Packages:

config.openservicemesh.io/v1alpha2

Package v1alpha2 is the v1alpha2 version of the API.

Resource Types:

    CertManagerProviderSpec

    (Appears on:ProviderSpec)

    CertManagerProviderSpec defines the configuration of the cert-manager provider

    Field Description
    issuerName
    string

    IssuerName specifies the name of the Issuer resource

    issuerKind
    string

    IssuerKind specifies the kind of Issuer

    issuerGroup
    string

    IssuerGroup specifies the group the Issuer belongs to

    CertificateSpec

    (Appears on:MeshConfigSpec)

    CertificateSpec is the type to represent OSM’s certificate management configuration.

    Field Description
    serviceCertValidityDuration
    string

    ServiceCertValidityDuration defines the service certificate validity duration.

    certKeyBitSize
    int

    CertKeyBitSize defines the certificate key bit size.

    ingressGateway
    IngressGatewayCertSpec
    (Optional)

    IngressGateway defines the certificate specification for an ingress gateway.

    ExtensionService

    ExtensionService defines the configuration of the external service that an OSM managed mesh integrates with.

    Field Description
    metadata
    Kubernetes meta/v1.ObjectMeta
    (Optional)

    Object’s metadata.

    Refer to the Kubernetes API documentation for the fields of the metadata field.
    spec
    ExtensionServiceSpec
    (Optional)

    Spec defines the specification of the extension service.

    The fields of the spec are those of ExtensionServiceSpec (listed under that type below).

    ExtensionServiceSpec

    (Appears on:ExtensionService)

    ExtensionServiceSpec defines the specification of the extension service.

    Field Description
    host
    string

    Host defines the hostname of the extension service.

    port
    uint32

    Port defines the port number of the extension service.

    protocol
    string

    Protocol defines the protocol of the extension service.

    connectTimeout
    Kubernetes meta/v1.Duration
    (Optional)

    ConnectTimeout defines the timeout for connecting to the extension service.

    ExternalAuthzSpec

    (Appears on:TrafficSpec)

    ExternalAuthzSpec is a type to represent external authorization configuration.

    Field Description
    enable
    bool

    Enable defines a boolean indicating if the external authorization policy is to be enabled.

    address
    string

    Address defines the remote address of the external authorization endpoint.

    port
    uint16

    Port defines the destination port of the remote external authorization endpoint.

    statPrefix
    string

    StatPrefix defines a prefix for the stats sink for this external authorization policy.

    timeout
    string

    Timeout defines the timeout within which a response from the external authorization endpoint is expected.

    failureModeAllow
    bool

    FailureModeAllow defines a boolean indicating if traffic should be allowed on a failure to get a response against the external authorization endpoint.

    FeatureFlags

    (Appears on:MeshConfigSpec)

    FeatureFlags is a type to represent OSM’s feature flags.

    Field Description
    enableWASMStats
    bool

    EnableWASMStats defines if WASM Stats are enabled.

    enableEgressPolicy
    bool

    EnableEgressPolicy defines if OSM’s EgressPolicy API is enabled. DEPRECATED, do not use. Disable mesh-wide global egress by setting ‘spec.traffic.enableEgress’ to ‘false’ to implicitly enable the usage of EgressPolicy API.

    enableSnapshotCacheMode
    bool

    EnableSnapshotCacheMode defines if XDS server starts with snapshot cache.

    enableAsyncProxyServiceMapping
    bool

    EnableAsyncProxyServiceMapping defines if OSM will map proxies to services asynchronously.

    enableIngressBackendPolicy
    bool

    EnableIngressBackendPolicy defines if OSM will use the IngressBackend API to allow ingress traffic to service mesh backends.

    enableEnvoyActiveHealthChecks
    bool

    EnableEnvoyActiveHealthChecks defines if OSM will enable Envoy active health checks between services allowed to communicate.

    enableRetryPolicy
    bool

    EnableRetryPolicy defines if retry policy is enabled.

    IngressGatewayCertSpec

    (Appears on:CertificateSpec)

    IngressGatewayCertSpec is the type to represent the certificate specification for an ingress gateway.

    Field Description
    subjectAltNames
    []string

    SubjectAltNames defines the Subject Alternative Names (domain names and IP addresses) secured by the certificate.

    validityDuration
    string

    ValidityDuration defines the validity duration of the certificate.

    secret
    Kubernetes core/v1.SecretReference

    Secret defines the secret in which the certificate is stored.

    LocalProxyMode (string alias)

    (Appears on:SidecarSpec)

    LocalProxyMode is a type alias representing the way the envoy sidecar proxies to the main application

    Value Description

    "Localhost"

    LocalProxyModeLocalhost indicates that the sidecar should communicate with the main application over localhost.

    "PodIP"

    LocalProxyModePodIP indicates that the sidecar should communicate with the main application via the pod IP.

    MeshConfig

    MeshConfig is the type used to represent the mesh configuration.

    Field Description
    metadata
    Kubernetes meta/v1.ObjectMeta
    (Optional)

    Object’s metadata.

    Refer to the Kubernetes API documentation for the fields of the metadata field.
    spec
    MeshConfigSpec
    (Optional)

    Spec is the MeshConfig specification.

    The fields of the spec are those of MeshConfigSpec (listed under that type below).

    MeshConfigSpec

    (Appears on:MeshConfig)

    MeshConfigSpec is the spec for OSM’s configuration.

    Field Description
    sidecar
    SidecarSpec

    Sidecar defines the configurations of the proxy sidecar in a mesh.

    traffic
    TrafficSpec

    Traffic defines the traffic management configurations for a mesh instance.

    observability
    ObservabilitySpec

    Observability defines the observability configurations for a mesh instance.

    certificate
    CertificateSpec

    Certificate defines the certificate management configurations for a mesh instance.

    featureFlags
    FeatureFlags

    FeatureFlags defines the feature flags for a mesh instance.

    MeshRootCertificate

    MeshRootCertificate defines the configuration for certificate issuing by the mesh control plane

    Field Description
    metadata
    Kubernetes meta/v1.ObjectMeta
    (Optional)

    Object’s metadata

    Refer to the Kubernetes API documentation for the fields of the metadata field.
    spec
    MeshRootCertificateSpec
    (Optional)

    Spec is the MeshRootCertificate config specification

    The fields of the spec are those of MeshRootCertificateSpec (listed under that type below).

    status
    MeshRootCertificateStatus
    (Optional)

    Status of the MeshRootCertificate resource

    MeshRootCertificateComponentStatus (string alias)

    (Appears on:MeshRootCertificateComponentStatuses)

    MeshRootCertificateComponentStatus specifies the status of the certificate component, can be (Issuing, Validating, Unknown).

    Value Description

    "issuing"

    Issuing means that the root cert described by this MRC is now issuing certs for this component of OSM.

    "unknown"

    UnknownComponentStatus means that the use of the root cert described by this MRC is in an unknown state for this component.

    "unused"

    Unused means that the root cert described by this MRC is unused.

    "validating"

    Validating means that the root cert’s cert chain, described by this MRC, is now part of the CABundle used to validate requests for this component.

    MeshRootCertificateComponentStatuses

    (Appears on:MeshRootCertificateStatus)

    MeshRootCertificateComponentStatuses is the set of statuses for each certificate component in the cluster.

    Field Description
    validatingWebhook
    MeshRootCertificateComponentStatus
    mutatingWebhook
    MeshRootCertificateComponentStatus
    xdsControlPlane
    MeshRootCertificateComponentStatus
    sidecar
    MeshRootCertificateComponentStatus
    bootstrap
    MeshRootCertificateComponentStatus
    gateway
    MeshRootCertificateComponentStatus

    MeshRootCertificateCondition

    (Appears on:MeshRootCertificateStatus)

    MeshRootCertificateCondition defines the condition of the MeshRootCertificate resource.

    Field Description
    type
    MeshRootCertificateConditionType

    Type of the condition, one of (Ready, Accepted, IssuingRollout, ValidatingRollout, IssuingRollback, ValidatingRollback).

    status
    MeshRootCertificateConditionStatus

    Status of the condition, one of (True, False, Unknown).

    lastTransitionTime
    Kubernetes meta/v1.Time
    (Optional)

    LastTransitionTime is the timestamp corresponding to the last status change of this condition.

    reason
    string
    (Optional)

    Reason is a brief machine readable explanation for the condition’s last transition (should be in camelCase).

    message
    string
    (Optional)

    Message is a human readable description of the details of the last transition, complementing reason.

    MeshRootCertificateConditionStatus (string alias)

    (Appears on:MeshRootCertificateCondition)

    MeshRootCertificateConditionStatus specifies the status of the MeshRootCertificate condition, one of (True, False, Unknown).

    MeshRootCertificateConditionType (string alias)

    (Appears on:MeshRootCertificateCondition)

    MeshRootCertificateConditionType specifies the type of the condition, one of (Ready, Accepted, IssuingRollout, ValidatingRollout, IssuingRollback, ValidatingRollback).

    MeshRootCertificateIntent (string alias)

    (Appears on:MeshRootCertificateSpec)

    MeshRootCertificateIntent specifies the intent of the MeshRootCertificate, one of (Active, Passive).

    MeshRootCertificateSpec

    (Appears on:MeshRootCertificate)

    MeshRootCertificateSpec defines the mesh root certificate specification

    Field Description
    provider
    ProviderSpec

    Provider specifies the mesh certificate provider

    trustDomain
    string

    TrustDomain is the trust domain to use as a suffix in Common Names for new certificates.

    intent
    MeshRootCertificateIntent

    Intent of the MeshRootCertificate resource

    spiffeEnabled
    bool

    SpiffeEnabled will add a SPIFFE ID to the certificates, creating a SPIFFE compatible x509 SVID document. To use the SPIFFE ID for validation and routing, ‘enableSPIFFE’ must be true in the MeshConfig after the MeshRootCertificate is made ‘active’.

    MeshRootCertificateStatus

    (Appears on:MeshRootCertificate)

    MeshRootCertificateStatus defines the status of the MeshRootCertificate resource.

    Field Description
    state
    string

    State specifies the state of the certificate provider. All states are specified in constants.go

    transitionAfter
    Kubernetes meta/v1.Time

    If present, this MRC can transition to the next state in the state machine after this timestamp.

    componentStatuses
    MeshRootCertificateComponentStatuses

    Set of statuses for each certificate component in the cluster (e.g. webhooks, bootstrap, etc.). NOTE: There is a caveat that since these components belong to horizontally scalable pods, it is possible that not all of these components will be ready. That is, one controller might mark the ADS server as ready, while all other controllers have yet to rotate their controller cert.

    conditions
    []MeshRootCertificateCondition
    (Optional)

    List of status conditions to indicate the status of a MeshRootCertificate. Known condition types are Ready and InvalidRequest.

    ObservabilitySpec

    (Appears on:MeshConfigSpec)

    ObservabilitySpec is the type to represent OSM’s observability configurations.

    Field Description
    osmLogLevel
    string

    OSMLogLevel defines the log level for OSM control plane logs.

    enableDebugServer
    bool

    EnableDebugServer defines if the debug endpoint on the OSM controller pod is enabled.

    tracing
    TracingSpec

    Tracing defines OSM’s tracing configuration.

    ProviderSpec

    (Appears on:MeshRootCertificateSpec)

    ProviderSpec defines the certificate provider used by the mesh control plane

    Field Description
    certManager
    CertManagerProviderSpec
    (Optional)

    CertManager specifies the cert-manager provider configuration

    vault
    VaultProviderSpec
    (Optional)

    Vault specifies the vault provider configuration

    tresor
    TresorProviderSpec
    (Optional)

    Tresor specifies the Tresor provider configuration

    SecretKeyReferenceSpec

    (Appears on:VaultTokenSpec)

    SecretKeyReferenceSpec defines the configuration of the secret reference

    Field Description
    name
    string

    Name specifies the name of the secret in which the Vault token is stored

    key
    string

    Key specifies the key whose value is the Vault token

    namespace
    string

    Namespace specifies the namespace of the secret in which the Vault token is stored

    SidecarSpec

    (Appears on:MeshConfigSpec)

    SidecarSpec is the type used to represent the specifications for the proxy sidecar.

    Field Description
    enablePrivilegedInitContainer
    bool

    EnablePrivilegedInitContainer defines a boolean indicating whether the init container for a meshed pod should run as privileged.

    logLevel
    string

    LogLevel defines the logging level for the sidecar’s logs. Non-developers should generally never set this value. In production environments the LogLevel should be set to error.

    envoyImage
    string

    EnvoyImage defines the container image used for the Envoy proxy sidecar.

    envoyWindowsImage
    string

    EnvoyWindowsImage defines the Windows container image used for the Envoy proxy sidecar.

    initContainerImage
    string

    InitContainerImage defines the container image used for the init container injected to meshed pods.

    maxDataPlaneConnections
    int

    MaxDataPlaneConnections defines the maximum allowed data plane connections from a proxy sidecar to the OSM controller.

    configResyncInterval
    string

    ConfigResyncInterval defines the resync interval for regular proxy broadcast updates.

    resources
    Kubernetes core/v1.ResourceRequirements

    Resources defines the compute resources for the sidecar.

    tlsMinProtocolVersion
    string

    TLSMinProtocolVersion defines the minimum TLS protocol version that the sidecar supports. Valid TLS protocol versions are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2 and TLSv1_3.

    tlsMaxProtocolVersion
    string

    TLSMaxProtocolVersion defines the maximum TLS protocol version that the sidecar supports. Valid TLS protocol versions are TLS_AUTO, TLSv1_0 (deprecated), TLSv1_1 (deprecated), TLSv1_2 and TLSv1_3.

    cipherSuites
    []string

    CipherSuites defines a list of ciphers that the listener supports when negotiating TLS 1.0-1.2. This setting has no effect when negotiating TLS 1.3. For valid cipher names, see the latest OpenSSL ciphers manual page, e.g. https://www.openssl.org/docs/man1.1.1/apps/ciphers.html.

    ecdhCurves
    []string

    ECDHCurves defines a list of ECDH curves that the TLS connection supports. If not specified, the curves are [X25519, P-256] for non-FIPS builds and P-256 for builds using BoringSSL FIPS.

    localProxyMode
    LocalProxyMode

    LocalProxyMode defines the network interface the Envoy proxy will use to send traffic to the backend service application. Acceptable values are [Localhost, PodIP]. The default is Localhost.

    TracingSpec

    (Appears on:ObservabilitySpec)

    TracingSpec is the type to represent OSM’s tracing configuration.

    Field Description
    enable
    bool

    Enable defines a boolean indicating if the sidecars are enabled for tracing.

    port
    int16

    Port defines the tracing collector’s port.

    address
    string

    Address defines the tracing collector’s hostname.

    endpoint
    string

    Endpoint defines the API endpoint for tracing requests sent to the collector.

    TrafficSpec

    (Appears on:MeshConfigSpec)

    TrafficSpec is the type used to represent OSM’s traffic management configuration.

    Field Description
    enableEgress
    bool

    EnableEgress defines a boolean indicating if mesh-wide Egress is enabled.

    outboundIPRangeExclusionList
    []string

    OutboundIPRangeExclusionList defines a global list of IP address ranges to exclude from outbound traffic interception by the sidecar proxy.

    outboundIPRangeInclusionList
    []string

    OutboundIPRangeInclusionList defines a global list of IP address ranges to include for outbound traffic interception by the sidecar proxy. IP addresses outside this range will be excluded from outbound traffic interception by the sidecar proxy.

    outboundPortExclusionList
    []int

    OutboundPortExclusionList defines a global list of ports to exclude from outbound traffic interception by the sidecar proxy.

    inboundPortExclusionList
    []int

    InboundPortExclusionList defines a global list of ports to exclude from inbound traffic interception by the sidecar proxy.

    enablePermissiveTrafficPolicyMode
    bool

    EnablePermissiveTrafficPolicyMode defines a boolean indicating if permissive traffic policy mode is enabled mesh-wide.

    inboundExternalAuthorization
    ExternalAuthzSpec

    InboundExternalAuthorization defines a ruleset that, if enabled, will configure a remote external authorization endpoint for all inbound and ingress traffic in the mesh.

    networkInterfaceExclusionList
    []string

    NetworkInterfaceExclusionList defines a global list of network interface names to exclude from inbound and outbound traffic interception by the sidecar proxy.
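    The following is an added example, not taken from the OSM project or its documentation: a single MeshConfig resource that exercises the SidecarSpec, TrafficSpec, ObservabilitySpec and CertificateSpec fields described above, with the sidecar's TLS floor raised to TLSv1_2, the init container kept unprivileged, permissive traffic mode and mesh-wide egress disabled, and inbound external authorization configured to fail closed. The object name and namespace, the external authorization service hostname and port, the excluded IP range, the cipher list and the duration values are all assumed or constructed for illustration; only the apiVersion, kind and field names come from this reference.

```yaml
# Added example (not OSM project code). Field names follow the v1alpha2
# reference above; every concrete value below is an assumption or a
# constructed sample and should be adapted to the target cluster.
apiVersion: config.openservicemesh.io/v1alpha2
kind: MeshConfig
metadata:
  name: osm-mesh-config        # assumed: OSM's conventional MeshConfig name
  namespace: osm-system        # assumed: OSM's conventional control plane namespace
spec:
  sidecar:
    # Do not run the traffic-redirection init container as privileged.
    enablePrivilegedInitContainer: false
    # Reference above: production sidecars should log at error.
    logLevel: error
    # Reject TLSv1_0 and TLSv1_1, which the reference marks deprecated.
    tlsMinProtocolVersion: TLSv1_2
    tlsMaxProtocolVersion: TLSv1_3
    # OpenSSL cipher names; only consulted for TLS 1.0-1.2 negotiation,
    # ignored for TLS 1.3 (per the CipherSuites description).
    cipherSuites:
      - ECDHE-ECDSA-AES256-GCM-SHA384
      - ECDHE-RSA-AES256-GCM-SHA384
      - ECDHE-ECDSA-CHACHA20-POLY1305
      - ECDHE-RSA-CHACHA20-POLY1305
    # Same curves as the reference's stated non-FIPS default, made explicit.
    ecdhCurves:
      - X25519
      - P-256
    localProxyMode: Localhost   # default per the reference; PodIP is the alternative
  traffic:
    # Setting enableEgress to false turns off mesh-wide egress; per the
    # EnableEgressPolicy note this is what makes the EgressPolicy API apply.
    enableEgress: false
    # Require explicit traffic policies instead of allowing all mesh traffic.
    enablePermissiveTrafficPolicyMode: false
    # Constructed sample range (RFC 5737 documentation prefix), not a recommendation.
    outboundIPRangeExclusionList:
      - 203.0.113.0/24
    outboundPortExclusionList:
      - 53                       # constructed: keep DNS out of interception
    inboundPortExclusionList: []
    networkInterfaceExclusionList: []
    inboundExternalAuthorization:
      enable: true
      address: ext-authz.osm-system.svc.cluster.local  # assumed service hostname
      port: 9001                                        # assumed listener port
      statPrefix: inbound-ext-authz
      timeout: 1s
      # Fail closed: if the authz endpoint does not answer, deny the request.
      failureModeAllow: false
  observability:
    osmLogLevel: info            # assumed value for the control plane log level
    enableDebugServer: false     # keep the controller debug endpoint off
    tracing:
      enable: false
  certificate:
    serviceCertValidityDuration: 24h   # assumed; short-lived service certs
    certKeyBitSize: 2048
  featureFlags:
    enableIngressBackendPolicy: true
    enableRetryPolicy: false
```

    The settings worth checking after applying such a MeshConfig are the ones that widen exposure when left at permissive values: enablePermissiveTrafficPolicyMode, enableEgress, failureModeAllow and enablePrivilegedInitContainer. Cipher names must be valid OpenSSL names as the CipherSuites description requires; a misspelled entry is a configuration error rather than a silently weaker suite.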

    TresorCASpec

    (Appears on:TresorProviderSpec)

    TresorCASpec defines the configuration of Tresor’s root certificate

    Field Description
    secretRef
    Kubernetes core/v1.SecretReference

    SecretRef specifies the secret in which the root certificate is stored

    TresorProviderSpec

    (Appears on:ProviderSpec)

    TresorProviderSpec defines the configuration of the Tresor provider

    Field Description
    ca
    TresorCASpec

    CA specifies Tresor’s ca configuration

    VaultProviderSpec

    (Appears on:ProviderSpec)

    VaultProviderSpec defines the configuration of the Vault provider

    Field Description
    host
    string

    Host specifies the name of the Vault server

    port
    int

    Port specifies the port of the Vault server

    role
    string

    Role specifies the name of the role for use by mesh control plane

    protocol
    string

    Protocol specifies the protocol for connections to Vault

    token
    VaultTokenSpec

    Token specifies the configuration of the token to be used by mesh control plane to connect to Vault

    VaultTokenSpec

    (Appears on:VaultProviderSpec)

    VaultTokenSpec defines the configuration of the Vault token

    Field Description
    secretKeyRef
    SecretKeyReferenceSpec

    SecretKeyRef specifies the secret in which the Vault token is stored
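    As an added example (not from the OSM project), the two documents below show a MeshRootCertificate for each of two ProviderSpec variants: a Vault provider whose token is read from a Kubernetes Secret through VaultTokenSpec and SecretKeyReferenceSpec, and a Tresor provider whose root certificate lives in a Secret referenced by TresorCASpec. Only the apiVersion, kind, field names and the Active/Passive intent values come from this reference; the object names, namespaces, Vault hostname, port, role and the trust domain are assumed.

```yaml
# Added example (not OSM project code). Field names follow the v1alpha2
# reference above; names, hostnames, ports and the role are assumptions.
apiVersion: config.openservicemesh.io/v1alpha2
kind: MeshRootCertificate
metadata:
  name: osm-mrc-vault          # assumed name
  namespace: osm-system        # assumed namespace
spec:
  # Reference: intent is one of (Active, Passive). A newly introduced root is
  # declared Passive here; the SpiffeEnabled note refers to the MRC being
  # "made active" later.
  intent: Passive
  # Suffix for Common Names on newly issued certificates (assumed value).
  trustDomain: cluster.local
  # Adds a SPIFFE ID to issued certs; the reference notes that routing and
  # validation on that ID also require enableSPIFFE in the MeshConfig.
  spiffeEnabled: true
  provider:
    vault:
      host: vault.vault.svc.cluster.local   # assumed Vault server hostname
      port: 8200                            # assumed Vault listener port
      protocol: https                       # assumed; the reference only says "protocol for connections to Vault"
      role: openservicemesh                 # assumed Vault role used by the control plane
      token:
        secretKeyRef:
          # The token never appears in the MRC itself; it is read from this Secret.
          name: osm-vault-token             # assumed Secret name
          key: token                        # assumed key inside the Secret
          namespace: osm-system             # assumed Secret namespace
---
apiVersion: config.openservicemesh.io/v1alpha2
kind: MeshRootCertificate
metadata:
  name: osm-mrc-tresor         # assumed name
  namespace: osm-system        # assumed namespace
spec:
  intent: Active
  trustDomain: cluster.local
  spiffeEnabled: false
  provider:
    tresor:
      ca:
        # The root certificate and key are stored in this Secret, not inline.
        secretRef:
          name: osm-ca-bundle             # assumed Secret name
          namespace: osm-system           # assumed Secret namespace
```

    Both documents keep key material out of the custom resource: the Vault token and the Tresor root are referenced by Secret name, so access to the MeshRootCertificate object alone does not expose them, and RBAC on the referenced Secrets is what governs that access. Rollout progress for either root is reported through MeshRootCertificateStatus, whose componentStatuses can lag across horizontally scaled controllers as the reference's caveat notes.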


    Generated with gen-crd-api-reference-docs on git commit a65cd374.