diff --git a/Makefile b/Makefile
index 27f5c7b30..71b28158c 100644
--- a/Makefile
+++ b/Makefile
@@ -302,7 +302,9 @@ generate-crd-docs: bin/crd-ref-docs ## Generate CRD reference docs
--config=crd-ref-docs/config.yaml \
--templates-dir=crd-ref-docs/templates \
--max-depth=25
- # Replace Optional: \{\} and Required: \{\} with Optional and Required
sed -i'' -e 's/Optional: \\{\\}/Optional/g' docs/user/04-00-istio-custom-resource.md
sed -i'' -e 's/Required: \\{\\}/Required/g' docs/user/04-00-istio-custom-resource.md
- rm docs/user/04-00-istio-custom-resource.md-e
+ sed -i'' -e 's/XIntOrString: \\{\\}/XIntOrString/g' docs/user/04-00-istio-custom-resource.md
+ sed -i'' -e '1N;$$!N;/\n.*ReasonWithMessage/!P;D' docs/user/04-00-istio-custom-resource.md
+ sed -i'' -e '/ReasonWithMessage/d' docs/user/04-00-istio-custom-resource.md
+ rm -f docs/user/04-00-istio-custom-resource.md-e
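Review bot: The two sed passes at L14–L15 remove the ReasonWithMessage section from the generated reference by matching the template's line layout (a two-line window that also drops the line preceding each match), so a template or crd-ref-docs version change would silently leave stale or half-deleted text in docs/user/04-00-istio-custom-resource.md with no error. crd-ref-docs can exclude the type at the source through `ignoreTypes` under `processor` in crd-ref-docs/config.yaml (the config already passed on the command line above), e.g. `ignoreTypes: ["ReasonWithMessage$"]`, which would make both sed lines unnecessary. If the sed route stays, a one-line recipe comment naming why ReasonWithMessage is stripped (presumably because it is not part of the CRD schema) would replace the explanation lost with the removed L9 comment.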
diff --git a/api/v1alpha2/authorizers.go b/api/v1alpha2/authorizers.go
index ae96bf769..a93dbbb8b 100644
--- a/api/v1alpha2/authorizers.go
+++ b/api/v1alpha2/authorizers.go
@@ -4,30 +4,30 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
-// Authorizer defines an external authorization provider configuration.
+// Defines an external authorization provider's configuration.
// The defined authorizer can be referenced by name in an AuthorizationPolicy
// with action CUSTOM to enforce requests to be authorized by the external authorization service.
type Authorizer struct {
- // A unique name identifying the extension authorization provider.
+ // Specifies a unique name identifying the authorization provider.
// +kubebuilder:validation:Required
Name string `json:"name"`
- // Specifies the service that implements the Envoy ext_authz HTTP authorization service.
- // The format is "[Namespace/]Hostname".
- // The specification of "Namespace" is required only when it is insufficient to unambiguously resolve a service in the service registry.
- // The "Hostname" is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.
- // The recommended format is "[Namespace/]Hostname".
+ // Specifies the service that implements the Envoy `ext_authz` HTTP authorization service.
+ // The recommended format is `[Namespace/]Hostname`.
+ // Specify the namespace if it is required to unambiguously resolve a service in the service registry.
+ // The host name refers to the fully qualified host name of a service defined by either a Kubernetes Service or a ServiceEntry.
+ // +kubebuilder:validation:Optional
Service string `json:"service"`
- // Specifies the port of the service.
+ // Specifies the port of the Service.
// +kubebuilder:validation:Required
Port uint32 `json:"port"`
- // Specifies headers to be included, added or forwarded during authorization.
+ // Specifies the headers included, added, or forwarded during authorization.
Headers *Headers `json:"headers,omitempty"`
- // Specifies the prefix which will be included in the request sent to the authorization service.
- // The prefix might be constructed with special characters (e.g., "/test?original_path=").
+ // Specifies the prefix included in the request sent to the authorization service.
+ // The prefix might be constructed with special characters (for example, `/test?original_path=`).
// +kubebuilder:validation:Optional
PathPrefix *string `json:"pathPrefix,omitempty"`
@@ -36,52 +36,54 @@ type Authorizer struct {
Timeout *metav1.Duration `json:"timeout,omitempty"`
}
-// Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match
-// https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule):
-// - Exact match: "abc" will match on value "abc".
-// - Prefix match: "abc*" will match on value "abc" and "abcd".
-// - Suffix match: "*abc" will match on value "abc" and "xabc".
-
+// Specifies headers included, added, or forwarded during authorization.
+// Exact, prefix, and suffix matches are supported, similar to the syntax used in AuthorizationPolicy rules (excluding the presence match):
+// - Exact match: `abc` matches the value `abc`.
+// - Prefix match: `abc*` matches the values `abc` and `abcd`.
+// - Suffix match: `*abc` matches the values `abc` and `xabc`.
type Headers struct {
- // Defines headers to be included or added in check authorization request.
+ // Defines the headers to be included or added in check authorization request.
InCheck *InCheck `json:"inCheck,omitempty"`
- // Defines headers to be forwarded to the upstream (to the backend service).
+ // Defines the headers to be forwarded to the upstream (to the backend service).
ToUpstream *ToUpstream `json:"toUpstream,omitempty"`
- // Defines headers to be forwarded to the downstream (the client).
+ // Defines the headers to be forwarded to the downstream (the client).
ToDownstream *ToDownstream `json:"toDownstream,omitempty"`
}
+// Defines the headers to be included or added in check authorization request.
type InCheck struct {
- // List of client request headers that should be included in the authorization request sent to the authorization service.
- // Note that in addition to the headers specified here, the following headers are included by default:
- // 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent.
- // 2. *Content-Length* will be set to 0, and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by include_request_body_in_check setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size.
+ // Lists client request headers included in the authorization request sent to the authorization service.
+ // In addition to the headers specified here, the following headers are included by default:
+ // - **Host**, **Method**, **Path**, and **Content-Length** are automatically sent.
+ // - **Content-Length** is set to `0`, and the request doesn't have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size.
Include []string `json:"include,omitempty"`
- // Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
- // The Key is the header name and value is the header value.
- // Note that client request of the same key or headers specified in `Include` will be overridden.
+ // Specifies a set of additional fixed headers included in the authorization request sent to the authorization service.
+ // The key is the header name and value is the header value.
+ // Client request of the same key or headers specified in `Include` are overridden.
Add map[string]string `json:"add,omitempty"`
}
+// Defines the headers to be forwarded to the upstream (to the backend service).
type ToUpstream struct {
- // List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
- // If not specified, the original request will not be modified and forwarded to backend as-is.
- // Note, any existing headers will be overridden.
+ // Lists headers from the authorization service added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code `200`).
+ // If not specified, the original request is forwarded to the backend unmodified.
+ // Any existing headers are overridden.
OnAllow []string `json:"onAllow,omitempty"`
}
+// Defines the headers to be forwarded to the downstream (the client).
type ToDownstream struct {
- // List of headers from the authorization service that should be forwarded to downstream when the authorization check result is allowed (HTTP code 200).
- // If not specified, the original response will not be modified and forwarded to downstream as-is.
- // Note, any existing headers will be overridden.
+ // Lists headers from the authorization service forwarded to downstream when the authorization check result is allowed (HTTP code `200`).
+ // If not specified, the original request is forwarded to the backend unmodified.
+ // Any existing headers are overridden.
OnAllow []string `json:"onAllow,omitempty"`
- // List of headers from the authorization service that should be forwarded to downstream when the authorization check result is not allowed (HTTP code other than 200).
- // If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to the downstream.
- // When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added.
- // Note, the body from the authorization service is always included in the response to downstream.
+ // Lists headers from the authorization service forwarded to downstream when the authorization check result is not allowed (HTTP code is other than `200`).
+ // If not specified, all the authorization response headers, except **Authority (Host)**, are included in the response to the downstream.
+ // When a header is included in this list, the following headers are automatically added: **Path**, **Status**, **Content-Length**, **WWWAuthenticate**, and **Location**.
+ // The body from the authorization service is always included in the response to downstream.
OnDeny []string `json:"onDeny,omitempty"`
}
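Review bot: The rewritten sentence at L117 in `ToDownstream.OnAllow` changed meaning: the removed L114 said the original response is forwarded to downstream as-is, but the new line says "the original request is forwarded to the backend unmodified", which is the `ToUpstream.OnAllow` wording copied from L107. It should read `// If not specified, the original response is forwarded to the downstream unmodified.`. Less important, L98 "Client request of the same key or headers specified in `Include` are overridden." reads awkwardly and might become `// Client request headers with the same key, or headers listed in Include, are overridden.`.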
diff --git a/api/v1alpha2/experimental.go b/api/v1alpha2/experimental.go
index 2190c8299..f019e0855 100644
--- a/api/v1alpha2/experimental.go
+++ b/api/v1alpha2/experimental.go
@@ -1,6 +1,9 @@
package v1alpha2
+// Defines experimental features.
type Experimental struct {
+ // Defines experimental features for Istio Pilot.
+ // +kubebuilder:validation:Optional
PilotFeatures `json:"pilot"`
// Enables dual-stack support.
@@ -11,7 +14,12 @@ type Experimental struct {
EnableAmbient *bool `json:"enableAmbient,omitempty"`
}
+// Defines experimental features for Istio Pilot.
type PilotFeatures struct {
+ // Defines alpha Gateway API support.
+ // +kubebuilder:validation:Optional
EnableAlphaGatewayAPI bool `json:"enableAlphaGatewayAPI"`
+ // Enables multi-network discovery for Gateway API.
+ // +kubebuilder:validation:Optional
EnableMultiNetworkDiscoverGatewayAPI bool `json:"enableMultiNetworkDiscoverGatewayAPI"`
}
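Review bot: `EnableAlphaGatewayAPI` at L147 is described as "Defines alpha Gateway API support" while its sibling toggle at L150 says "Enables …"; both are bool switches, so L147 should read `// Enables alpha Gateway API support.` to match the field name and the rendered docs. Both fields keep json tags without `omitempty`, so the Optional markers added at L148 and L151 are what keeps them out of the regenerated CRD's `required:` list — they should stay paired with the fields if the comments are reworked again.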
diff --git a/api/v1alpha2/istio_structs.go b/api/v1alpha2/istio_structs.go
index f25a50e3b..93702aca6 100644
--- a/api/v1alpha2/istio_structs.go
+++ b/api/v1alpha2/istio_structs.go
@@ -5,9 +5,7 @@ import (
"k8s.io/apimachinery/pkg/util/intstr"
)
-// +kubebuilder:validation:Optional
-
-// Config is the configuration for the Istio installation.
+// Configures the Istio installation.
type Config struct {
// Defines the number of trusted proxies deployed in front of the Istio gateway proxy.
// +kubebuilder:validation:Minimum=0
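Review bot: The removed L161–L162 look like a free-floating `+kubebuilder:validation:Optional` marker, which controller-gen treats as a package-level default that makes every field without `omitempty` optional; deleting it flips that default to required for the whole api/v1alpha2 package. The commit adds explicit Optional markers to several such fields elsewhere (`Service`, `PilotFeatures`, `EnableAlphaGatewayAPI`, `MaxSurge`, `MaxUnavailable`), which suggests this is intended, but any remaining field in the package with neither `omitempty` nor an Optional marker now lands under `required:` in the regenerated CRD, so the config/crd/bases YAML in this commit should be checked for new `required:` entries before merging. If the removal is deliberate, a commit-message line or a short file-level comment stating that optionality is now declared per field would make the behaviour change visible to reviewers rather than looking like a doc cleanup.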
@@ -24,8 +22,8 @@ type Config struct {
// Defines a list of external authorization providers.
Authorizers []*Authorizer `json:"authorizers,omitempty"`
- // Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are "Local" or "Cluster". The external traffic policy set to "Local" preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution.
- // WARNING: Switching `externalTrafficPolicy` may result in a temporal increase in request delay. Make sure that this is acceptable.
+ // Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are `"Local"` or `"Cluster"`. The external traffic policy set to `"Local"` preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution.
+ // WARNING: Switching **externalTrafficPolicy** may result in a temporal increase in request delay. Make sure that this is acceptable.
// +kubebuilder:validation:Optional
// +kubebuilder:validation:Enum=Local;Cluster
GatewayExternalTrafficPolicy *string `json:"gatewayExternalTrafficPolicy,omitempty"`
@@ -53,113 +51,129 @@ const (
)
type Components struct {
- // Pilot defines component configuration for Istiod
+ // Configures the Istiod component.
Pilot *IstioComponent `json:"pilot,omitempty"`
- // IngressGateway defines component configurations for Istio Ingress Gateway
+ // Configures the Istio Ingress Gateway component.
IngressGateway *IstioComponent `json:"ingressGateway,omitempty"`
- // Cni defines component configuration for Istio CNI DaemonSet
+ // Configures the Istio CNI DaemonSet component.
Cni *CniComponent `json:"cni,omitempty"`
- // Proxy defines component configuration for Istio proxy sidecar
+ // Configures the Istio sidecar proxy component.
Proxy *ProxyComponent `json:"proxy,omitempty"`
+ // Configures the Istio Egress Gateway component.
// +kubebuilder:validation:Optional
EgressGateway *EgressGateway `json:"egressGateway,omitempty"`
}
-// KubernetesResourcesConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+// Defines Kubernetes-level configuration options for Istio components. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
type KubernetesResourcesConfig struct {
- // HPASpec defines configuration for HorizontalPodAutoscaler: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
+ // Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/).
// +kubebuilder:validation:Optional
HPASpec *HPASpec `json:"hpaSpec,omitempty"`
- // Strategy defines configuration for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment
+ // Defines the rolling updates strategy. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
// +kubebuilder:validation:Optional
Strategy *Strategy `json:"strategy,omitempty"`
- // Resources define Kubernetes resources configuration: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ // Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
// +kubebuilder:validation:Optional
Resources *Resources `json:"resources,omitempty"`
}
-// ProxyComponent defines configuration for Istio proxies.
+// Configures the Istio sidecar proxy component.
type ProxyComponent struct {
+ // Contains a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
// +kubebuilder:validation:Required
K8S *ProxyK8sConfig `json:"k8s"`
}
-// ProxyK8sConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+// Contains a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
type ProxyK8sConfig struct {
+ // Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
Resources *Resources `json:"resources,omitempty"`
}
-// CniComponent defines configuration for CNI Istio component.
+// Configures the Istio CNI DaemonSet component.
type CniComponent struct {
- // CniK8sConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+ // Configures the Istio CNI DaemonSet component. It is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
// +kubebuilder:validation:Required
K8S *CniK8sConfig `json:"k8s"`
}
+// Configures the Istio CNI DaemonSet component. It is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
type CniK8sConfig struct {
- // Affinity defines the Pod scheduling affinity constraints: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
+ // Defines the Pod scheduling affinity constraints. See [Affinity and anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
// +kubebuilder:validation:Optional
Affinity *corev1.Affinity `json:"affinity,omitempty"`
- // Resources define Kubernetes resources configuration: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ // Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
// +kubebuilder:validation:Optional
Resources *Resources `json:"resources,omitempty"`
}
-// HPASpec defines configuration for HorizontalPodAutoscaler.
+// Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/).
type HPASpec struct {
+ // Defines the minimum number of replicas for the HorizontalPodAutoscaler.
// +kubebuilder:validation:Minimum=0
// +kubebuilder:validation:Maximum=2147483647
MaxReplicas *int32 `json:"maxReplicas,omitempty"`
+ // Defines the maximum number of replicas for the HorizontalPodAutoscaler.
// +kubebuilder:validation:Minimum=0
// +kubebuilder:validation:Maximum=2147483647
MinReplicas *int32 `json:"minReplicas,omitempty"`
}
-// IstioComponent defines configuration for generic Istio component (ingress gateway, istiod).
+// Defines the configuration for the generic Istio components, that is, Istio Ingress gateway and istiod.
type IstioComponent struct {
+ // Defines the Kubernetes resources' configuration for Istio components. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
// +kubebuilder:validation:Required
K8s *KubernetesResourcesConfig `json:"k8s"`
}
-// Strategy defines rolling update strategy.
+// Defines the rolling updates strategy. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
type Strategy struct {
+ // Defines the configuration for rolling updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
// +kubebuilder:validation:Required
RollingUpdate *RollingUpdate `json:"rollingUpdate"`
}
-// RollingUpdate defines configuration for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment
+// Defines the configuration for rolling updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
type RollingUpdate struct {
+ // Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge).
+ // +kubebuilder:validation:Optional
// +kubebuilder:validation:XIntOrString
// +kubebuilder:validation:Pattern=`^[0-9]+%?$`
// +kubebuilder:validation:XValidation:rule="(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)",message="must not be negative, more than 2147483647 or an empty string"
MaxSurge *intstr.IntOrString `json:"maxSurge" protobuf:"bytes,2,opt,name=maxSurge"`
+ // Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable)
// +kubebuilder:validation:XIntOrString
// +kubebuilder:validation:Pattern="^((100|[0-9]{1,2})%|[0-9]+)$"
// +kubebuilder:validation:XValidation:rule="(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)",message="must not be negative, more than 2147483647 or an empty string"
+ // +kubebuilder:validation:Optional
MaxUnavailable *intstr.IntOrString `json:"maxUnavailable" protobuf:"bytes,1,opt,name=maxUnavailable"`
}
-// Resources define Kubernetes resources configuration: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+// Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
type Resources struct {
- Limits *ResourceClaims `json:"limits,omitempty"`
+ // The maximum amount of resources a container is allowed to use.
+ Limits *ResourceClaims `json:"limits,omitempty"`
+ // The minimum amount of resources (such as CPU and memory) a container needs to run.
Requests *ResourceClaims `json:"requests,omitempty"`
}
+// Defines CPU and memory resource requirements for Kubernetes containers and Pods. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
type ResourceClaims struct {
+ // Specifies CPU resource allocation (requests or limits)
// +kubebuilder:validation:Pattern=`^([0-9]+m?|[0-9]\.[0-9]{1,3})$`
CPU *string `json:"cpu,omitempty"`
-
+ // Specifies memory resource allocation (requests or limits).
// +kubebuilder:validation:Pattern=`^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$`
Memory *string `json:"memory,omitempty"`
}
-// EgressGateway defines configuration for Istio egressGateway.
+// Configures the Istio Egress Gateway component.
type EgressGateway struct {
- // Defines the Kubernetes resources configuration for Istio egress gateway.
+ // Defines the Kubernetes resources' configuration for Istio Egress Gateway. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
// +kubebuilder:validation:Optional
K8s *KubernetesResourcesConfig `json:"k8s"`
- // Enables or disables the Istio egress gateway.
+ // Enables or disables Istio Egress Gateway.
// +kubebuilder:validation:Optional
Enabled *bool `json:"enabled,omitempty"`
}
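Review bot: The new field comments in `HPASpec` are swapped: L248 documents `MaxReplicas` as "the minimum number of replicas" and L252 documents `MinReplicas` as "the maximum", and that text is rendered into the CRD description and the reference docs. The lines should read `// Defines the maximum number of replicas for the HorizontalPodAutoscaler.` above `MaxReplicas` and `// Defines the minimum number of replicas for the HorizontalPodAutoscaler.` above `MinReplicas`. Smaller points in the same hunk: L280 and L298 lack the terminating period every other comment carries, and the `K8S` field comment at L230 repeats its parent type's description instead of saying the field holds the CNI DaemonSet's affinity and resource settings.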
diff --git a/api/v1alpha2/istio_types.go b/api/v1alpha2/istio_types.go
index 048ec0f53..254d184bc 100644
--- a/api/v1alpha2/istio_types.go
+++ b/api/v1alpha2/istio_types.go
@@ -20,21 +20,23 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
+// Signifies the current state of the Istio custom resource.
+// The possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`.
type State string
type ConditionType string
type ConditionReason string
// Valid IstioCR States.
const (
- // Ready is reported when the Istio installation / upgrade process has completed successfully.
+ // Istio installation or upgrade process has completed successfully.
Ready State = "Ready"
- // Processing is reported when the Istio installation / upgrade process is in progress.
+ // Istio installation or upgrade process is in progress.
Processing State = "Processing"
- // Error is reported when the Istio installation / upgrade process has failed.
+ // Istio installation or upgrade process has failed.
Error State = "Error"
- // Deleting is reported when the Istio installation / upgrade process is being deleted.
+ // The Istio custom resource is being deleted.
Deleting State = "Deleting"
- // Warning is reported when the Istio installation / upgrade process has completed with warnings.
+ // Istio installation or upgrade process has completed with warnings.
// This state warrants user attention, as some features may not work as expected.
Warning State = "Warning"
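Review bot: `ConditionType` and `ConditionReason` at L328–L329 remain undocumented exported types while `State` directly above them gains a doc comment in this hunk, so the generated reference will describe one of the three and not the others. One line each would do, something like `// Identifies the kind of condition reported in the Istio status.` above `ConditionType` and `// Identifies why a condition was set.` above `ConditionReason`. The value list added at L326 duplicates the enum marker on `IstioStatus.State` (L462 in a later hunk); keeping the list in one place avoids the two drifting apart when a state is added.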
@@ -44,7 +46,7 @@ const (
// General
- // Reconciliation finished with full success.
+ // Reconciliation finished successfully.
ConditionReasonReconcileSucceeded ConditionReason = "ReconcileSucceeded"
ConditionReasonReconcileSucceededMessage = "Reconciliation succeeded"
// Reconciliation is in progress or failed previously.
@@ -59,7 +61,7 @@ const (
// Reconciliation did not happen as validation of Istio Custom Resource failed.
ConditionReasonValidationFailed ConditionReason = "ValidationFailed"
ConditionReasonValidationFailedMessage = "Reconciliation did not happen as Istio Custom Resource failed to validate"
- // Reconciliation did not happen as there exists an older Istio Custom Resource.
+ // Reconciliation did not happen because an older Istio CR exists.
ConditionReasonOlderCRExists ConditionReason = "OlderCRExists"
ConditionReasonOlderCRExistsMessage = "This Istio custom resource is not the oldest one and does not represent the module state"
// Reconciliation did not happen as the oldest Istio Custom Resource could not be found.
@@ -68,7 +70,7 @@ const (
// Istio installation / uninstallation
- // Istio installtion is not needed.
+ // Istio installation is not needed.
ConditionReasonIstioInstallNotNeeded ConditionReason = "IstioInstallNotNeeded"
ConditionReasonIstioInstallNotNeededMessage = "Istio installation is not needed"
// Istio installation or uninstallation succeeded.
@@ -80,10 +82,10 @@ const (
// Istio installation or uninstallation failed.
ConditionReasonIstioInstallUninstallFailed ConditionReason = "IstioInstallUninstallFailed"
ConditionReasonIstioInstallUninstallFailedMessage = "Istio install or uninstall failed"
- // Istio Custom Resource has invalid configuration.
+ // The Istio custom resource has invalid configuration.
ConditionReasonCustomResourceMisconfigured ConditionReason = "IstioCustomResourceMisconfigured"
ConditionReasonCustomResourceMisconfiguredMessage = "Istio custom resource has invalid configuration"
- // Istio Custom Resources are blocking Istio uninstallation.
+ // Istio custom resources are blocking Istio uninstallation.
ConditionReasonIstioCRsDangling ConditionReason = "IstioCustomResourcesDangling"
ConditionReasonIstioCRsDanglingMessage = "Istio deletion blocked because of existing Istio custom resources"
// Istio version update is not allowed.
@@ -92,10 +94,10 @@ const (
// Istio CRs
- // Custom resources reconciliation succeeded.
+ // Reconciliation of custom resources succeeded.
ConditionReasonCRsReconcileSucceeded ConditionReason = "CustomResourcesReconcileSucceeded"
ConditionReasonCRsReconcileSucceededMessage = "Custom resources reconciliation succeeded"
- // Custom resources reconciliation failed.
+ // Reconciliation of custom resources failed.
ConditionReasonCRsReconcileFailed ConditionReason = "CustomResourcesReconcileFailed"
ConditionReasonCRsReconcileFailedMessage = "Custom resources reconciliation failed"
@@ -110,7 +112,7 @@ const (
// Proxy sidecar restart partially succeeded.
ConditionReasonProxySidecarRestartPartiallySucceeded ConditionReason = "ProxySidecarRestartPartiallySucceeded"
ConditionReasonProxySidecarRestartPartiallySucceededMessage = "Proxy sidecar restart partially succeeded"
- // Proxy sidecar manual restart is required.
+ // A manual restart of the proxy sidecar is required for some workloads.
ConditionReasonProxySidecarManualRestartRequired ConditionReason = "ProxySidecarManualRestartRequired"
ConditionReasonProxySidecarManualRestartRequiredMessage = "Proxy sidecar manual restart is required for some workloads"
@@ -145,23 +147,26 @@ const (
ConditionReasonIngressTargetingUserResourceDetectionFailedMessage = "Resource targeting Istio Ingress Gateway detection failed"
)
+// Couples a condition's reason with its message.
type ReasonWithMessage struct {
- Reason ConditionReason
- Message string
+ // Contains the reason for setting up a condition.
+ Reason ConditionReason `json:"reason"`
+ // Describes the reason.
+ Message string `json:"message"`
}
// IstioSpec describes the desired specification for installing or updating Istio.
type IstioSpec struct {
- // Defines configuration of the Istio installation.
+ // Configures the Istio installation.
// +kubebuilder:validation:Optional
Config Config `json:"config,omitempty"`
- // Defines configuration of Istio components.
+ // Configures Istio components.
// +kubebuilder:validation:Optional
Components *Components `json:"components,omitempty"`
// Defines experimental configuration options.
// +kubebuilder:validation:Optional
Experimental *Experimental `json:"experimental,omitempty"`
- // Enables compatibility mode for Istio installation.
+ // Enables the compatibility mode for the Istio installation.
// +kubebuilder:validation:Optional
CompatibilityMode bool `json:"compatibilityMode,omitempty"`
}
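Review bot: The json tags added at L410 and L412 change the encoded key names from `Reason`/`Message` to `reason`/`message` for anything that marshals `ReasonWithMessage`; the type has no kubebuilder markers and the Makefile in this commit strips it from the generated docs, so it appears to be internal rather than CRD schema, but if it is serialized anywhere (status description, events, logs) consumers keyed on the old capitalized names would break. If the tags exist only so crd-ref-docs stops complaining about the type, excluding it through the generator config would leave its wire format untouched. Otherwise a sentence on the type comment stating that the lowercase keys are the intended stable encoding would make the change look deliberate.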
@@ -172,36 +177,35 @@ type IstioSpec struct {
//+kubebuilder:printcolumn:JSONPath=".status.state",name="State",type="string"
//+kubebuilder:storageversion
-// Istio contains Istio CR specification and current status.
+// Contains the Istio custom resource's specification and its current status.
type Istio struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
- // Spec defines the desired state of the Istio installation.
+ // Defines the desired state of the Istio installation.
Spec IstioSpec `json:"spec,omitempty"`
- // Status represents the current state of the Istio installation.
+ // Defines the current state of the Istio installation.
Status IstioStatus `json:"status,omitempty"`
}
//+kubebuilder:object:root=true
-// IstioList contains a list of Istio's.
+// Contains a list of Istios.
type IstioList struct {
metav1.TypeMeta ` json:",inline"`
metav1.ListMeta ` json:"metadata,omitempty"`
Items []Istio `json:"items"`
}
-// IstioStatus defines the observed state of IstioCR.
+// Defines the observed state of the Istio custom resource.
type IstioStatus struct {
- // State signifies the current state of CustomObject. Value
- // can be one of ("Ready", "Processing", "Error", "Deleting", "Warning").
+ // Signifies the current state of the Istio custom resource. Possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`.
// +kubebuilder:validation:Required
// +kubebuilder:validation:Enum=Processing;Deleting;Ready;Error;Warning
State State `json:"state"`
- // Conditions associated with IstioStatus.
+ // Contains conditions associated with **IstioStatus**.
Conditions *[]metav1.Condition `json:"conditions,omitempty"`
- // Description of Istio status.
+ // Describes the Istio status.
Description string `json:"description,omitempty"`
}
diff --git a/api/v1alpha2/telemetry.go b/api/v1alpha2/telemetry.go
index 322e5aa2e..7047070c7 100644
--- a/api/v1alpha2/telemetry.go
+++ b/api/v1alpha2/telemetry.go
@@ -1,15 +1,17 @@
package v1alpha2
+// Configures Istio telemetry.
type Telemetry struct {
- // Istio telemetry configuration related to metrics
+ // Configures Istio telemetry metrics.
// +kubebuilder:validation:Optional
Metrics Metrics `json:"metrics,omitempty"`
}
+// Configures Istio telemetry metrics.
type Metrics struct {
- // Defines whether the prometheusMerge feature is enabled. If yes, appropriate prometheus.io annotations will be added to all data plane pods to set up scraping.
- // If these annotations already exist, they will be overwritten. With this option, the Envoy sidecar will merge Istio’s metrics with the application metrics.
- // The merged metrics will be scraped from :15020/stats/prometheus.
+ // Defines whether the **prometheusMerge** feature is enabled. If it is, appropriate prometheus.io annotations are added to all data plane Pods to set up scraping.
+ // If these annotations already exist, they are overwritten. With this option, the Envoy sidecar merges Istio’s metrics with the application metrics.
+ // The merged metrics are scraped from `:15020/stats/prometheus`.
// +kubebuilder:validation:Optional
PrometheusMerge bool `json:"prometheusMerge,omitempty"`
-}
+}
\ No newline at end of file
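Review bot: The rewritten closing brace at L495 together with the `\ No newline at end of file` marker shows this edit dropped telemetry.go's trailing newline; gofmt restores it, so the next formatting run will produce a spurious one-line diff, and `gofmt -l` or editorconfig checks in CI will flag the file. Restore the newline after `}` — the change to that line is otherwise empty.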
diff --git a/config/crd/bases/operator.kyma-project.io_istios.yaml b/config/crd/bases/operator.kyma-project.io_istios.yaml
index 1d9126959..72a543310 100644
--- a/config/crd/bases/operator.kyma-project.io_istios.yaml
+++ b/config/crd/bases/operator.kyma-project.io_istios.yaml
@@ -24,7 +24,8 @@ spec:
name: v1alpha2
schema:
openAPIV3Schema:
- description: Istio contains Istio CR specification and current status.
+ description: Contains the Istio custom resource's specification and its current
+ status.
properties:
apiVersion:
description: |-
@@ -44,24 +45,24 @@ spec:
metadata:
type: object
spec:
- description: Spec defines the desired state of the Istio installation.
+ description: Defines the desired state of the Istio installation.
properties:
compatibilityMode:
- description: Enables compatibility mode for Istio installation.
+ description: Enables the compatibility mode for the Istio installation.
type: boolean
components:
- description: Defines configuration of Istio components.
+ description: Configures Istio components.
properties:
cni:
- description: Cni defines component configuration for Istio CNI
- DaemonSet
+ description: Configures the Istio CNI DaemonSet component.
properties:
k8s:
- description: CniK8sConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+ description: Configures the Istio CNI DaemonSet component.
+ It is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
properties:
affinity:
- description: 'Affinity defines the Pod scheduling affinity
- constraints: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity'
+ description: Defines the Pod scheduling affinity constraints.
+ See [Affinity and anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity).
properties:
nodeAffinity:
description: Describes node affinity scheduling rules
@@ -989,24 +990,36 @@ spec:
type: object
type: object
resources:
- description: 'Resources define Kubernetes resources configuration:
- https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: Defines Kubernetes resources' configuration.
+ See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
properties:
limits:
+ description: The maximum amount of resources a container
+ is allowed to use.
properties:
cpu:
+ description: Specifies CPU resource allocation
+ (requests or limits)
pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$
type: string
memory:
+ description: Specifies memory resource allocation
+ (requests or limits).
pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$
type: string
type: object
requests:
+ description: The minimum amount of resources (such
+ as CPU and memory) a container needs to run.
properties:
cpu:
+ description: Specifies CPU resource allocation
+ (requests or limits)
pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$
type: string
memory:
+ description: Specifies memory resource allocation
+ (requests or limits).
pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$
type: string
type: object
@@ -1016,65 +1029,83 @@ spec:
- k8s
type: object
egressGateway:
- description: EgressGateway defines configuration for Istio egressGateway.
+ description: Configures the Istio Egress Gateway component.
properties:
enabled:
- description: Enables or disables the Istio egress gateway.
+ description: Enables or disables Istio Egress Gateway.
type: boolean
k8s:
- description: Defines the Kubernetes resources configuration
- for Istio egress gateway.
+ description: Defines the Kubernetes resources' configuration
+ for Istio Egress Gateway. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
properties:
hpaSpec:
- description: 'HPASpec defines configuration for HorizontalPodAutoscaler:
- https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/'
+ description: Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/).
properties:
maxReplicas:
+ description: Defines the minimum number of replicas
+ for the HorizontalPodAutoscaler.
format: int32
maximum: 2147483647
minimum: 0
type: integer
minReplicas:
+ description: Defines the maximum number of replicas
+ for the HorizontalPodAutoscaler.
format: int32
maximum: 2147483647
minimum: 0
type: integer
type: object
resources:
- description: 'Resources define Kubernetes resources configuration:
- https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: Defines Kubernetes resources' configuration.
+ See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
properties:
limits:
+ description: The maximum amount of resources a container
+ is allowed to use.
properties:
cpu:
+ description: Specifies CPU resource allocation
+ (requests or limits)
pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$
type: string
memory:
+ description: Specifies memory resource allocation
+ (requests or limits).
pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$
type: string
type: object
requests:
+ description: The minimum amount of resources (such
+ as CPU and memory) a container needs to run.
properties:
cpu:
+ description: Specifies CPU resource allocation
+ (requests or limits)
pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$
type: string
memory:
+ description: Specifies memory resource allocation
+ (requests or limits).
pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$
type: string
type: object
type: object
strategy:
- description: 'Strategy defines configuration for rolling
- updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment'
+ description: Defines the rolling updates strategy. See
+ [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
properties:
rollingUpdate:
- description: 'RollingUpdate defines configuration
- for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment'
+ description: Defines the configuration for rolling
+ updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
properties:
maxSurge:
anyOf:
- type: integer
- type: string
+ description: Specifies the maximum number of Pods
+ that can be created over the desired number
+ of Pods. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge).
pattern: ^[0-9]+%?$
x-kubernetes-int-or-string: true
x-kubernetes-validations:
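Review bot: The added `hpaSpec` descriptions are swapped: `maxReplicas` is described as "the minimum number of replicas" (the lines right after `maxReplicas:`) and `minReplicas` as "the maximum number of replicas" (after `minReplicas:`); the same inversion appears in the hunks ending at L790 and L891, and presumably in the generated reference doc as well. Since this file is generated from the Go API types, the fix belongs on the field comments of the HPA spec struct (not in this chunk), followed by a regenerate; the intended lines are `description: Defines the maximum number of replicas for the HorizontalPodAutoscaler.` under `maxReplicas` and `description: Defines the minimum number of replicas for the HorizontalPodAutoscaler.` under `minReplicas`. Misstated bounds on the autoscaler are the kind of thing an operator copies into a values file, so it is worth catching before release.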
@@ -1086,6 +1117,9 @@ spec:
anyOf:
- type: integer
- type: string
+ description: Specifies the maximum number of Pods
+ that can be unavailable during the update process.
+ See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable)
pattern: ^((100|[0-9]{1,2})%|[0-9]+)$
x-kubernetes-int-or-string: true
x-kubernetes-validations:
@@ -1100,62 +1134,80 @@ spec:
type: object
type: object
ingressGateway:
- description: IngressGateway defines component configurations for
- Istio Ingress Gateway
+ description: Configures the Istio Ingress Gateway component.
properties:
k8s:
- description: KubernetesResourcesConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+ description: Defines the Kubernetes resources' configuration
+ for Istio components. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
properties:
hpaSpec:
- description: 'HPASpec defines configuration for HorizontalPodAutoscaler:
- https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/'
+ description: Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/).
properties:
maxReplicas:
+ description: Defines the minimum number of replicas
+ for the HorizontalPodAutoscaler.
format: int32
maximum: 2147483647
minimum: 0
type: integer
minReplicas:
+ description: Defines the maximum number of replicas
+ for the HorizontalPodAutoscaler.
format: int32
maximum: 2147483647
minimum: 0
type: integer
type: object
resources:
- description: 'Resources define Kubernetes resources configuration:
- https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: Defines Kubernetes resources' configuration.
+ See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
properties:
limits:
+ description: The maximum amount of resources a container
+ is allowed to use.
properties:
cpu:
+ description: Specifies CPU resource allocation
+ (requests or limits)
pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$
type: string
memory:
+ description: Specifies memory resource allocation
+ (requests or limits).
pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$
type: string
type: object
requests:
+ description: The minimum amount of resources (such
+ as CPU and memory) a container needs to run.
properties:
cpu:
+ description: Specifies CPU resource allocation
+ (requests or limits)
pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$
type: string
memory:
+ description: Specifies memory resource allocation
+ (requests or limits).
pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$
type: string
type: object
type: object
strategy:
- description: 'Strategy defines configuration for rolling
- updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment'
+ description: Defines the rolling updates strategy. See
+ [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
properties:
rollingUpdate:
- description: 'RollingUpdate defines configuration
- for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment'
+ description: Defines the configuration for rolling
+ updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
properties:
maxSurge:
anyOf:
- type: integer
- type: string
+ description: Specifies the maximum number of Pods
+ that can be created over the desired number
+ of Pods. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge).
pattern: ^[0-9]+%?$
x-kubernetes-int-or-string: true
x-kubernetes-validations:
@@ -1167,6 +1219,9 @@ spec:
anyOf:
- type: integer
- type: string
+ description: Specifies the maximum number of Pods
+ that can be unavailable during the update process.
+ See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable)
pattern: ^((100|[0-9]{1,2})%|[0-9]+)$
x-kubernetes-int-or-string: true
x-kubernetes-validations:
@@ -1183,61 +1238,80 @@ spec:
- k8s
type: object
pilot:
- description: Pilot defines component configuration for Istiod
+ description: Configures the Istiod component.
properties:
k8s:
- description: KubernetesResourcesConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+ description: Defines the Kubernetes resources' configuration
+ for Istio components. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
properties:
hpaSpec:
- description: 'HPASpec defines configuration for HorizontalPodAutoscaler:
- https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/'
+ description: Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/).
properties:
maxReplicas:
+ description: Defines the minimum number of replicas
+ for the HorizontalPodAutoscaler.
format: int32
maximum: 2147483647
minimum: 0
type: integer
minReplicas:
+ description: Defines the maximum number of replicas
+ for the HorizontalPodAutoscaler.
format: int32
maximum: 2147483647
minimum: 0
type: integer
type: object
resources:
- description: 'Resources define Kubernetes resources configuration:
- https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: Defines Kubernetes resources' configuration.
+ See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
properties:
limits:
+ description: The maximum amount of resources a container
+ is allowed to use.
properties:
cpu:
+ description: Specifies CPU resource allocation
+ (requests or limits)
pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$
type: string
memory:
+ description: Specifies memory resource allocation
+ (requests or limits).
pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$
type: string
type: object
requests:
+ description: The minimum amount of resources (such
+ as CPU and memory) a container needs to run.
properties:
cpu:
+ description: Specifies CPU resource allocation
+ (requests or limits)
pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$
type: string
memory:
+ description: Specifies memory resource allocation
+ (requests or limits).
pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$
type: string
type: object
type: object
strategy:
- description: 'Strategy defines configuration for rolling
- updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment'
+ description: Defines the rolling updates strategy. See
+ [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
properties:
rollingUpdate:
- description: 'RollingUpdate defines configuration
- for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment'
+ description: Defines the configuration for rolling
+ updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
properties:
maxSurge:
anyOf:
- type: integer
- type: string
+ description: Specifies the maximum number of Pods
+ that can be created over the desired number
+ of Pods. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge).
pattern: ^[0-9]+%?$
x-kubernetes-int-or-string: true
x-kubernetes-validations:
@@ -1249,6 +1323,9 @@ spec:
anyOf:
- type: integer
- type: string
+ description: Specifies the maximum number of Pods
+ that can be unavailable during the update process.
+ See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable)
pattern: ^((100|[0-9]{1,2})%|[0-9]+)$
x-kubernetes-int-or-string: true
x-kubernetes-validations:
@@ -1265,31 +1342,42 @@ spec:
- k8s
type: object
proxy:
- description: Proxy defines component configuration for Istio proxy
- sidecar
+ description: Configures the Istio sidecar proxy component.
properties:
k8s:
- description: ProxyK8sConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+ description: Contains a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
properties:
resources:
- description: 'Resources define Kubernetes resources configuration:
- https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
+ description: Defines Kubernetes resources' configuration.
+ See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
properties:
limits:
+ description: The maximum amount of resources a container
+ is allowed to use.
properties:
cpu:
+ description: Specifies CPU resource allocation
+ (requests or limits)
pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$
type: string
memory:
+ description: Specifies memory resource allocation
+ (requests or limits).
pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$
type: string
type: object
requests:
+ description: The minimum amount of resources (such
+ as CPU and memory) a container needs to run.
properties:
cpu:
+ description: Specifies CPU resource allocation
+ (requests or limits)
pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$
type: string
memory:
+ description: Specifies memory resource allocation
+ (requests or limits).
pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$
type: string
type: object
@@ -1300,98 +1388,97 @@ spec:
type: object
type: object
config:
- description: Defines configuration of the Istio installation.
+ description: Configures the Istio installation.
properties:
authorizers:
description: Defines a list of external authorization providers.
items:
description: |-
- Authorizer defines an external authorization provider configuration.
+ Defines an external authorization provider's configuration.
The defined authorizer can be referenced by name in an AuthorizationPolicy
with action CUSTOM to enforce requests to be authorized by the external authorization service.
properties:
headers:
- description: Specifies headers to be included, added or
- forwarded during authorization.
+ description: Specifies the headers included, added, or forwarded
+ during authorization.
properties:
inCheck:
- description: Defines headers to be included or added
+ description: Defines the headers to be included or added
in check authorization request.
properties:
add:
additionalProperties:
type: string
description: |-
- Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
- The Key is the header name and value is the header value.
- Note that client request of the same key or headers specified in `Include` will be overridden.
+ Specifies a set of additional fixed headers included in the authorization request sent to the authorization service.
+ The key is the header name and value is the header value.
+ Client request of the same key or headers specified in `Include` are overridden.
type: object
include:
description: |-
- List of client request headers that should be included in the authorization request sent to the authorization service.
- Note that in addition to the headers specified here, the following headers are included by default:
- 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent.
- 2. *Content-Length* will be set to 0, and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by include_request_body_in_check setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size.
+ Lists client request headers included in the authorization request sent to the authorization service.
+ In addition to the headers specified here, the following headers are included by default:
+ - **Host**, **Method**, **Path**, and **Content-Length** are automatically sent.
+ - **Content-Length** is set to `0`, and the request doesn't have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size.
items:
type: string
type: array
type: object
toDownstream:
- description: Defines headers to be forwarded to the
- downstream (the client).
+ description: Defines the headers to be forwarded to
+ the downstream (the client).
properties:
onAllow:
description: |-
- List of headers from the authorization service that should be forwarded to downstream when the authorization check result is allowed (HTTP code 200).
- If not specified, the original response will not be modified and forwarded to downstream as-is.
- Note, any existing headers will be overridden.
+ Lists headers from the authorization service forwarded to downstream when the authorization check result is allowed (HTTP code `200`).
+ If not specified, the original request is forwarded to the backend unmodified.
+ Any existing headers are overridden.
items:
type: string
type: array
onDeny:
description: |-
- List of headers from the authorization service that should be forwarded to downstream when the authorization check result is not allowed (HTTP code other than 200).
- If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to the downstream.
- When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added.
- Note, the body from the authorization service is always included in the response to downstream.
+ Lists headers from the authorization service forwarded to downstream when the authorization check result is not allowed (HTTP code is other than `200`).
+ If not specified, all the authorization response headers, except **Authority (Host)**, are included in the response to the downstream.
+ When a header is included in this list, the following headers are automatically added: **Path**, **Status**, **Content-Length**, **WWWAuthenticate**, and **Location**.
+ The body from the authorization service is always included in the response to downstream.
items:
type: string
type: array
type: object
toUpstream:
- description: Defines headers to be forwarded to the
- upstream (to the backend service).
+ description: Defines the headers to be forwarded to
+ the upstream (to the backend service).
properties:
onAllow:
description: |-
- List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
- If not specified, the original request will not be modified and forwarded to backend as-is.
- Note, any existing headers will be overridden.
+ Lists headers from the authorization service added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code `200`).
+ If not specified, the original request is forwarded to the backend unmodified.
+ Any existing headers are overridden.
items:
type: string
type: array
type: object
type: object
name:
- description: A unique name identifying the extension authorization
+ description: Specifies a unique name identifying the authorization
provider.
type: string
pathPrefix:
description: |-
- Specifies the prefix which will be included in the request sent to the authorization service.
- The prefix might be constructed with special characters (e.g., "/test?original_path=").
+ Specifies the prefix included in the request sent to the authorization service.
+ The prefix might be constructed with special characters (for example, `/test?original_path=`).
type: string
port:
- description: Specifies the port of the service.
+ description: Specifies the port of the Service.
format: int32
type: integer
service:
description: |-
- Specifies the service that implements the Envoy ext_authz HTTP authorization service.
- The format is "[Namespace/]Hostname".
- The specification of "Namespace" is required only when it is insufficient to unambiguously resolve a service in the service registry.
- The "Hostname" is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.
- The recommended format is "[Namespace/]Hostname".
+ Specifies the service that implements the Envoy `ext_authz` HTTP authorization service.
+ The recommended format is `[Namespace/]Hostname`.
+ Specify the namespace if it is required to unambiguously resolve a service in the service registry.
+ The host name refers to the fully qualified host name of a service defined by either a Kubernetes Service or a ServiceEntry.
type: string
timeout:
description: Specifies the timeout for the HTTP authorization
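Review bot: The rewritten `toDownstream.onAllow` description now reads "If not specified, the original request is forwarded to the backend unmodified", which describes the upstream direction; the removed text correctly said the original response is forwarded to downstream as-is, and the same sentence is right only under `toUpstream.onAllow` further down. For an ext_authz header policy, which side the headers land on (client-facing response vs. backend request) is exactly what a reader of this field needs, so the sentence should be `If not specified, the original response is forwarded to the downstream unmodified.`. This file is generated from `api/v1alpha2/authorizers.go` (its hunk is not in this chunk), so the correction goes there and the CRD and reference doc are regenerated.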
@@ -1416,8 +1503,8 @@ spec:
type: string
gatewayExternalTrafficPolicy:
description: |-
- Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are "Local" or "Cluster". The external traffic policy set to "Local" preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution.
- WARNING: Switching `externalTrafficPolicy` may result in a temporal increase in request delay. Make sure that this is acceptable.
+ Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are `"Local"` or `"Cluster"`. The external traffic policy set to `"Local"` preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution.
+ WARNING: Switching **externalTrafficPolicy** may result in a temporal increase in request delay. Make sure that this is acceptable.
enum:
- Local
- Cluster
@@ -1432,13 +1519,13 @@ spec:
description: Defines the telemetry configuration of Istio.
properties:
metrics:
- description: Istio telemetry configuration related to metrics
+ description: Configures Istio telemetry metrics.
properties:
prometheusMerge:
description: |-
- Defines whether the prometheusMerge feature is enabled. If yes, appropriate prometheus.io annotations will be added to all data plane pods to set up scraping.
- If these annotations already exist, they will be overwritten. With this option, the Envoy sidecar will merge Istio’s metrics with the application metrics.
- The merged metrics will be scraped from :15020/stats/prometheus.
+ Defines whether the **prometheusMerge** feature is enabled. If it is, appropriate prometheus.io annotations are added to all data plane Pods to set up scraping.
+ If these annotations already exist, they are overwritten. With this option, the Envoy sidecar merges Istio’s metrics with the application metrics.
+ The merged metrics are scraped from `:15020/stats/prometheus`.
type: boolean
type: object
type: object
@@ -1453,19 +1540,22 @@ spec:
description: Enables dual-stack support.
type: boolean
pilot:
+ description: Defines experimental features for Istio Pilot.
properties:
enableAlphaGatewayAPI:
+ description: Defines alpha Gateway API support.
type: boolean
enableMultiNetworkDiscoverGatewayAPI:
+ description: Enables multi-network discovery for Gateway API.
type: boolean
type: object
type: object
type: object
status:
- description: Status represents the current state of the Istio installation.
+ description: Defines the current state of the Istio installation.
properties:
conditions:
- description: ' Conditions associated with IstioStatus.'
+ description: Contains conditions associated with **IstioStatus**.
items:
description: Condition contains details for one aspect of the current
state of this API Resource.
@@ -1522,12 +1612,12 @@ spec:
type: object
type: array
description:
- description: Description of Istio status.
+ description: Describes the Istio status.
type: string
state:
- description: |-
- State signifies the current state of CustomObject. Value
- can be one of ("Ready", "Processing", "Error", "Deleting", "Warning").
+ description: Signifies the current state of the Istio custom resource.
+ Possible values are `Ready`, `Processing`, `Error`, `Deleting`,
+ or `Warning`.
enum:
- Processing
- Deleting
diff --git a/crd-ref-docs/config.yaml b/crd-ref-docs/config.yaml
index d51a38394..e533ea448 100644
--- a/crd-ref-docs/config.yaml
+++ b/crd-ref-docs/config.yaml
@@ -9,4 +9,4 @@ render:
knownTypes:
- name: RollingUpdate
package: "github.com/kyma-project/istio/operator/api/v1alpha2"
- link: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#rollingupdatedeployment-v1-apps
+ link: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#rollingupdatedeployment-v1-apps
\ No newline at end of file
diff --git a/crd-ref-docs/templates/gv_list.tpl b/crd-ref-docs/templates/gv_list.tpl
index e0cef4338..33d246681 100644
--- a/crd-ref-docs/templates/gv_list.tpl
+++ b/crd-ref-docs/templates/gv_list.tpl
@@ -35,7 +35,7 @@ The following tables list all the possible parameters of a given resource togeth
### APIVersions
{{- range $groupVersions }}
-- {{ markdownRenderGVLink . }}
+- {{ .GroupVersionString }}
{{- end -}}
{{ range $groupVersions }}
diff --git a/docs/user/04-00-istio-custom-resource.md b/docs/user/04-00-istio-custom-resource.md
index 45ca09dfc..f71c49f93 100644
--- a/docs/user/04-00-istio-custom-resource.md
+++ b/docs/user/04-00-istio-custom-resource.md
@@ -31,14 +31,14 @@ spec:
The following tables list all the possible parameters of a given resource together with their descriptions.
### APIVersions
-- [operator.kyma-project.io/v1alpha2](#operatorkyma-projectiov1alpha2)
+- operator.kyma-project.io/v1alpha2
### Resource Types
- [Istio](#istio)
### Authorizer
-Authorizer defines an external authorization provider configuration.
+Defines an external authorization provider's configuration.
The defined authorizer can be referenced by name in an AuthorizationPolicy
with action CUSTOM to enforce requests to be authorized by the external authorization service.
@@ -47,33 +47,35 @@ Appears in:
| Field | Description | Validation |
| --- | --- | --- |
-| **name**
string | A unique name identifying the extension authorization provider. | Required
|
-| **service**
string | Specifies the service that implements the Envoy ext_authz HTTP authorization service.
The format is "[Namespace/]Hostname".
The specification of "Namespace" is required only when it is insufficient to unambiguously resolve a service in the service registry.
The "Hostname" is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.
The recommended format is "[Namespace/]Hostname". | Optional |
-| **port**
integer | Specifies the port of the service. | Required
|
-| **headers**
[Headers](#headers) | Specifies headers to be included, added or forwarded during authorization. | Optional |
-| **pathPrefix**
string | Specifies the prefix which will be included in the request sent to the authorization service.
The prefix might be constructed with special characters (e.g., "/test?original_path="). | Optional
|
+| **name**
string | Specifies a unique name identifying the authorization provider. | Required
|
+| **service**
string | Specifies the service that implements the Envoy `ext_authz` HTTP authorization service.
The recommended format is `[Namespace/]Hostname`.
Specify the namespace if it is required to unambiguously resolve a service in the service registry.
The host name refers to the fully qualified host name of a service defined by either a Kubernetes Service or a ServiceEntry. | Optional
|
+| **port**
integer | Specifies the port of the Service. | Required
|
+| **headers**
[Headers](#headers) | Specifies the headers included, added, or forwarded during authorization. | Optional |
+| **pathPrefix**
string | Specifies the prefix included in the request sent to the authorization service.
The prefix might be constructed with special characters (for example, `/test?original_path=`). | Optional
|
| **timeout**
[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#duration-v1-meta) | Specifies the timeout for the HTTP authorization request to the external service. | Optional
|
### CniComponent
-CniComponent defines configuration for CNI Istio component.
+Configures the Istio CNI DaemonSet component.
Appears in:
- [Components](#components)
| Field | Description | Validation |
| --- | --- | --- |
-| **k8s**
[CniK8sConfig](#cnik8sconfig) | CniK8sConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec | Required
|
+| **k8s**
[CniK8sConfig](#cnik8sconfig) | Configures the Istio CNI DaemonSet component. It is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). | Required
|
### CniK8sConfig
+Configures the Istio CNI DaemonSet component. It is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
+
Appears in:
- [CniComponent](#cnicomponent)
| Field | Description | Validation |
| --- | --- | --- |
-| **affinity**
[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#affinity-v1-core) | Affinity defines the Pod scheduling affinity constraints: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | Optional
|
-| **resources**
[Resources](#resources) | Resources define Kubernetes resources configuration: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Optional
|
+| **affinity**
[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#affinity-v1-core) | Defines the Pod scheduling affinity constraints. See [Affinity and anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). | Optional
|
+| **resources**
[Resources](#resources) | Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). | Optional
|
### Components
@@ -82,41 +84,38 @@ Appears in:
| Field | Description | Validation |
| --- | --- | --- |
-| **pilot**
[IstioComponent](#istiocomponent) | Pilot defines component configuration for Istiod | Optional |
-| **ingressGateway**
[IstioComponent](#istiocomponent) | IngressGateway defines component configurations for Istio Ingress Gateway | Optional |
-| **cni**
[CniComponent](#cnicomponent) | Cni defines component configuration for Istio CNI DaemonSet | Optional |
-| **proxy**
[ProxyComponent](#proxycomponent) | Proxy defines component configuration for Istio proxy sidecar | Optional |
-| **egressGateway**
[EgressGateway](#egressgateway) | | Optional
|
+| **pilot**
[IstioComponent](#istiocomponent) | Configures the Istiod component. | Optional |
+| **ingressGateway**
[IstioComponent](#istiocomponent) | Configures the Istio Ingress Gateway component. | Optional |
+| **cni**
[CniComponent](#cnicomponent) | Configures the Istio CNI DaemonSet component. | Optional |
+| **proxy**
[ProxyComponent](#proxycomponent) | Configures the Istio sidecar proxy component. | Optional |
+| **egressGateway**
[EgressGateway](#egressgateway) | Configures the Istio Egress Gateway component. | Optional
|
### ConditionReason
Underlying type: string
-Appears in:
-- [ReasonWithMessage](#reasonwithmessage)
-
| Field | Description |
| --- | --- |
-| **ReconcileSucceeded** | Reconciliation finished with full success.
|
+| **ReconcileSucceeded** | Reconciliation finished successfully.
|
| **ReconcileUnknown** | Reconciliation is in progress or failed previously.
|
| **ReconcileRequeued** | Reconciliation is requeued to be tried again later.
|
| **ReconcileFailed** | Reconciliation failed.
|
| **ValidationFailed** | Reconciliation did not happen as validation of Istio Custom Resource failed.
|
-| **OlderCRExists** | Reconciliation did not happen as there exists an older Istio Custom Resource.
|
+| **OlderCRExists** | Reconciliation did not happen because an older Istio CR exists.
|
| **OldestCRNotFound** | Reconciliation did not happen as the oldest Istio Custom Resource could not be found.
|
-| **IstioInstallNotNeeded** | Istio installtion is not needed.
|
+| **IstioInstallNotNeeded** | Istio installation is not needed.
|
| **IstioInstallSucceeded** | Istio installation or uninstallation succeeded.
|
| **IstioUninstallSucceeded** | Istio uninstallation succeeded.
|
| **IstioInstallUninstallFailed** | Istio installation or uninstallation failed.
|
-| **IstioCustomResourceMisconfigured** | Istio Custom Resource has invalid configuration.
|
-| **IstioCustomResourcesDangling** | Istio Custom Resources are blocking Istio uninstallation.
|
+| **IstioCustomResourceMisconfigured** | The Istio custom resource has invalid configuration.
|
+| **IstioCustomResourcesDangling** | Istio custom resources are blocking Istio uninstallation.
|
| **IstioVersionUpdateNotAllowed** | Istio version update is not allowed.
|
-| **CustomResourcesReconcileSucceeded** | Custom resources reconciliation succeeded.
|
-| **CustomResourcesReconcileFailed** | Custom resources reconciliation failed.
|
+| **CustomResourcesReconcileSucceeded** | Reconciliation of custom resources succeeded.
|
+| **CustomResourcesReconcileFailed** | Reconciliation of custom resources failed.
|
| **ProxySidecarRestartSucceeded** | Proxy sidecar restart succeeded.
|
| **ProxySidecarRestartFailed** | Proxy sidecar restart failed.
|
| **ProxySidecarRestartPartiallySucceeded** | Proxy sidecar restart partially succeeded.
|
-| **ProxySidecarManualRestartRequired** | Proxy sidecar manual restart is required.
|
+| **ProxySidecarManualRestartRequired** | A manual restart of the proxy sidecar is required for some workloads.
|
| **IngressGatewayRestartSucceeded** | Istio ingress gateway restart succeeded.
|
| **IngressGatewayRestartFailed** | Istio ingress gateway restart failed.
|
| **EgressGatewayRestartSucceeded** | Istio egress gateway restart succeeded.
|
@@ -128,7 +127,7 @@ Appears in:
### Config
-Config is the configuration for the Istio installation.
+Configures the Istio installation.
Appears in:
- [IstioSpec](#istiospec)
@@ -138,87 +137,97 @@ Appears in:
| **numTrustedProxies**
integer | Defines the number of trusted proxies deployed in front of the Istio gateway proxy. | Maximum: 4.294967295e+09
Minimum: 0
|
| **forwardClientCertDetails**
[XFCCStrategy](#xfccstrategy) | Defines the strategy of handling the **X-Forwarded-Client-Cert** header.
The default behavior is "SANITIZE". | Enum: [APPEND_FORWARD SANITIZE_SET SANITIZE ALWAYS_FORWARD_ONLY FORWARD_ONLY]
Optional
|
| **authorizers**
[Authorizer](#authorizer) array | Defines a list of external authorization providers. | Optional |
-| **gatewayExternalTrafficPolicy**
string | Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are "Local" or "Cluster". The external traffic policy set to "Local" preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution.
WARNING: Switching `externalTrafficPolicy` may result in a temporal increase in request delay. Make sure that this is acceptable. | Enum: [Local Cluster]
Optional
|
+| **gatewayExternalTrafficPolicy**
string | Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are `"Local"` or `"Cluster"`. The external traffic policy set to `"Local"` preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution.
WARNING: Switching **externalTrafficPolicy** may result in a temporal increase in request delay. Make sure that this is acceptable. | Enum: [Local Cluster]
Optional
|
| **telemetry**
[Telemetry](#telemetry) | Defines the telemetry configuration of Istio. | Optional
|
### EgressGateway
-EgressGateway defines configuration for Istio egressGateway.
+Configures the Istio Egress Gateway component.
Appears in:
- [Components](#components)
| Field | Description | Validation |
| --- | --- | --- |
-| **k8s**
[KubernetesResourcesConfig](#kubernetesresourcesconfig) | Defines the Kubernetes resources configuration for Istio egress gateway. | Optional
|
-| **enabled**
boolean | Enables or disables the Istio egress gateway. | Optional
|
+| **k8s**
[KubernetesResourcesConfig](#kubernetesresourcesconfig) | Defines the Kubernetes resources' configuration for Istio Egress Gateway. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). | Optional
|
+| **enabled**
boolean | Enables or disables Istio Egress Gateway. | Optional
|
### Experimental
+Defines experimental features.
+
Appears in:
- [IstioSpec](#istiospec)
| Field | Description | Validation |
| --- | --- | --- |
-| **pilot**
[PilotFeatures](#pilotfeatures) | | Optional |
+| **pilot**
[PilotFeatures](#pilotfeatures) | Defines experimental features for Istio Pilot. | Optional
|
| **enableDualStack**
boolean | Enables dual-stack support. | Optional
|
| **enableAmbient**
boolean | Enables ambient mode support. | Optional
|
### HPASpec
-HPASpec defines configuration for HorizontalPodAutoscaler.
+Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/).
Appears in:
- [KubernetesResourcesConfig](#kubernetesresourcesconfig)
| Field | Description | Validation |
| --- | --- | --- |
-| **maxReplicas**
integer | | Maximum: 2.147483647e+09
Minimum: 0
|
-| **minReplicas**
integer | | Maximum: 2.147483647e+09
Minimum: 0
|
+| **maxReplicas**
integer | Defines the minimum number of replicas for the HorizontalPodAutoscaler. | Maximum: 2.147483647e+09
Minimum: 0
|
+| **minReplicas**
integer | Defines the maximum number of replicas for the HorizontalPodAutoscaler. | Maximum: 2.147483647e+09
Minimum: 0
|
### Headers
+Specifies headers included, added, or forwarded during authorization.
+Exact, prefix, and suffix matches are supported, similar to the syntax used in AuthorizationPolicy rules (excluding the presence match):
+- Exact match: `abc` matches the value `abc`.
+- Prefix match: `abc*` matches the values `abc` and `abcd`.
+- Suffix match: `*abc` matches the values `abc` and `xabc`.
+
Appears in:
- [Authorizer](#authorizer)
| Field | Description | Validation |
| --- | --- | --- |
-| **inCheck**
[InCheck](#incheck) | Defines headers to be included or added in check authorization request. | Optional |
-| **toUpstream**
[ToUpstream](#toupstream) | Defines headers to be forwarded to the upstream (to the backend service). | Optional |
-| **toDownstream**
[ToDownstream](#todownstream) | Defines headers to be forwarded to the downstream (the client). | Optional |
+| **inCheck**
[InCheck](#incheck) | Defines the headers to be included or added in check authorization request. | Optional |
+| **toUpstream**
[ToUpstream](#toupstream) | Defines the headers to be forwarded to the upstream (to the backend service). | Optional |
+| **toDownstream**
[ToDownstream](#todownstream) | Defines the headers to be forwarded to the downstream (the client). | Optional |
### InCheck
+Defines the headers to be included or added in check authorization request.
+
Appears in:
- [Headers](#headers)
| Field | Description | Validation |
| --- | --- | --- |
-| **include**
string array | List of client request headers that should be included in the authorization request sent to the authorization service.
Note that in addition to the headers specified here, the following headers are included by default:
1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent.
2. *Content-Length* will be set to 0, and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by include_request_body_in_check setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. | Optional |
-| **add**
object (keys:string, values:string) | Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
The Key is the header name and value is the header value.
Note that client request of the same key or headers specified in `Include` will be overridden. | Optional |
+| **include**
string array | Lists client request headers included in the authorization request sent to the authorization service.
In addition to the headers specified here, the following headers are included by default:
- **Host**, **Method**, **Path**, and **Content-Length** are automatically sent.
- **Content-Length** is set to `0`, and the request doesn't have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. | Optional |
+| **add**
object (keys:string, values:string) | Specifies a set of additional fixed headers included in the authorization request sent to the authorization service.
The key is the header name and value is the header value.
Client request of the same key or headers specified in `Include` are overridden. | Optional |
### Istio
-Istio contains Istio CR specification and current status.
+Contains the Istio custom resource's specification and its current status.
| Field | Description | Validation |
| --- | --- | --- |
| **apiVersion**
string | `operator.kyma-project.io/v1alpha2` | Optional |
| **kind**
string | `Istio` | Optional |
| **metadata**
[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#objectmeta-v1-meta) | For more information on the metadata fields, see Kubernetes API documentation. | Optional |
-| **spec**
[IstioSpec](#istiospec) | Spec defines the desired state of the Istio installation. | Optional |
-| **status**
[IstioStatus](#istiostatus) | Status represents the current state of the Istio installation. | Optional |
+| **spec**
[IstioSpec](#istiospec) | Defines the desired state of the Istio installation. | Optional |
+| **status**
[IstioStatus](#istiostatus) | Defines the current state of the Istio installation. | Optional |
### IstioComponent
-IstioComponent defines configuration for generic Istio component (ingress gateway, istiod).
+Defines the configuration for the generic Istio components, that is, Istio Ingress gateway and istiod.
Appears in:
- [Components](#components)
| Field | Description | Validation |
| --- | --- | --- |
-| **k8s**
[KubernetesResourcesConfig](#kubernetesresourcesconfig) | | Required
|
+| **k8s**
[KubernetesResourcesConfig](#kubernetesresourcesconfig) | Defines the Kubernetes resources' configuration for Istio components. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). | Required
|
### IstioSpec
@@ -229,27 +238,27 @@ Appears in:
| Field | Description | Validation |
| --- | --- | --- |
-| **config**
[Config](#config) | Defines configuration of the Istio installation. | Optional
|
-| **components**
[Components](#components) | Defines configuration of Istio components. | Optional
|
+| **config**
[Config](#config) | Configures the Istio installation. | Optional
|
+| **components**
[Components](#components) | Configures Istio components. | Optional
|
| **experimental**
[Experimental](#experimental) | Defines experimental configuration options. | Optional
|
-| **compatibilityMode**
boolean | Enables compatibility mode for Istio installation. | Optional
|
+| **compatibilityMode**
boolean | Enables the compatibility mode for the Istio installation. | Optional
|
### IstioStatus
-IstioStatus defines the observed state of IstioCR.
+Defines the observed state of the Istio custom resource.
Appears in:
- [Istio](#istio)
| Field | Description | Validation |
| --- | --- | --- |
-| **state**
[State](#state) | State signifies the current state of CustomObject. Value
can be one of ("Ready", "Processing", "Error", "Deleting", "Warning"). | Enum: [Processing Deleting Ready Error Warning]
Required
|
-| **conditions**
[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#condition-v1-meta) | Conditions associated with IstioStatus. | Optional |
-| **description**
string | Description of Istio status. | Optional |
+| **state**
[State](#state) | Signifies the current state of the Istio custom resource. Possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`. | Enum: [Processing Deleting Ready Error Warning]
Required
|
+| **conditions**
[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#condition-v1-meta) | Contains conditions associated with **IstioStatus**. | Optional |
+| **description**
string | Describes the Istio status. | Optional |
### KubernetesResourcesConfig
-KubernetesResourcesConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+Defines Kubernetes-level configuration options for Istio components. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
Appears in:
- [EgressGateway](#egressgateway)
@@ -257,65 +266,71 @@ Appears in:
| Field | Description | Validation |
| --- | --- | --- |
-| **hpaSpec**
[HPASpec](#hpaspec) | HPASpec defines configuration for HorizontalPodAutoscaler: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | Optional
|
-| **strategy**
[Strategy](#strategy) | Strategy defines configuration for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment | Optional
|
-| **resources**
[Resources](#resources) | Resources define Kubernetes resources configuration: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Optional
|
+| **hpaSpec**
[HPASpec](#hpaspec) | Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). | Optional
|
+| **strategy**
[Strategy](#strategy) | Defines the rolling updates strategy. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). | Optional
|
+| **resources**
[Resources](#resources) | Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). | Optional
|
### Metrics
+Configures Istio telemetry metrics.
+
Appears in:
- [Telemetry](#telemetry)
| Field | Description | Validation |
| --- | --- | --- |
-| **prometheusMerge**
boolean | Defines whether the prometheusMerge feature is enabled. If yes, appropriate prometheus.io annotations will be added to all data plane pods to set up scraping.
If these annotations already exist, they will be overwritten. With this option, the Envoy sidecar will merge Istio’s metrics with the application metrics.
The merged metrics will be scraped from :15020/stats/prometheus. | Optional
|
+| **prometheusMerge**
boolean | Defines whether the **prometheusMerge** feature is enabled. If it is, appropriate prometheus.io annotations are added to all data plane Pods to set up scraping.
If these annotations already exist, they are overwritten. With this option, the Envoy sidecar merges Istio’s metrics with the application metrics.
The merged metrics are scraped from `:15020/stats/prometheus`. | Optional
|
### PilotFeatures
+Defines experimental features for Istio Pilot.
+
Appears in:
- [Experimental](#experimental)
| Field | Description | Validation |
| --- | --- | --- |
-| **enableAlphaGatewayAPI**
boolean | | Optional |
-| **enableMultiNetworkDiscoverGatewayAPI**
boolean | | Optional |
+| **enableAlphaGatewayAPI**
boolean | Defines alpha Gateway API support. | Optional
|
+| **enableMultiNetworkDiscoverGatewayAPI**
boolean | Enables multi-network discovery for Gateway API. | Optional
|
### ProxyComponent
-ProxyComponent defines configuration for Istio proxies.
+Configures the Istio sidecar proxy component.
Appears in:
- [Components](#components)
| Field | Description | Validation |
| --- | --- | --- |
-| **k8s**
[ProxyK8sConfig](#proxyk8sconfig) | | Required
|
+| **k8s**
[ProxyK8sConfig](#proxyk8sconfig) | Contains a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). | Required
|
### ProxyK8sConfig
-ProxyK8sConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
+Contains a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).
Appears in:
- [ProxyComponent](#proxycomponent)
| Field | Description | Validation |
| --- | --- | --- |
-| **resources**
[Resources](#resources) | | Optional |
+| **resources**
[Resources](#resources) | Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). | Optional |
### ResourceClaims
+Defines CPU and memory resource requirements for Kubernetes containers and Pods. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+
Appears in:
- [Resources](#resources)
| Field | Description | Validation |
| --- | --- | --- |
-| **cpu**
string | | Pattern: `^([0-9]+m?\|[0-9]\.[0-9]\{1,3\})$`
|
-| **memory**
string | | Pattern: `^[0-9]+(((\.[0-9]+)?(E\|P\|T\|G\|M\|k\|Ei\|Pi\|Ti\|Gi\|Mi\|Ki\|m)?)\|(e[0-9]+))$`
|
+| **cpu**
string | Specifies CPU resource allocation (requests or limits) | Pattern: `^([0-9]+m?\|[0-9]\.[0-9]\{1,3\})$`
|
+| **memory**
string | Specifies memory resource allocation (requests or limits). | Pattern: `^[0-9]+(((\.[0-9]+)?(E\|P\|T\|G\|M\|k\|Ei\|Pi\|Ti\|Gi\|Mi\|Ki\|m)?)\|(e[0-9]+))$`
|
### Resources
-Resources define Kubernetes resources configuration: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
Appears in:
- [CniK8sConfig](#cnik8sconfig)
@@ -324,23 +339,26 @@ Appears in:
| Field | Description | Validation |
| --- | --- | --- |
-| **limits**
[ResourceClaims](#resourceclaims) | | Optional |
-| **requests**
[ResourceClaims](#resourceclaims) | | Optional |
+| **limits**
[ResourceClaims](#resourceclaims) | The maximum amount of resources a container is allowed to use. | Optional |
+| **requests**
[ResourceClaims](#resourceclaims) | The minimum amount of resources (such as CPU and memory) a container needs to run. | Optional |
### RollingUpdate
-RollingUpdate defines configuration for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment
+Defines the configuration for rolling updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
Appears in:
- [Strategy](#strategy)
| Field | Description | Validation |
| --- | --- | --- |
-| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | | Pattern: `^[0-9]+%?$`
XIntOrString: \{\}
|
-| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | | Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString: \{\}
|
+| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). | Optional
Pattern: `^[0-9]+%?$`
XIntOrString
|
+| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) | Optional
Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString
|
### State
+Signifies the current state of the Istio custom resource.
+The possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`.
+
Underlying type: string
Appears in:
@@ -348,50 +366,56 @@ Appears in:
| Field | Description |
| --- | --- |
-| **Ready** | Ready is reported when the Istio installation / upgrade process has completed successfully.
|
-| **Processing** | Processing is reported when the Istio installation / upgrade process is in progress.
|
-| **Error** | Error is reported when the Istio installation / upgrade process has failed.
|
-| **Deleting** | Deleting is reported when the Istio installation / upgrade process is being deleted.
|
-| **Warning** | Warning is reported when the Istio installation / upgrade process has completed with warnings.
This state warrants user attention, as some features may not work as expected.
|
+| **Ready** | Istio installation or upgrade process has completed successfully.
|
+| **Processing** | Istio installation or upgrade process is in progress.
|
+| **Error** | Istio installation or upgrade process has failed.
|
+| **Deleting** | The Istio custom resource is being deleted.
|
+| **Warning** | Istio installation or upgrade process has completed with warnings.
This state warrants user attention, as some features may not work as expected.
|
### Strategy
-Strategy defines rolling update strategy.
+Defines the rolling updates strategy. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
Appears in:
- [KubernetesResourcesConfig](#kubernetesresourcesconfig)
| Field | Description | Validation |
| --- | --- | --- |
-| **rollingUpdate**
[RollingUpdate](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#rollingupdatedeployment-v1-apps) | | Required
|
+| **rollingUpdate**
[RollingUpdate](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#rollingupdatedeployment-v1-apps) | Defines the configuration for rolling updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). | Required
|
### Telemetry
+Configures Istio telemetry.
+
Appears in:
- [Config](#config)
| Field | Description | Validation |
| --- | --- | --- |
-| **metrics**
[Metrics](#metrics) | Istio telemetry configuration related to metrics | Optional
|
+| **metrics**
[Metrics](#metrics) | Configures Istio telemetry metrics. | Optional
|
### ToDownstream
+Defines the headers to be forwarded to the downstream (the client).
+
Appears in:
- [Headers](#headers)
| Field | Description | Validation |
| --- | --- | --- |
-| **onAllow**
string array | List of headers from the authorization service that should be forwarded to downstream when the authorization check result is allowed (HTTP code 200).
If not specified, the original response will not be modified and forwarded to downstream as-is.
Note, any existing headers will be overridden. | Optional |
-| **onDeny**
string array | List of headers from the authorization service that should be forwarded to downstream when the authorization check result is not allowed (HTTP code other than 200).
If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to the downstream.
When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added.
Note, the body from the authorization service is always included in the response to downstream. | Optional |
+| **onAllow**
string array | Lists headers from the authorization service forwarded to downstream when the authorization check result is allowed (HTTP code `200`).
If not specified, the original request is forwarded to the backend unmodified.
Any existing headers are overridden. | Optional |
+| **onDeny**
string array | Lists headers from the authorization service forwarded to downstream when the authorization check result is not allowed (HTTP code is other than `200`).
If not specified, all the authorization response headers, except **Authority (Host)**, are included in the response to the downstream.
When a header is included in this list, the following headers are automatically added: **Path**, **Status**, **Content-Length**, **WWWAuthenticate**, and **Location**.
The body from the authorization service is always included in the response to downstream. | Optional |
### ToUpstream
+Defines the headers to be forwarded to the upstream (to the backend service).
+
Appears in:
- [Headers](#headers)
| Field | Description | Validation |
| --- | --- | --- |
-| **onAllow**
string array | List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
If not specified, the original request will not be modified and forwarded to backend as-is.
Note, any existing headers will be overridden. | Optional |
+| **onAllow**
string array | Lists headers from the authorization service added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code `200`).
If not specified, the original request is forwarded to the backend unmodified.
Any existing headers are overridden. | Optional |
### XFCCStrategy