabels }}
{{ toYaml .Values.globalLabels | indent 4}}
{{- end }}
spec:
backoffLimit: 0
ttlSecondsAfterFinished: 30
template:
metadata:
annotations:
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 8}}
{{- end }}
creationTimestamp: null
labels:
{{- if .Values.globalLabels }}
{{ toYaml .Values.globalLabels | indent 8}}
{{- end }}
spec:
containers:
- args:
- |-
# ensure valid settings before the chart reports a successfull install
{{- if .Values.http_proxy }}
HTTP_PROXY={{ .Values.http_proxy | quote }} \
{{- end }}
{{- if .Values.https_proxy }}
HTTPS_PROXY={{ .Values.https_proxy | quote }} \
{{- end }}
{{- if .Values.no_proxy }}
NO_PROXY={{ .Values.no_proxy | quote }} \
{{- end }}
speedctl init --overwrite --no-rcfile-update \
--api-key $SPEEDSCALE_API_KEY \
--app-url $SPEEDSCALE_APP_URL
# in case we're in istio
curl -X POST http://127.0.0.1:15000/quitquitquit || true
command:
- sh
- -c
envFrom:
- secretRef:
name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}'
optional: false
image: '{{ .Values.image.registry }}/speedscale-cli:{{ .Values.image.tag }}'
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: speedscale-cli
resources: {}
restartPolicy: Never
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
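Review bot: The validation script never fails the hook: `sh -c` returns the status of its last command, which is `curl ... || true`, so a failing `speedctl init` (bad key, wrong app URL, unreachable proxy) still lets the install proceed, contradicting the script's own first comment. Capture the status instead of relying on the last command: append ` ; rc=$?` to the `--app-url $SPEEDSCALE_APP_URL` line, keep the `curl` line as it is, and finish the script with `exit $rc` (`set -e` would also work but would skip the istio `quitquitquit` call on failure and leave the job pod hanging). Separately, `--api-key $SPEEDSCALE_API_KEY` places the key on the command line where it is visible in the pod's process list; if `speedctl` can read it from the environment, that form is preferable (not verifiable from the hunk). The comment typo `successfull` should read `successful`.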

@ -0,0 +1,244 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: speedscale-operator
{{- if .Values.globalAnnotations }}
annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- apps
resources:
- deployments
- statefulsets
- daemonsets
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- replicasets
verbs:
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- list
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
verbs:
- get
- list
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
- secrets
- pods
- services
- serviceaccounts
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- list
- apiGroups:
- ""
resources:
- events
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- metrics.k8s.io
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.istio.io
resources:
- envoyfilters
- sidecars
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- security.istio.io
resources:
- peerauthentications
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- speedscale.com
resources:
- trafficreplays
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- speedscale.com
resources:
- trafficreplays/status
verbs:
- get
- update
- patch
- apiGroups:
- argoproj.io
resources:
- rollouts
verbs:
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: speedscale-operator
{{- if .Values.globalAnnotations }}
annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: speedscale-operator
subjects:
- kind: ServiceAccount
name: speedscale-operator
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
creationTimestamp: null
labels:
app: speedscale-operator
controlplane.speedscale.com/component: operator
name: speedscale-operator
namespace: {{ .Release.Namespace }}
{{- if .Values.globalAnnotations }}
annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
{{- end }}
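Review bot: The ClusterRole's `""` rule granting create/delete/patch/update on `secrets`, `pods`, `serviceaccounts`, together with the same verbs on `roles`/`rolebindings`, makes the `speedscale-operator` ServiceAccount close to cluster-admin: it can read every Secret in the cluster and run pods under any ServiceAccount in any namespace. Nothing in the hunk explains why cluster scope is needed rather than per-namespace Roles in the namespaces the operator acts on, so at minimum document it above that rule, e.g. `# cluster-wide: the operator creates replay pods/secrets in user-selected namespaces` (wording to be confirmed by the authors), and consider a values toggle that restricts the grant to a namespace list. The `get`/`list` on all `pods/log` and on `clusterroles`/`clusterrolebindings` would benefit from the same one-line justification.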

@ -0,0 +1,18 @@
---
{{ if .Values.apiKey }}
apiVersion: v1
kind: Secret
metadata:
name: speedscale-apikey
namespace: {{ .Release.Namespace }}
annotations:
helm.sh/hook: pre-install
helm.sh/hook-weight: "3"
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
type: Opaque
data:
SPEEDSCALE_API_KEY: {{ .Values.apiKey | b64enc }}
SPEEDSCALE_APP_URL: {{ .Values.appUrl | b64enc }}
{{ end }}
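Review bot: The Secret is a `pre-install` hook only, so a later `helm upgrade` with a rotated `apiKey` or changed `appUrl` never rewrites it, and Helm stops tracking it after creation, so it also survives `helm uninstall` with the key inside. `helm.sh/hook: pre-install,pre-upgrade` covers the rotation case; do not add a `hook-succeeded` delete policy, because the Deployment's `secretRef` needs the Secret to persist (it is presumably a hook at all only so the weight-4 pre-install Job can read it). Since `apiKey` also lands in the release values, pointing `apiKeySecret` at a pre-created Secret, which the Deployment and Job already support, keeps the key out of Helm state entirely and is worth recommending in the values documentation.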

@ -0,0 +1,22 @@
---
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app: speedscale-operator
controlplane.speedscale.com/component: operator
name: speedscale-operator
namespace: {{ .Release.Namespace }}
{{- if .Values.globalAnnotations }}
annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
{{- end }}
spec:
ports:
- port: 443
protocol: TCP
selector:
app: speedscale-operator
controlplane.speedscale.com/component: operator
status:
loadBalancer: {}
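Review bot: The single port entry has no `name` and no `targetPort`, so it relies on the default of targetPort equal to `port` 443 matching the Deployment's `webhook-server` containerPort by number alone. `targetPort: webhook-server` (and a `name: https`) binds the Service to the named container port, so moving the webhook off 443, the stated reason the Deployment runs as root, cannot silently break webhook delivery.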
