From 83fec622712806d84eb1446036b18648b0e88017 Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Fri, 28 Nov 2025 14:01:14 +0100 Subject: [PATCH 01/19] update crd descriptions --- api/v1alpha2/authorizers.go | 77 ++--- api/v1alpha2/istio_structs.go | 70 +++-- api/v1alpha2/istio_types.go | 53 ++-- api/v1alpha2/telemetry.go | 12 +- .../operator.kyma-project.io_istios.yaml | 294 ++++++++++++------ crd-ref-docs/templates/gv_list.tpl | 2 +- docs/user/04-00-istio-custom-resource.md | 179 ++++++----- 7 files changed, 416 insertions(+), 271 deletions(-) diff --git a/api/v1alpha2/authorizers.go b/api/v1alpha2/authorizers.go index ae96bf7696..30edb4d338 100644 --- a/api/v1alpha2/authorizers.go +++ b/api/v1alpha2/authorizers.go 
@@ -4,30 +4,29 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -// Authorizer defines an external authorization provider configuration. +// Defines an external authorization provider's configuration. // The defined authorizer can be referenced by name in an AuthorizationPolicy // with action CUSTOM to enforce requests to be authorized by the external authorization service. type Authorizer struct { - // A unique name identifying the extension authorization provider. + // Specifies a unique name identifying the authorization provider. // +kubebuilder:validation:Required Name string `json:"name"` - // Specifies the service that implements the Envoy ext_authz HTTP authorization service. - // The format is "[Namespace/]Hostname". - // The specification of "Namespace" is required only when it is insufficient to unambiguously resolve a service in the service registry. - // The "Hostname" is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry. - // The recommended format is "[Namespace/]Hostname". + // Specifies the service that implements the Envoy `ext_authz` HTTP authorization service. + // The recommended format is `[Namespace/]Hostname`. + // Specify the namespace if it is required to unambiguously resolve a service in the service registry. + // The host name refers to the fully qualified host name of a service defined by either a Kubernetes Service or a ServiceEntry. Service string `json:"service"` - // Specifies the port of the service. + // Specifies the port of the Service. // +kubebuilder:validation:Required Port uint32 `json:"port"` - // Specifies headers to be included, added or forwarded during authorization. + // Specifies the headers included, added, or forwarded during authorization. Headers *Headers `json:"headers,omitempty"` - // Specifies the prefix which will be included in the request sent to the authorization service. 
- // The prefix might be constructed with special characters (e.g., "/test?original_path="). + // Specifies the prefix which included in the request sent to the authorization service. + // The prefix might be constructed with special characters (for example, `/test?original_path=`). // +kubebuilder:validation:Optional PathPrefix *string `json:"pathPrefix,omitempty"` 
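Review bot: The rewritten `PathPrefix` comment drops its verb: `// Specifies the prefix which included in the request sent to the authorization service.` should read `// Specifies the prefix that is included in the request sent to the authorization service.`. Separately, every exported type touched by this patch (`Authorizer` here, and `Headers`, `Config`, `Istio`, `State` and the others in later hunks) loses the leading type name from its doc comment, which staticcheck's ST1021 flags and which also removes the name from `go doc` output; if the intent is cleaner CRD descriptions, confirm the linters run in CI accept that before merging. The `Authorizer` struct continues past the end of this hunk.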
@@ -36,52 +35,54 @@ type Authorizer struct { Timeout *metav1.Duration `json:"timeout,omitempty"` } -// Exact, prefix and suffix matches are supported (similar to the authorization policy rule syntax except the presence match -// https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule): -// - Exact match: "abc" will match on value "abc". -// - Prefix match: "abc*" will match on value "abc" and "abcd". -// - Suffix match: "*abc" will match on value "abc" and "xabc". - +// Specifies headers included, added, or forwarded during authorization. +// Exact, prefix, and suffix matches are supported, similar to the syntax used in AuthorizationPolicy rules (excluding the presence match): +// - Exact match: `abc` matches the value `abc`. +// - Prefix match: `abc*` matches the values `abc` and `abcd`. +// - Suffix match: `*abc` matches the values `abc` and `xabc`. type Headers struct { - // Defines headers to be included or added in check authorization request. + // Defines the headers to be included or added in check authorization request. InCheck *InCheck `json:"inCheck,omitempty"` - // Defines headers to be forwarded to the upstream (to the backend service). + // Defines the headers to be forwarded to the upstream (to the backend service). ToUpstream *ToUpstream `json:"toUpstream,omitempty"` - // Defines headers to be forwarded to the downstream (the client). + // Defines the headers to be forwarded to the downstream (the client). ToDownstream *ToDownstream `json:"toDownstream,omitempty"` } +// Defines the headers to be included or added in check authorization request. type InCheck struct { - // List of client request headers that should be included in the authorization request sent to the authorization service. - // Note that in addition to the headers specified here, the following headers are included by default: - // 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. - // 2. 
*Content-Length* will be set to 0, and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by include_request_body_in_check setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. + // Lists client request headers included in the authorization request sent to the authorization service. + // In addition to the headers specified here, the following headers are included by default: + // - *Host*, *Method*, *Path*, and *Content-Length* are automatically sent. + // - *Content-Length* is set to `0`, and the request does have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. Include []string `json:"include,omitempty"` - // Set of additional fixed headers that should be included in the authorization request sent to the authorization service. - // The Key is the header name and value is the header value. - // Note that client request of the same key or headers specified in `Include` will be overridden. + // Specifies a set of additional fixed headers that included in the authorization request sent to the authorization service. + // The key is the header name and value is the header value. + // Client request of the same key or headers specified in `Include` are overridden. Add map[string]string `json:"add,omitempty"` } +// Defines the headers to be forwarded to the upstream (to the backend service). type ToUpstream struct { - // List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). - // If not specified, the original request will not be modified and forwarded to backend as-is. 
- // Note, any existing headers will be overridden. + // Lists headers from the authorization service added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code `200`). + // If not specified, the original request is forwarded to the backend unmodified. + // Any existing headers are overridden. OnAllow []string `json:"onAllow,omitempty"` } +// Defines the headers to be forwarded to the downstream (the client). type ToDownstream struct { - // List of headers from the authorization service that should be forwarded to downstream when the authorization check result is allowed (HTTP code 200). - // If not specified, the original response will not be modified and forwarded to downstream as-is. - // Note, any existing headers will be overridden. + // Lists headers from the authorization service forwarded to downstream when the authorization check result is allowed (HTTP code `200`). + // If not specified, the original request is forwarded to the backend unmodified. + // Any existing headers are overridden. OnAllow []string `json:"onAllow,omitempty"` - // List of headers from the authorization service that should be forwarded to downstream when the authorization check result is not allowed (HTTP code other than 200). - // If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to the downstream. - // When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added. - // Note, the body from the authorization service is always included in the response to downstream. + // Lists headers from the authorization service forwarded to downstream when the authorization check result is not allowed (HTTP code is other than `200`). + // If not specified, all the authorization response headers, except *Authority (Host)*, are included in the response to the downstream. 
+ // When a header is included in this list, the following headers are automatically added: *Path*, *Status*, *Content-Length*, *WWWAuthenticate*, and *Location*. + // The body from the authorization service is always included in the response to downstream. OnDeny []string `json:"onDeny,omitempty"` -} +} \ No newline at end of file diff --git a/api/v1alpha2/istio_structs.go b/api/v1alpha2/istio_structs.go index aec0eb19e9..c8ad9b1db7 100644 --- a/api/v1alpha2/istio_structs.go +++ b/api/v1alpha2/istio_structs.go @@ -5,9 +5,8 @@ import ( "k8s.io/apimachinery/pkg/util/intstr" ) +// Configures the Istio installation. // +kubebuilder:validation:Optional - -// Config is the configuration for the Istio installation. type Config struct { // Defines the number of trusted proxies deployed in front of the Istio gateway proxy. // +kubebuilder:validation:Minimum=0 
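Review bot: The rewritten `InCheck.Include` comment inverts the original meaning: the phrase "the request does have a message body" should be "the request does not have a message body", as the removed line stated. `ToDownstream.OnAllow` now carries the upstream sentence ("the original request is forwarded to the backend unmodified") where the removed text described the response to the client; it should read `// If not specified, the original response is forwarded to the downstream unmodified.`. `InCheck.Add` is also missing a verb (`headers that included` should be `headers that are included`). Finally, the `\ No newline at end of file` marker on the `+` side shows this commit strips the trailing newline from authorizers.go, and the same happens in istio_structs.go, istio_types.go and telemetry.go; gofmt will restore it and formatting checks may fail, so re-add it in all four files.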
@@ -17,8 +16,8 @@ type Config struct { // Defines a list of external authorization providers. Authorizers []*Authorizer `json:"authorizers,omitempty"` - // Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are "Local" or "Cluster". The external traffic policy set to "Local" preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution. - // WARNING: Switching `externalTrafficPolicy` may result in a temporal increase in request delay. Make sure that this is acceptable. + // Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are `"Local"` or `"Cluster"`. The external traffic policy set to `"Local"` preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution. + // WARNING: Switching **externalTrafficPolicy** may result in a temporal increase in request delay. Make sure that this is acceptable. // +kubebuilder:validation:Optional // +kubebuilder:validation:Enum=Local;Cluster GatewayExternalTrafficPolicy *string `json:"gatewayExternalTrafficPolicy,omitempty"` 
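Review bot: The new `GatewayExternalTrafficPolicy` comment wraps the enum values in both backticks and quotes (`"Local"`, `"Cluster"`), which renders as literal quotes in the generated CRD description and in crd-ref-docs; the accepted values per the `+kubebuilder:validation:Enum=Local;Cluster` marker are the bare words, so write `Local` and `Cluster`. `temporal increase` carried into the new line is a typo for `temporary increase`. Since the text already states that `Local` preserves the client IP, stating the converse helps operators, e.g. `// With Cluster, the client source IP is not preserved, so IP-based authorization or audit logging cannot rely on it.` The enclosing `Config` struct starts before and ends after this hunk.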
@@ -28,114 +27,129 @@ type Config struct { Telemetry Telemetry `json:"telemetry,omitempty"` } +// Configures Istio components. type Components struct { - // Pilot defines component configuration for Istiod + // Configures the Istio Pilot component. Pilot *IstioComponent `json:"pilot,omitempty"` - // IngressGateway defines component configurations for Istio Ingress Gateway + // Configures the Istio Ingress Gateway component. IngressGateway *IstioComponent `json:"ingressGateway,omitempty"` - // Cni defines component configuration for Istio CNI DaemonSet + // Configures the Istio CNI DaemonSet component. Cni *CniComponent `json:"cni,omitempty"` - // Proxy defines component configuration for Istio proxy sidecar + // Configures the Istio sidecar proxy component. Proxy *ProxyComponent `json:"proxy,omitempty"` + // Configures the Istio Egress Gateway component. // +kubebuilder:validation:Optional EgressGateway *EgressGateway `json:"egressGateway,omitempty"` } -// KubernetesResourcesConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec +// Defines Kubernetes-level configuration options for Istio components. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). type KubernetesResourcesConfig struct { - // HPASpec defines configuration for HorizontalPodAutoscaler: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ + // Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). // +kubebuilder:validation:Optional HPASpec *HPASpec `json:"hpaSpec,omitempty"` - // Strategy defines configuration for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment + // Defines the rolling updates strategy. 
See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). // +kubebuilder:validation:Optional Strategy *Strategy `json:"strategy,omitempty"` - // Resources define Kubernetes resources configuration: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). // +kubebuilder:validation:Optional Resources *Resources `json:"resources,omitempty"` } -// ProxyComponent defines configuration for Istio proxies. +// Configures the Istio sidecar proxy component. type ProxyComponent struct { + // **ProxyK8sConfig** is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). // +kubebuilder:validation:Required K8S *ProxyK8sConfig `json:"k8s"` } -// ProxyK8sConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec +// **ProxyK8sConfig** is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). type ProxyK8sConfig struct { + // Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). Resources *Resources `json:"resources,omitempty"` } -// CniComponent defines configuration for CNI Istio component. +// Configures the Istio CNI DaemonSet component. type CniComponent struct { - // CniK8sConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec + // Configures the Istio CNI DaemonSet component. 
It is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). // +kubebuilder:validation:Required K8S *CniK8sConfig `json:"k8s"` } +// Configures the Istio CNI DaemonSet component. It is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). type CniK8sConfig struct { - // Affinity defines the Pod scheduling affinity constraints: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity + // Defines the Pod scheduling affinity constraints. See [Affinity and anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). // +kubebuilder:validation:Optional Affinity *corev1.Affinity `json:"affinity,omitempty"` - // Resources define Kubernetes resources configuration: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). // +kubebuilder:validation:Optional Resources *Resources `json:"resources,omitempty"` } -// HPASpec defines configuration for HorizontalPodAutoscaler. +// Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). type HPASpec struct { + // Defines the minimum number of replicas for the HorizontalPodAutoscaler. // +kubebuilder:validation:Minimum=0 // +kubebuilder:validation:Maximum=2147483647 MaxReplicas *int32 `json:"maxReplicas,omitempty"` + // Defines the maximum number of replicas for the HorizontalPodAutoscaler. 
// +kubebuilder:validation:Minimum=0 // +kubebuilder:validation:Maximum=2147483647 MinReplicas *int32 `json:"minReplicas,omitempty"` } -// IstioComponent defines configuration for generic Istio component (ingress gateway, istiod). +// Defines the configuration for the generic Istio components, that is, Istio Ingress gateway and istiod. type IstioComponent struct { + // Defines the Kubernetes resources' configuration for Istio components. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). // +kubebuilder:validation:Required K8s *KubernetesResourcesConfig `json:"k8s"` } -// Strategy defines rolling update strategy. +// Defines the rolling updates strategy. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). type Strategy struct { + // Defines the configuration for rolling updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). // +kubebuilder:validation:Required RollingUpdate *RollingUpdate `json:"rollingUpdate"` } -// RollingUpdate defines configuration for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment +// Defines the configuration for rolling updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). type RollingUpdate struct { + // Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). // +kubebuilder:validation:XIntOrString // +kubebuilder:validation:Pattern=`^[0-9]+%?$` // +kubebuilder:validation:XValidation:rule="(type(self) == int ? 
self >= 0 && self <= 2147483647: self.size() >= 0)",message="must not be negative, more than 2147483647 or an empty string" MaxSurge *intstr.IntOrString `json:"maxSurge" protobuf:"bytes,2,opt,name=maxSurge"` + // Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) // +kubebuilder:validation:XIntOrString // +kubebuilder:validation:Pattern="^((100|[0-9]{1,2})%|[0-9]+)$" // +kubebuilder:validation:XValidation:rule="(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)",message="must not be negative, more than 2147483647 or an empty string" MaxUnavailable *intstr.IntOrString `json:"maxUnavailable" protobuf:"bytes,1,opt,name=maxUnavailable"` } -// Resources define Kubernetes resources configuration: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +// Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). type Resources struct { + // The maximum amount of resources a container is allowed to use. Limits *ResourceClaims `json:"limits,omitempty"` + // The minimum amount of resources ( such as CPU and memory) a container needs to run. Requests *ResourceClaims `json:"requests,omitempty"` } +// Defines CPU and memory resource requirements for Kubernetes containers and Pods. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). type ResourceClaims struct { + // Specifies CPU resource allocation (requests or limits) // +kubebuilder:validation:Pattern=`^([0-9]+m?|[0-9]\.[0-9]{1,3})$` CPU *string `json:"cpu,omitempty"` - + // Specifies memory resource allocation (requests or limits). 
// +kubebuilder:validation:Pattern=`^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$` Memory *string `json:"memory,omitempty"` } -// EgressGateway defines configuration for Istio egressGateway. +// Configures the Istio Egress Gateway component. type EgressGateway struct { - // Defines the Kubernetes resources configuration for Istio egress gateway. + // Defines the Kubernetes resources' configuration for Istio Egress Gateway. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). // +kubebuilder:validation:Optional K8s *KubernetesResourcesConfig `json:"k8s"` - // Enables or disables the Istio egress gateway. + // Enables or disables Istio Egress Gateway. // +kubebuilder:validation:Optional Enabled *bool `json:"enabled,omitempty"` -} +} \ No newline at end of file diff --git a/api/v1alpha2/istio_types.go b/api/v1alpha2/istio_types.go index 048ec0f53d..a57c4e7f06 100644 --- a/api/v1alpha2/istio_types.go +++ b/api/v1alpha2/istio_types.go 
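Review bot: The new `HPASpec` field comments are swapped: `MaxReplicas` is described as `Defines the minimum number of replicas for the HorizontalPodAutoscaler.` and `MinReplicas` as the maximum; exchange the two comments so each field documents its own meaning. The same mix-up occurs in `RollingUpdate`: `MaxSurge` receives the text about Pods that can be unavailable and `MaxUnavailable` the text about Pods created over the desired count, so these two comments also need swapping (and `MaxUnavailable`'s comment lacks its closing period). Because operator.kyma-project.io_istios.yaml is generated from these comments, the swapped `maxReplicas`/`minReplicas` descriptions already appear in its hunk at the end of this patch and must be regenerated after the fix. Minor: `ResourceClaims.CPU`'s comment is missing its trailing period and `Resources.Requests` has a stray space in `( such as`.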
@@ -20,21 +20,23 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +// Signifies the current state of the Istio custom resource. +// The possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`. type State string type ConditionType string type ConditionReason string // Valid IstioCR States. const ( - // Ready is reported when the Istio installation / upgrade process has completed successfully. + // Istio installation or upgrade process has completed successfully. Ready State = "Ready" - // Processing is reported when the Istio installation / upgrade process is in progress. + // Istio installation or upgrade process is in progress. Processing State = "Processing" - // Error is reported when the Istio installation / upgrade process has failed. + // Istio installation or upgrade process has failed. Error State = "Error" - // Deleting is reported when the Istio installation / upgrade process is being deleted. + // The Istio custom resource is being deleted. Deleting State = "Deleting" - // Warning is reported when the Istio installation / upgrade process has completed with warnings. + // Istio installation or upgrade process has completed with warnings. // This state warrants user attention, as some features may not work as expected. Warning State = "Warning" @@ -44,7 +46,7 @@ const ( // General - // Reconciliation finished with full success. + // Reconciliation finished successfully. ConditionReasonReconcileSucceeded ConditionReason = "ReconcileSucceeded" ConditionReasonReconcileSucceededMessage = "Reconciliation succeeded" // Reconciliation is in progress or failed previously. 
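Review bot: `State` gains a doc comment here, but the adjacent exported `ConditionType` and `ConditionReason` declarations stay undocumented even though the `ConditionReason` constants below are reworded. Presumably they are the type and reason strings of the conditions in `IstioStatus.Conditions`; if so, a one-liner on each, such as `// ConditionType names a condition reported on the Istio custom resource.` and `// ConditionReason is the machine-readable reason attached to a condition.`, would keep the generated docs consistent — confirm against `ReasonWithMessage` and the status code before wording it, and match whichever comment style the file settles on. The `const` block continues outside this hunk.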
@@ -59,7 +61,7 @@ const ( // Reconciliation did not happen as validation of Istio Custom Resource failed. ConditionReasonValidationFailed ConditionReason = "ValidationFailed" ConditionReasonValidationFailedMessage = "Reconciliation did not happen as Istio Custom Resource failed to validate" - // Reconciliation did not happen as there exists an older Istio Custom Resource. + // Reconciliation did not happen because an older Istio CR exists. ConditionReasonOlderCRExists ConditionReason = "OlderCRExists" ConditionReasonOlderCRExistsMessage = "This Istio custom resource is not the oldest one and does not represent the module state" // Reconciliation did not happen as the oldest Istio Custom Resource could not be found. @@ -68,7 +70,7 @@ const ( // Istio installation / uninstallation - // Istio installtion is not needed. + // Istio installation is not needed. ConditionReasonIstioInstallNotNeeded ConditionReason = "IstioInstallNotNeeded" ConditionReasonIstioInstallNotNeededMessage = "Istio installation is not needed" // Istio installation or uninstallation succeeded. @@ -80,10 +82,10 @@ const ( // Istio installation or uninstallation failed. ConditionReasonIstioInstallUninstallFailed ConditionReason = "IstioInstallUninstallFailed" ConditionReasonIstioInstallUninstallFailedMessage = "Istio install or uninstall failed" - // Istio Custom Resource has invalid configuration. + // The Istio custom resource has invalid configuration. ConditionReasonCustomResourceMisconfigured ConditionReason = "IstioCustomResourceMisconfigured" ConditionReasonCustomResourceMisconfiguredMessage = "Istio custom resource has invalid configuration" - // Istio Custom Resources are blocking Istio uninstallation. + // Istio custom resources are blocking Istio uninstallation. ConditionReasonIstioCRsDangling ConditionReason = "IstioCustomResourcesDangling" ConditionReasonIstioCRsDanglingMessage = "Istio deletion blocked because of existing Istio custom resources" // Istio version update is not allowed. 
@@ -92,10 +94,10 @@ const ( // Istio CRs - // Custom resources reconciliation succeeded. + // Reconciliation of custom resources succeeded. ConditionReasonCRsReconcileSucceeded ConditionReason = "CustomResourcesReconcileSucceeded" ConditionReasonCRsReconcileSucceededMessage = "Custom resources reconciliation succeeded" - // Custom resources reconciliation failed. + // Reconciliation of custom resources failed. ConditionReasonCRsReconcileFailed ConditionReason = "CustomResourcesReconcileFailed" ConditionReasonCRsReconcileFailedMessage = "Custom resources reconciliation failed" @@ -110,7 +112,7 @@ const ( // Proxy sidecar restart partially succeeded. ConditionReasonProxySidecarRestartPartiallySucceeded ConditionReason = "ProxySidecarRestartPartiallySucceeded" ConditionReasonProxySidecarRestartPartiallySucceededMessage = "Proxy sidecar restart partially succeeded" - // Proxy sidecar manual restart is required. + // A manual restart of the proxy sidecar is required for some workloads. ConditionReasonProxySidecarManualRestartRequired ConditionReason = "ProxySidecarManualRestartRequired" ConditionReasonProxySidecarManualRestartRequiredMessage = "Proxy sidecar manual restart is required for some workloads" 
@@ -152,16 +154,16 @@ type ReasonWithMessage struct { // IstioSpec describes the desired specification for installing or updating Istio. type IstioSpec struct { - // Defines configuration of the Istio installation. + // Configures the Istio installation. // +kubebuilder:validation:Optional Config Config `json:"config,omitempty"` - // Defines configuration of Istio components. + // Configures Istio components. // +kubebuilder:validation:Optional Components *Components `json:"components,omitempty"` // Defines experimental configuration options. // +kubebuilder:validation:Optional Experimental *Experimental `json:"experimental,omitempty"` - // Enables compatibility mode for Istio installation. + // Enables the compatibility mode for the Istio installation. // +kubebuilder:validation:Optional CompatibilityMode bool `json:"compatibilityMode,omitempty"` } 
@@ -172,40 +174,39 @@ type IstioSpec struct { //+kubebuilder:printcolumn:JSONPath=".status.state",name="State",type="string" //+kubebuilder:storageversion -// Istio contains Istio CR specification and current status. +// Contains the Istio custom resource's specification and its current status. type Istio struct { metav1.TypeMeta `json:",inline"` metav1.ObjectMeta `json:"metadata,omitempty"` - // Spec defines the desired state of the Istio installation. + // Defines the desired state of the Istio installation. Spec IstioSpec `json:"spec,omitempty"` - // Status represents the current state of the Istio installation. + // Defines the current state of the Istio installation. Status IstioStatus `json:"status,omitempty"` } //+kubebuilder:object:root=true -// IstioList contains a list of Istio's. +// Contains a list of Istios. type IstioList struct { metav1.TypeMeta ` json:",inline"` metav1.ListMeta ` json:"metadata,omitempty"` Items []Istio `json:"items"` } -// IstioStatus defines the observed state of IstioCR. +// Defines the observed state of the Istio custom resource. type IstioStatus struct { - // State signifies the current state of CustomObject. Value - // can be one of ("Ready", "Processing", "Error", "Deleting", "Warning"). + // Signifies the current state of the Istio custom resource. Possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`. // +kubebuilder:validation:Required // +kubebuilder:validation:Enum=Processing;Deleting;Ready;Error;Warning State State `json:"state"` - // Conditions associated with IstioStatus. + // Contains conditions associated with **IstioStatus**. Conditions *[]metav1.Condition `json:"conditions,omitempty"` - // Description of Istio status. + // Describes the Istio status. Description string `json:"description,omitempty"` } //nolint:gochecknoinits // this is a scaffolded file. TODO: remove init function func init() { SchemeBuilder.Register(&Istio{}, &IstioList{}) -} +} \ No newline at end of file 
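Review bot: `Istio.Status` is now documented as `Defines the current state of the Istio installation.`, but status is observed rather than defined, and the `IstioStatus` type comment in the same hunk correctly says `Defines the observed state`; prefer `// Reports the current state of the Istio installation.` so readers do not take the field as user-settable. `IstioList`'s comment `Contains a list of Istios.` reads oddly in generated docs; `// Contains a list of Istio custom resources.` is clearer. The value list in the new `IstioStatus.State` comment matches the `+kubebuilder:validation:Enum=Processing;Deleting;Ready;Error;Warning` marker, which is good — keep the two in sync if a state is ever added.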
diff --git a/api/v1alpha2/telemetry.go b/api/v1alpha2/telemetry.go index 322e5aa2eb..7047070c74 100644 --- a/api/v1alpha2/telemetry.go +++ b/api/v1alpha2/telemetry.go @@ -1,15 +1,17 @@ package v1alpha2 +// Configures Istio telemetry. type Telemetry struct { - // Istio telemetry configuration related to metrics + // Configures Istio telemetry metrics. // +kubebuilder:validation:Optional Metrics Metrics `json:"metrics,omitempty"` } +// Configures Istio telemetry metrics. type Metrics struct { - // Defines whether the prometheusMerge feature is enabled. If yes, appropriate prometheus.io annotations will be added to all data plane pods to set up scraping. - // If these annotations already exist, they will be overwritten. With this option, the Envoy sidecar will merge Istio’s metrics with the application metrics. - // The merged metrics will be scraped from :15020/stats/prometheus. + // Defines whether the **prometheusMerge** feature is enabled. If it is, appropriate prometheus.io annotations are added to all data plane Pods to set up scraping. + // If these annotations already exist, they are overwritten. With this option, the Envoy sidecar merges Istio’s metrics with the application metrics. + // The merged metrics are scraped from `:15020/stats/prometheus`. // +kubebuilder:validation:Optional PrometheusMerge bool `json:"prometheusMerge,omitempty"` -} +} \ No newline at end of file diff --git a/config/crd/bases/operator.kyma-project.io_istios.yaml b/config/crd/bases/operator.kyma-project.io_istios.yaml index 3deb2e22fa..93242a9374 100644 --- a/config/crd/bases/operator.kyma-project.io_istios.yaml +++ b/config/crd/bases/operator.kyma-project.io_istios.yaml @@ -24,7 +24,8 @@ spec: name: v1alpha2 schema: openAPIV3Schema: - description: Istio contains Istio CR specification and current status. + description: Contains the Istio custom resource's specification and its current + status. properties: apiVersion: description: |- 
@@ -44,24 +45,24 @@ spec: metadata: type: object spec: - description: Spec defines the desired state of the Istio installation. + description: Defines the desired state of the Istio installation. properties: compatibilityMode: - description: Enables compatibility mode for Istio installation. + description: Enables the compatibility mode for the Istio installation. type: boolean components: - description: Defines configuration of Istio components. + description: Configures Istio components. properties: cni: - description: Cni defines component configuration for Istio CNI - DaemonSet + description: Configures the Istio CNI DaemonSet component. properties: k8s: - description: CniK8sConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec + description: Configures the Istio CNI DaemonSet component. + It is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). properties: affinity: - description: 'Affinity defines the Pod scheduling affinity - constraints: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity' + description: Defines the Pod scheduling affinity constraints. + See [Affinity and anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). properties: nodeAffinity: description: Describes node affinity scheduling rules 
@@ -989,24 +990,36 @@ spec: type: object type: object resources: - description: 'Resources define Kubernetes resources configuration: - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: Defines Kubernetes resources' configuration. + See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). properties: limits: + description: The maximum amount of resources a container + is allowed to use. properties: cpu: + description: Specifies CPU resource allocation + (requests or limits) pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$ type: string memory: + description: Specifies memory resource allocation + (requests or limits). pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$ type: string type: object requests: + description: The minimum amount of resources ( such + as CPU and memory) a container needs to run. properties: cpu: + description: Specifies CPU resource allocation + (requests or limits) pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$ type: string memory: + description: Specifies memory resource allocation + (requests or limits). pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$ type: string type: object 
@@ -1016,65 +1029,83 @@ spec: - k8s type: object egressGateway: - description: EgressGateway defines configuration for Istio egressGateway. + description: Configures the Istio Egress Gateway component. properties: enabled: - description: Enables or disables the Istio egress gateway. + description: Enables or disables Istio Egress Gateway. type: boolean k8s: - description: Defines the Kubernetes resources configuration - for Istio egress gateway. + description: Defines the Kubernetes resources' configuration + for Istio Egress Gateway. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). properties: hpaSpec: - description: 'HPASpec defines configuration for HorizontalPodAutoscaler: - https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/' + description: Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). properties: maxReplicas: + description: Defines the minimum number of replicas + for the HorizontalPodAutoscaler. format: int32 maximum: 2147483647 minimum: 0 type: integer minReplicas: + description: Defines the maximum number of replicas + for the HorizontalPodAutoscaler. format: int32 maximum: 2147483647 minimum: 0 type: integer type: object resources: - description: 'Resources define Kubernetes resources configuration: - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: Defines Kubernetes resources' configuration. + See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). properties: limits: + description: The maximum amount of resources a container + is allowed to use. 
properties: cpu: + description: Specifies CPU resource allocation + (requests or limits) pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$ type: string memory: + description: Specifies memory resource allocation + (requests or limits). pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$ type: string type: object requests: + description: The minimum amount of resources ( such + as CPU and memory) a container needs to run. properties: cpu: + description: Specifies CPU resource allocation + (requests or limits) pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$ type: string memory: + description: Specifies memory resource allocation + (requests or limits). pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$ type: string type: object type: object strategy: - description: 'Strategy defines configuration for rolling - updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment' + description: Defines the rolling updates strategy. See + [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). properties: rollingUpdate: - description: 'RollingUpdate defines configuration - for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment' + description: Defines the configuration for rolling + updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). properties: maxSurge: anyOf: - type: integer - type: string + description: Specifies the maximum number of Pods + that can be unavailable during the update process. + See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). pattern: ^[0-9]+%?$ x-kubernetes-int-or-string: true x-kubernetes-validations: 
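Review bot: The new `hpaSpec` descriptions in the egressGateway block are swapped: `maxReplicas` reads `Defines the minimum number of replicas for the HorizontalPodAutoscaler.` and `minReplicas` reads `Defines the maximum number of replicas for the HorizontalPodAutoscaler.`; the same inversion affects the rollingUpdate fields, where `maxSurge` is described as the number of Pods `that can be unavailable during the update process` and `maxUnavailable` (next hunk) as the number `that can be created over the desired number of Pods`, the opposite of the linked Kubernetes docs. The identical text recurs in the ingressGateway and pilot sections further down. This file is generated, so the fix belongs in the Go doc comments in api/v1alpha2/istio_structs.go (part of this commit but outside this chunk), followed by regeneration. The `requests` description also carries a stray space in `( such as CPU and memory)`.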
@@ -1086,6 +1117,9 @@ spec: anyOf: - type: integer - type: string + description: Specifies the maximum number of Pods + that can be created over the desired number + of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ x-kubernetes-int-or-string: true x-kubernetes-validations: @@ -1093,6 +1127,9 @@ spec: or an empty string rule: '(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)' + required: + - maxSurge + - maxUnavailable type: object required: - rollingUpdate 
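Review bot: `required: - maxSurge - maxUnavailable` is a validation change rather than a description update: an existing Istio CR whose `rollingUpdate` sets only one of the two fields will be rejected by the API server once this CRD is applied. The same tightening is added for the ingressGateway and pilot rollingUpdate blocks, for `service` under `authorizers`, for the two `enable*GatewayAPI` booleans, and for `pilot` under `components`, which makes a components section without `pilot` invalid. These presumably come from removed `omitempty` or `+kubebuilder:validation:Optional` markers in the Go types, which are outside this chunk; if unintended, restore the markers, and if intended, state the schema-breaking change in the commit message. Note that the regenerated docs table in this same commit still lists `service` as Optional, which contradicts the CRD.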
@@ -1100,62 +1137,80 @@ spec: type: object type: object ingressGateway: - description: IngressGateway defines component configurations for - Istio Ingress Gateway + description: Configures the Istio Ingress Gateway component. properties: k8s: - description: KubernetesResourcesConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec + description: Defines the Kubernetes resources' configuration + for Istio components. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). properties: hpaSpec: - description: 'HPASpec defines configuration for HorizontalPodAutoscaler: - https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/' + description: Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). properties: maxReplicas: + description: Defines the minimum number of replicas + for the HorizontalPodAutoscaler. format: int32 maximum: 2147483647 minimum: 0 type: integer minReplicas: + description: Defines the maximum number of replicas + for the HorizontalPodAutoscaler. format: int32 maximum: 2147483647 minimum: 0 type: integer type: object resources: - description: 'Resources define Kubernetes resources configuration: - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: Defines Kubernetes resources' configuration. + See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). properties: limits: + description: The maximum amount of resources a container + is allowed to use. properties: cpu: + description: Specifies CPU resource allocation + (requests or limits) pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$ type: string memory: + description: Specifies memory resource allocation + (requests or limits). 
pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$ type: string type: object requests: + description: The minimum amount of resources ( such + as CPU and memory) a container needs to run. properties: cpu: + description: Specifies CPU resource allocation + (requests or limits) pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$ type: string memory: + description: Specifies memory resource allocation + (requests or limits). pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$ type: string type: object type: object strategy: - description: 'Strategy defines configuration for rolling - updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment' + description: Defines the rolling updates strategy. See + [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). properties: rollingUpdate: - description: 'RollingUpdate defines configuration - for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment' + description: Defines the configuration for rolling + updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). properties: maxSurge: anyOf: - type: integer - type: string + description: Specifies the maximum number of Pods + that can be unavailable during the update process. + See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). pattern: ^[0-9]+%?$ x-kubernetes-int-or-string: true x-kubernetes-validations: 
@@ -1167,6 +1222,9 @@ spec: anyOf: - type: integer - type: string + description: Specifies the maximum number of Pods + that can be created over the desired number + of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ x-kubernetes-int-or-string: true x-kubernetes-validations: @@ -1174,6 +1232,9 @@ spec: or an empty string rule: '(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)' + required: + - maxSurge + - maxUnavailable type: object required: - rollingUpdate 
@@ -1183,61 +1244,80 @@ spec: - k8s type: object pilot: - description: Pilot defines component configuration for Istiod + description: Configures the Istio Pilot component. properties: k8s: - description: KubernetesResourcesConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec + description: Defines the Kubernetes resources' configuration + for Istio components. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). properties: hpaSpec: - description: 'HPASpec defines configuration for HorizontalPodAutoscaler: - https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/' + description: Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). properties: maxReplicas: + description: Defines the minimum number of replicas + for the HorizontalPodAutoscaler. format: int32 maximum: 2147483647 minimum: 0 type: integer minReplicas: + description: Defines the maximum number of replicas + for the HorizontalPodAutoscaler. format: int32 maximum: 2147483647 minimum: 0 type: integer type: object resources: - description: 'Resources define Kubernetes resources configuration: - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: Defines Kubernetes resources' configuration. + See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). properties: limits: + description: The maximum amount of resources a container + is allowed to use. properties: cpu: + description: Specifies CPU resource allocation + (requests or limits) pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$ type: string memory: + description: Specifies memory resource allocation + (requests or limits). 
pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$ type: string type: object requests: + description: The minimum amount of resources ( such + as CPU and memory) a container needs to run. properties: cpu: + description: Specifies CPU resource allocation + (requests or limits) pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$ type: string memory: + description: Specifies memory resource allocation + (requests or limits). pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$ type: string type: object type: object strategy: - description: 'Strategy defines configuration for rolling - updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment' + description: Defines the rolling updates strategy. See + [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). properties: rollingUpdate: - description: 'RollingUpdate defines configuration - for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment' + description: Defines the configuration for rolling + updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). properties: maxSurge: anyOf: - type: integer - type: string + description: Specifies the maximum number of Pods + that can be unavailable during the update process. + See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). pattern: ^[0-9]+%?$ x-kubernetes-int-or-string: true x-kubernetes-validations: 
@@ -1249,6 +1329,9 @@ spec: anyOf: - type: integer - type: string + description: Specifies the maximum number of Pods + that can be created over the desired number + of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ x-kubernetes-int-or-string: true x-kubernetes-validations: @@ -1256,6 +1339,9 @@ spec: or an empty string rule: '(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)' + required: + - maxSurge + - maxUnavailable type: object required: - rollingUpdate 
@@ -1265,31 +1351,42 @@ spec: - k8s type: object proxy: - description: Proxy defines component configuration for Istio proxy - sidecar + description: Configures the Istio sidecar proxy component. properties: k8s: - description: ProxyK8sConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec + description: '**ProxyK8sConfig** is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).' properties: resources: - description: 'Resources define Kubernetes resources configuration: - https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/' + description: Defines Kubernetes resources' configuration. + See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). properties: limits: + description: The maximum amount of resources a container + is allowed to use. properties: cpu: + description: Specifies CPU resource allocation + (requests or limits) pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$ type: string memory: + description: Specifies memory resource allocation + (requests or limits). pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$ type: string type: object requests: + description: The minimum amount of resources ( such + as CPU and memory) a container needs to run. properties: cpu: + description: Specifies CPU resource allocation + (requests or limits) pattern: ^([0-9]+m?|[0-9]\.[0-9]{1,3})$ type: string memory: + description: Specifies memory resource allocation + (requests or limits). pattern: ^[0-9]+(((\.[0-9]+)?(E|P|T|G|M|k|Ei|Pi|Ti|Gi|Mi|Ki|m)?)|(e[0-9]+))$ type: string type: object 
@@ -1300,98 +1397,97 @@ spec: type: object type: object config: - description: Defines configuration of the Istio installation. + description: Configures the Istio installation. properties: authorizers: description: Defines a list of external authorization providers. items: description: |- - Authorizer defines an external authorization provider configuration. + Defines an external authorization provider's configuration. The defined authorizer can be referenced by name in an AuthorizationPolicy with action CUSTOM to enforce requests to be authorized by the external authorization service. properties: headers: - description: Specifies headers to be included, added or - forwarded during authorization. + description: Specifies the headers included, added, or forwarded + during authorization. properties: inCheck: - description: Defines headers to be included or added + description: Defines the headers to be included or added in check authorization request. properties: add: additionalProperties: type: string description: |- - Set of additional fixed headers that should be included in the authorization request sent to the authorization service. - The Key is the header name and value is the header value. - Note that client request of the same key or headers specified in `Include` will be overridden. + Specifies a set of additional fixed headers that included in the authorization request sent to the authorization service. + The key is the header name and value is the header value. + Client request of the same key or headers specified in `Include` are overridden. type: object include: description: |- - List of client request headers that should be included in the authorization request sent to the authorization service. - Note that in addition to the headers specified here, the following headers are included by default: - 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent. - 2. 
*Content-Length* will be set to 0, and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by include_request_body_in_check setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. + Lists client request headers included in the authorization request sent to the authorization service. + In addition to the headers specified here, the following headers are included by default: + - *Host*, *Method*, *Path*, and *Content-Length* are automatically sent. + - *Content-Length* is set to `0`, and the request does have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. items: type: string type: array type: object toDownstream: - description: Defines headers to be forwarded to the - downstream (the client). + description: Defines the headers to be forwarded to + the downstream (the client). properties: onAllow: description: |- - List of headers from the authorization service that should be forwarded to downstream when the authorization check result is allowed (HTTP code 200). - If not specified, the original response will not be modified and forwarded to downstream as-is. - Note, any existing headers will be overridden. + Lists headers from the authorization service forwarded to downstream when the authorization check result is allowed (HTTP code `200`). + If not specified, the original request is forwarded to the backend unmodified. + Any existing headers are overridden. items: type: string type: array onDeny: description: |- - List of headers from the authorization service that should be forwarded to downstream when the authorization check result is not allowed (HTTP code other than 200). 
- If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to the downstream. - When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added. - Note, the body from the authorization service is always included in the response to downstream. + Lists headers from the authorization service forwarded to downstream when the authorization check result is not allowed (HTTP code is other than `200`). + If not specified, all the authorization response headers, except *Authority (Host)*, are included in the response to the downstream. + When a header is included in this list, the following headers are automatically added: *Path*, *Status*, *Content-Length*, *WWWAuthenticate*, and *Location*. + The body from the authorization service is always included in the response to downstream. items: type: string type: array type: object toUpstream: - description: Defines headers to be forwarded to the - upstream (to the backend service). + description: Defines the headers to be forwarded to + the upstream (to the backend service). properties: onAllow: description: |- - List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200). - If not specified, the original request will not be modified and forwarded to backend as-is. - Note, any existing headers will be overridden. + Lists headers from the authorization service added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code `200`). + If not specified, the original request is forwarded to the backend unmodified. + Any existing headers are overridden. 
items: type: string type: array type: object type: object name: - description: A unique name identifying the extension authorization + description: Specifies a unique name identifying the authorization provider. type: string pathPrefix: description: |- - Specifies the prefix which will be included in the request sent to the authorization service. - The prefix might be constructed with special characters (e.g., "/test?original_path="). + Specifies the prefix which included in the request sent to the authorization service. + The prefix might be constructed with special characters (for example, `/test?original_path=`). type: string port: - description: Specifies the port of the service. + description: Specifies the port of the Service. format: int32 type: integer service: description: |- - Specifies the service that implements the Envoy ext_authz HTTP authorization service. - The format is "[Namespace/]Hostname". - The specification of "Namespace" is required only when it is insufficient to unambiguously resolve a service in the service registry. - The "Hostname" is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry. - The recommended format is "[Namespace/]Hostname". + Specifies the service that implements the Envoy `ext_authz` HTTP authorization service. + The recommended format is `[Namespace/]Hostname`. + Specify the namespace if it is required to unambiguously resolve a service in the service registry. + The host name refers to the fully qualified host name of a service defined by either a Kubernetes Service or a ServiceEntry. type: string timeout: description: Specifies the timeout for the HTTP authorization 
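Review bot: Two of the rewritten authorizer descriptions invert the original meaning: under `inCheck.include`, `the request does have a message body` should read `the request does not have a message body`, and under `toDownstream.onAllow`, `If not specified, the original request is forwarded to the backend unmodified.` is the upstream wording, whereas the previous text correctly stated that the original response is forwarded to the downstream as-is. Two sentences also lost a verb: `Specifies a set of additional fixed headers that included in the authorization request` and `Specifies the prefix which included in the request` need `that are included` / `which is included`. These strings are generated from the comments in api/v1alpha2/authorizers.go, which is part of this commit but mostly outside this chunk; correct them there and regenerate the CRD and docs.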
@@ -1400,12 +1496,13 @@ spec: required: - name - port + - service type: object type: array gatewayExternalTrafficPolicy: description: |- - Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are "Local" or "Cluster". The external traffic policy set to "Local" preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution. - WARNING: Switching `externalTrafficPolicy` may result in a temporal increase in request delay. Make sure that this is acceptable. + Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are `"Local"` or `"Cluster"`. The external traffic policy set to `"Local"` preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution. + WARNING: Switching **externalTrafficPolicy** may result in a temporal increase in request delay. Make sure that this is acceptable. enum: - Local - Cluster 
@@ -1420,13 +1517,13 @@ spec: description: Defines the telemetry configuration of Istio. properties: metrics: - description: Istio telemetry configuration related to metrics + description: Configures Istio telemetry metrics. properties: prometheusMerge: description: |- - Defines whether the prometheusMerge feature is enabled. If yes, appropriate prometheus.io annotations will be added to all data plane pods to set up scraping. - If these annotations already exist, they will be overwritten. With this option, the Envoy sidecar will merge Istio’s metrics with the application metrics. - The merged metrics will be scraped from :15020/stats/prometheus. + Defines whether the **prometheusMerge** feature is enabled. If it is, appropriate prometheus.io annotations are added to all data plane Pods to set up scraping. + If these annotations already exist, they are overwritten. With this option, the Envoy sidecar merges Istio’s metrics with the application metrics. + The merged metrics are scraped from `:15020/stats/prometheus`. type: boolean type: object type: object @@ -1443,14 +1540,19 @@ spec: type: boolean enableMultiNetworkDiscoverGatewayAPI: type: boolean + required: + - enableAlphaGatewayAPI + - enableMultiNetworkDiscoverGatewayAPI type: object + required: + - pilot type: object type: object status: - description: Status represents the current state of the Istio installation. + description: Defines the current state of the Istio installation. properties: conditions: - description: ' Conditions associated with IstioStatus.' + description: Contains conditions associated with **IstioStatus**. items: description: Condition contains details for one aspect of the current state of this API Resource. 
@@ -1507,12 +1609,12 @@ spec: type: object type: array description: - description: Description of Istio status. + description: Describes the Istio status. type: string state: - description: |- - State signifies the current state of CustomObject. Value - can be one of ("Ready", "Processing", "Error", "Deleting", "Warning"). + description: Signifies the current state of the Istio custom resource. + Possible values are `Ready`, `Processing`, `Error`, `Deleting`, + or `Warning`. enum: - Processing - Deleting diff --git a/crd-ref-docs/templates/gv_list.tpl b/crd-ref-docs/templates/gv_list.tpl index e0cef43384..33d2466810 100644 --- a/crd-ref-docs/templates/gv_list.tpl +++ b/crd-ref-docs/templates/gv_list.tpl @@ -35,7 +35,7 @@ The following tables list all the possible parameters of a given resource togeth ### APIVersions {{- range $groupVersions }} -- {{ markdownRenderGVLink . }} +- {{ .GroupVersionString }} {{- end -}} {{ range $groupVersions }} diff --git a/docs/user/04-00-istio-custom-resource.md b/docs/user/04-00-istio-custom-resource.md index a33e4b4cbc..e88f01f53e 100644 --- a/docs/user/04-00-istio-custom-resource.md +++ b/docs/user/04-00-istio-custom-resource.md @@ -31,14 +31,14 @@ spec: The following tables list all the possible parameters of a given resource together with their descriptions. ### APIVersions -- [operator.kyma-project.io/v1alpha2](#operatorkyma-projectiov1alpha2) +- operator.kyma-project.io/v1alpha2 ### Resource Types - [Istio](#istio) ### Authorizer -Authorizer defines an external authorization provider configuration. +Defines an external authorization provider's configuration. The defined authorizer can be referenced by name in an AuthorizationPolicy with action CUSTOM to enforce requests to be authorized by the external authorization service. @@ -47,46 +47,50 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **name**
string | A unique name identifying the extension authorization provider. | Required
| -| **service**
string | Specifies the service that implements the Envoy ext_authz HTTP authorization service.
The format is "[Namespace/]Hostname".
The specification of "Namespace" is required only when it is insufficient to unambiguously resolve a service in the service registry.
The "Hostname" is a fully qualified host name of a service defined by the Kubernetes service or ServiceEntry.
The recommended format is "[Namespace/]Hostname". | Optional | -| **port**
integer | Specifies the port of the service. | Required
| -| **headers**
[Headers](#headers) | Specifies headers to be included, added or forwarded during authorization. | Optional | -| **pathPrefix**
string | Specifies the prefix which will be included in the request sent to the authorization service.
The prefix might be constructed with special characters (e.g., "/test?original_path="). | Optional
| +| **name**
string | Specifies a unique name identifying the authorization provider. | Required
| +| **service**
string | Specifies the service that implements the Envoy `ext_authz` HTTP authorization service.
The recommended format is `[Namespace/]Hostname`.
Specify the namespace if it is required to unambiguously resolve a service in the service registry.
The host name refers to the fully qualified host name of a service defined by either a Kubernetes Service or a ServiceEntry. | Optional | +| **port**
integer | Specifies the port of the Service. | Required
| +| **headers**
[Headers](#headers) | Specifies the headers included, added, or forwarded during authorization. | Optional | +| **pathPrefix**
string | Specifies the prefix which included in the request sent to the authorization service.
The prefix might be constructed with special characters (for example, `/test?original_path=`). | Optional
| | **timeout**
[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#duration-v1-meta) | Specifies the timeout for the HTTP authorization request to the external service. | Optional
| ### CniComponent -CniComponent defines configuration for CNI Istio component. +Configures the Istio CNI DaemonSet component. Appears in: - [Components](#components) | Field | Description | Validation | | --- | --- | --- | -| **k8s**
[CniK8sConfig](#cnik8sconfig) | CniK8sConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec | Required
| +| **k8s**
[CniK8sConfig](#cnik8sconfig) | Configures the Istio CNI DaemonSet component. It is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). | Required
| ### CniK8sConfig +Configures the Istio CNI DaemonSet component. It is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). + Appears in: - [CniComponent](#cnicomponent) | Field | Description | Validation | | --- | --- | --- | -| **affinity**
[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#affinity-v1-core) | Affinity defines the Pod scheduling affinity constraints: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | Optional
| -| **resources**
[Resources](#resources) | Resources define Kubernetes resources configuration: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Optional
| +| **affinity**
[Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#affinity-v1-core) | Defines the Pod scheduling affinity constraints. See [Affinity and anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). | Optional
| +| **resources**
[Resources](#resources) | Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). | Optional
| ### Components +Configures Istio components. + Appears in: - [IstioSpec](#istiospec) | Field | Description | Validation | | --- | --- | --- | -| **pilot**
[IstioComponent](#istiocomponent) | Pilot defines component configuration for Istiod | Optional | -| **ingressGateway**
[IstioComponent](#istiocomponent) | IngressGateway defines component configurations for Istio Ingress Gateway | Optional | -| **cni**
[CniComponent](#cnicomponent) | Cni defines component configuration for Istio CNI DaemonSet | Optional | -| **proxy**
[ProxyComponent](#proxycomponent) | Proxy defines component configuration for Istio proxy sidecar | Optional | -| **egressGateway**
[EgressGateway](#egressgateway) | | Optional
| +| **pilot**
[IstioComponent](#istiocomponent) | Configures the Istio Pilot component. | Optional | +| **ingressGateway**
[IstioComponent](#istiocomponent) | Configures the Istio Ingress Gateway component. | Optional | +| **cni**
[CniComponent](#cnicomponent) | Configures the Istio CNI DaemonSet component. | Optional | +| **proxy**
[ProxyComponent](#proxycomponent) | Configures the Istio sidecar proxy component. | Optional | +| **egressGateway**
[EgressGateway](#egressgateway) | Configures the Istio Egress Gateway component. | Optional
| ### ConditionReason @@ -97,26 +101,26 @@ Appears in: | Field | Description | | --- | --- | -| **ReconcileSucceeded** | Reconciliation finished with full success.
| +| **ReconcileSucceeded** | Reconciliation finished successfully.
| | **ReconcileUnknown** | Reconciliation is in progress or failed previously.
| | **ReconcileRequeued** | Reconciliation is requeued to be tried again later.
| | **ReconcileFailed** | Reconciliation failed.
| | **ValidationFailed** | Reconciliation did not happen as validation of Istio Custom Resource failed.
| -| **OlderCRExists** | Reconciliation did not happen as there exists an older Istio Custom Resource.
| +| **OlderCRExists** | Reconciliation did not happen because an older Istio CR exists.
| | **OldestCRNotFound** | Reconciliation did not happen as the oldest Istio Custom Resource could not be found.
| -| **IstioInstallNotNeeded** | Istio installtion is not needed.
| +| **IstioInstallNotNeeded** | Istio installation is not needed.
| | **IstioInstallSucceeded** | Istio installation or uninstallation succeeded.
| | **IstioUninstallSucceeded** | Istio uninstallation succeeded.
| | **IstioInstallUninstallFailed** | Istio installation or uninstallation failed.
| -| **IstioCustomResourceMisconfigured** | Istio Custom Resource has invalid configuration.
| -| **IstioCustomResourcesDangling** | Istio Custom Resources are blocking Istio uninstallation.
| +| **IstioCustomResourceMisconfigured** | The Istio custom resource has invalid configuration.
| +| **IstioCustomResourcesDangling** | Istio custom resources are blocking Istio uninstallation.
| | **IstioVersionUpdateNotAllowed** | Istio version update is not allowed.
| -| **CustomResourcesReconcileSucceeded** | Custom resources reconciliation succeeded.
| -| **CustomResourcesReconcileFailed** | Custom resources reconciliation failed.
| +| **CustomResourcesReconcileSucceeded** | Reconciliation of custom resources succeeded.
| +| **CustomResourcesReconcileFailed** | Reconciliation of custom resources failed.
| | **ProxySidecarRestartSucceeded** | Proxy sidecar restart succeeded.
| | **ProxySidecarRestartFailed** | Proxy sidecar restart failed.
| | **ProxySidecarRestartPartiallySucceeded** | Proxy sidecar restart partially succeeded.
| -| **ProxySidecarManualRestartRequired** | Proxy sidecar manual restart is required.
| +| **ProxySidecarManualRestartRequired** | A manual restart of the proxy sidecar is required for some workloads.
| | **IngressGatewayRestartSucceeded** | Istio ingress gateway restart succeeded.
| | **IngressGatewayRestartFailed** | Istio ingress gateway restart failed.
| | **EgressGatewayRestartSucceeded** | Istio egress gateway restart succeeded.
| @@ -128,7 +132,7 @@ Appears in: ### Config -Config is the configuration for the Istio installation. +Configures the Istio installation. Appears in: - [IstioSpec](#istiospec) @@ -137,20 +141,20 @@ Appears in: | --- | --- | --- | | **numTrustedProxies**
integer | Defines the number of trusted proxies deployed in front of the Istio gateway proxy. | Maximum: 4.294967295e+09
Minimum: 0
| | **authorizers**
[Authorizer](#authorizer) array | Defines a list of external authorization providers. | Optional | -| **gatewayExternalTrafficPolicy**
string | Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are "Local" or "Cluster". The external traffic policy set to "Local" preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution.
WARNING: Switching `externalTrafficPolicy` may result in a temporal increase in request delay. Make sure that this is acceptable. | Enum: [Local Cluster]
Optional
| +| **gatewayExternalTrafficPolicy**
string | Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are `"Local"` or `"Cluster"`. The external traffic policy set to `"Local"` preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution.
WARNING: Switching **externalTrafficPolicy** may result in a temporal increase in request delay. Make sure that this is acceptable. | Enum: [Local Cluster]
Optional
| | **telemetry**
[Telemetry](#telemetry) | Defines the telemetry configuration of Istio. | Optional
| ### EgressGateway -EgressGateway defines configuration for Istio egressGateway. +Configures the Istio Egress Gateway component. Appears in: - [Components](#components) | Field | Description | Validation | | --- | --- | --- | -| **k8s**
[KubernetesResourcesConfig](#kubernetesresourcesconfig) | Defines the Kubernetes resources configuration for Istio egress gateway. | Optional
| -| **enabled**
boolean | Enables or disables the Istio egress gateway. | Optional
| +| **k8s**
[KubernetesResourcesConfig](#kubernetesresourcesconfig) | Defines the Kubernetes resources' configuration for Istio Egress Gateway. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). | Optional
| +| **enabled**
boolean | Enables or disables Istio Egress Gateway. | Optional
| ### Experimental @@ -164,59 +168,67 @@ Appears in: ### HPASpec -HPASpec defines configuration for HorizontalPodAutoscaler. +Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). Appears in: - [KubernetesResourcesConfig](#kubernetesresourcesconfig) | Field | Description | Validation | | --- | --- | --- | -| **maxReplicas**
integer | | Maximum: 2.147483647e+09
Minimum: 0
| -| **minReplicas**
integer | | Maximum: 2.147483647e+09
Minimum: 0
| +| **maxReplicas**
integer | Defines the minimum number of replicas for the HorizontalPodAutoscaler. | Maximum: 2.147483647e+09
Minimum: 0
| +| **minReplicas**
integer | Defines the maximum number of replicas for the HorizontalPodAutoscaler. | Maximum: 2.147483647e+09
Minimum: 0
| ### Headers +Specifies headers included, added, or forwarded during authorization. +Exact, prefix, and suffix matches are supported, similar to the syntax used in AuthorizationPolicy rules (excluding the presence match): +- Exact match: `abc` matches the value `abc`. +- Prefix match: `abc*` matches the values `abc` and `abcd`. +- Suffix match: `*abc` matches the values `abc` and `xabc`. + Appears in: - [Authorizer](#authorizer) | Field | Description | Validation | | --- | --- | --- | -| **inCheck**
[InCheck](#incheck) | Defines headers to be included or added in check authorization request. | Optional | -| **toUpstream**
[ToUpstream](#toupstream) | Defines headers to be forwarded to the upstream (to the backend service). | Optional | -| **toDownstream**
[ToDownstream](#todownstream) | Defines headers to be forwarded to the downstream (the client). | Optional | +| **inCheck**
[InCheck](#incheck) | Defines the headers to be included or added in check authorization request. | Optional | +| **toUpstream**
[ToUpstream](#toupstream) | Defines the headers to be forwarded to the upstream (to the backend service). | Optional | +| **toDownstream**
[ToDownstream](#todownstream) | Defines the headers to be forwarded to the downstream (the client). | Optional | ### InCheck +Defines the headers to be included or added in check authorization request. + Appears in: - [Headers](#headers) | Field | Description | Validation | | --- | --- | --- | -| **include**
string array | List of client request headers that should be included in the authorization request sent to the authorization service.
Note that in addition to the headers specified here, the following headers are included by default:
1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent.
2. *Content-Length* will be set to 0, and the request will not have a message body. However, the authorization request can include the buffered client request body (controlled by include_request_body_in_check setting), consequently the value of Content-Length of the authorization request reflects the size of its payload size. | Optional | -| **add**
object (keys:string, values:string) | Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
The Key is the header name and value is the header value.
Note that client request of the same key or headers specified in `Include` will be overridden. | Optional | +| **include**
string array | Lists client request headers included in the authorization request sent to the authorization service.
In addition to the headers specified here, the following headers are included by default:
- *Host*, *Method*, *Path*, and *Content-Length* are automatically sent.
- *Content-Length* is set to `0`, and the request does have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. | Optional | +| **add**
object (keys:string, values:string) | Specifies a set of additional fixed headers that included in the authorization request sent to the authorization service.
The key is the header name and value is the header value.
Client request of the same key or headers specified in `Include` are overridden. | Optional | ### Istio -Istio contains Istio CR specification and current status. +Contains the Istio custom resource's specification and its current status. | Field | Description | Validation | | --- | --- | --- | | **apiVersion**
string | `operator.kyma-project.io/v1alpha2` | Optional | | **kind**
string | `Istio` | Optional | | **metadata**
[ObjectMeta](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#objectmeta-v1-meta) | For more information on the metadata fields, see Kubernetes API documentation. | Optional | -| **spec**
[IstioSpec](#istiospec) | Spec defines the desired state of the Istio installation. | Optional | -| **status**
[IstioStatus](#istiostatus) | Status represents the current state of the Istio installation. | Optional | +| **spec**
[IstioSpec](#istiospec) | Defines the desired state of the Istio installation. | Optional | +| **status**
[IstioStatus](#istiostatus) | Defines the current state of the Istio installation. | Optional | ### IstioComponent -IstioComponent defines configuration for generic Istio component (ingress gateway, istiod). +Defines the configuration for the generic Istio components, that is, Istio Ingress gateway and istiod. Appears in: - [Components](#components) | Field | Description | Validation | | --- | --- | --- | -| **k8s**
[KubernetesResourcesConfig](#kubernetesresourcesconfig) | | Required
| +| **k8s**
[KubernetesResourcesConfig](#kubernetesresourcesconfig) | Defines the Kubernetes resources' configuration for Istio components. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). | Required
| ### IstioSpec @@ -227,27 +239,27 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **config**
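Review bot: The rewritten descriptions of `maxReplicas` and `minReplicas` in the HPASpec table are swapped: `maxReplicas` now reads "Defines the minimum number of replicas" and `minReplicas` "Defines the maximum number of replicas", which is the opposite of what the field names and the linked HorizontalPodAutoscaler docs say. This file appears to be generated from the Go doc comments (the `HPASpec` struct in istio_structs.go is not in this diff), so the wording should be corrected there and the reference regenerated rather than patched here. Suggested text: `maxReplicas` → `Defines the maximum number of replicas for the HorizontalPodAutoscaler.` and `minReplicas` → `Defines the minimum number of replicas for the HorizontalPodAutoscaler.`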
[Config](#config) | Defines configuration of the Istio installation. | Optional
| -| **components**
[Components](#components) | Defines configuration of Istio components. | Optional
| +| **config**
[Config](#config) | Configures the Istio installation. | Optional
| +| **components**
[Components](#components) | Configures Istio components. | Optional
| | **experimental**
[Experimental](#experimental) | Defines experimental configuration options. | Optional
| -| **compatibilityMode**
boolean | Enables compatibility mode for Istio installation. | Optional
| +| **compatibilityMode**
boolean | Enables the compatibility mode for the Istio installation. | Optional
| ### IstioStatus -IstioStatus defines the observed state of IstioCR. +Defines the observed state of the Istio custom resource. Appears in: - [Istio](#istio) | Field | Description | Validation | | --- | --- | --- | -| **state**
[State](#state) | State signifies the current state of CustomObject. Value
can be one of ("Ready", "Processing", "Error", "Deleting", "Warning"). | Enum: [Processing Deleting Ready Error Warning]
Required
| -| **conditions**
[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#condition-v1-meta) | Conditions associated with IstioStatus. | Optional | -| **description**
string | Description of Istio status. | Optional | +| **state**
[State](#state) | Signifies the current state of the Istio custom resource. Possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`. | Enum: [Processing Deleting Ready Error Warning]
Required
| +| **conditions**
[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#condition-v1-meta) | Contains conditions associated with **IstioStatus**. | Optional | +| **description**
string | Describes the Istio status. | Optional | ### KubernetesResourcesConfig -KubernetesResourcesConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec +Defines Kubernetes-level configuration options for Istio components. It's a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). Appears in: - [EgressGateway](#egressgateway) @@ -255,18 +267,20 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **hpaSpec**
[HPASpec](#hpaspec) | HPASpec defines configuration for HorizontalPodAutoscaler: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/ | Optional
| -| **strategy**
[Strategy](#strategy) | Strategy defines configuration for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment | Optional
| -| **resources**
[Resources](#resources) | Resources define Kubernetes resources configuration: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ | Optional
| +| **hpaSpec**
[HPASpec](#hpaspec) | Configures the [HorizontalPodAutoscaler](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/). | Optional
| +| **strategy**
[Strategy](#strategy) | Defines the rolling updates strategy. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). | Optional
| +| **resources**
[Resources](#resources) | Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). | Optional
| ### Metrics +Configures Istio telemetry metrics. + Appears in: - [Telemetry](#telemetry) | Field | Description | Validation | | --- | --- | --- | -| **prometheusMerge**
boolean | Defines whether the prometheusMerge feature is enabled. If yes, appropriate prometheus.io annotations will be added to all data plane pods to set up scraping.
If these annotations already exist, they will be overwritten. With this option, the Envoy sidecar will merge Istio’s metrics with the application metrics.
The merged metrics will be scraped from :15020/stats/prometheus. | Optional
| +| **prometheusMerge**
boolean | Defines whether the **prometheusMerge** feature is enabled. If it is, appropriate prometheus.io annotations are added to all data plane Pods to set up scraping.
If these annotations already exist, they are overwritten. With this option, the Envoy sidecar merges Istio’s metrics with the application metrics.
The merged metrics are scraped from `:15020/stats/prometheus`. | Optional
| ### PilotFeatures @@ -280,40 +294,42 @@ Appears in: ### ProxyComponent -ProxyComponent defines configuration for Istio proxies. +Configures the Istio sidecar proxy component. Appears in: - [Components](#components) | Field | Description | Validation | | --- | --- | --- | -| **k8s**
[ProxyK8sConfig](#proxyk8sconfig) | | Required
| +| **k8s**
[ProxyK8sConfig](#proxyk8sconfig) | **ProxyK8sConfig** is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). | Required
| ### ProxyK8sConfig -ProxyK8sConfig is a subset of https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec +**ProxyK8sConfig** is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). Appears in: - [ProxyComponent](#proxycomponent) | Field | Description | Validation | | --- | --- | --- | -| **resources**
[Resources](#resources) | | Optional | +| **resources**
[Resources](#resources) | Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). | Optional | ### ResourceClaims +Defines CPU and memory resource requirements for Kubernetes containers and Pods. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). + Appears in: - [Resources](#resources) | Field | Description | Validation | | --- | --- | --- | -| **cpu**
string | | Pattern: `^([0-9]+m?\|[0-9]\.[0-9]\{1,3\})$`
| -| **memory**
string | | Pattern: `^[0-9]+(((\.[0-9]+)?(E\|P\|T\|G\|M\|k\|Ei\|Pi\|Ti\|Gi\|Mi\|Ki\|m)?)\|(e[0-9]+))$`
| +| **cpu**
string | Specifies CPU resource allocation (requests or limits) | Pattern: `^([0-9]+m?\|[0-9]\.[0-9]\{1,3\})$`
| +| **memory**
string | Specifies memory resource allocation (requests or limits). | Pattern: `^[0-9]+(((\.[0-9]+)?(E\|P\|T\|G\|M\|k\|Ei\|Pi\|Ti\|Gi\|Mi\|Ki\|m)?)\|(e[0-9]+))$`
| ### Resources -Resources define Kubernetes resources configuration: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). Appears in: - [CniK8sConfig](#cnik8sconfig) @@ -322,23 +338,26 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **limits**
[ResourceClaims](#resourceclaims) | | Optional | -| **requests**
[ResourceClaims](#resourceclaims) | | Optional | +| **limits**
[ResourceClaims](#resourceclaims) | The maximum amount of resources a container is allowed to use. | Optional | +| **requests**
[ResourceClaims](#resourceclaims) | The minimum amount of resources ( such as CPU and memory) a container needs to run. | Optional | ### RollingUpdate -RollingUpdate defines configuration for rolling updates: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment +Defines the configuration for rolling updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). Appears in: - [Strategy](#strategy) | Field | Description | Validation | | --- | --- | --- | -| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | | Pattern: `^[0-9]+%?$`
XIntOrString: \{\}
| -| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | | Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString: \{\}
| +| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). | Pattern: `^[0-9]+%?$`
XIntOrString: \{\}
| +| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) | Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString: \{\}
| ### State +Signifies the current state of the Istio custom resource. +The possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`. + Underlying type: string Appears in: @@ -346,48 +365,54 @@ Appears in: | Field | Description | | --- | --- | -| **Ready** | Ready is reported when the Istio installation / upgrade process has completed successfully.
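Review bot: The new RollingUpdate descriptions are attached to the wrong fields: `maxSurge` is described as "the maximum number of Pods that can be unavailable during the update process" and `maxUnavailable` as "the maximum number of Pods that can be created over the desired number of Pods". The validation column already contradicts this — only `maxUnavailable` is capped at `100%` — and the linked anchors (`#max-surge`, `#max-unavailable`) are on the right rows, so just the sentences need to trade places. Suggested: `maxSurge` → `Specifies the maximum number of Pods that can be created over the desired number of Pods.` and `maxUnavailable` → `Specifies the maximum number of Pods that can be unavailable during the update process.`; the source is presumably the `RollingUpdate` comments in istio_structs.go, which are outside this diff.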
| -| **Processing** | Processing is reported when the Istio installation / upgrade process is in progress.
| -| **Error** | Error is reported when the Istio installation / upgrade process has failed.
| -| **Deleting** | Deleting is reported when the Istio installation / upgrade process is being deleted.
| -| **Warning** | Warning is reported when the Istio installation / upgrade process has completed with warnings.
This state warrants user attention, as some features may not work as expected.
| +| **Ready** | Istio installation or upgrade process has completed successfully.
| +| **Processing** | Istio installation or upgrade process is in progress.
| +| **Error** | Istio installation or upgrade process has failed.
| +| **Deleting** | The Istio custom resource is being deleted.
| +| **Warning** | Istio installation or upgrade process has completed with warnings.
This state warrants user attention, as some features may not work as expected.
| ### Strategy -Strategy defines rolling update strategy. +Defines the rolling updates strategy. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). Appears in: - [KubernetesResourcesConfig](#kubernetesresourcesconfig) | Field | Description | Validation | | --- | --- | --- | -| **rollingUpdate**
[RollingUpdate](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#rollingupdatedeployment-v1-apps) | | Required
| +| **rollingUpdate**
[RollingUpdate](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#rollingupdatedeployment-v1-apps) | Defines the configuration for rolling updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). | Required
| ### Telemetry +Configures Istio telemetry. + Appears in: - [Config](#config) | Field | Description | Validation | | --- | --- | --- | -| **metrics**
[Metrics](#metrics) | Istio telemetry configuration related to metrics | Optional
| +| **metrics**
[Metrics](#metrics) | Configures Istio telemetry metrics. | Optional
| ### ToDownstream +Defines the headers to be forwarded to the downstream (the client). + Appears in: - [Headers](#headers) | Field | Description | Validation | | --- | --- | --- | -| **onAllow**
string array | List of headers from the authorization service that should be forwarded to downstream when the authorization check result is allowed (HTTP code 200).
If not specified, the original response will not be modified and forwarded to downstream as-is.
Note, any existing headers will be overridden. | Optional | -| **onDeny**
string array | List of headers from the authorization service that should be forwarded to downstream when the authorization check result is not allowed (HTTP code other than 200).
If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to the downstream.
When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added.
Note, the body from the authorization service is always included in the response to downstream. | Optional | +| **onAllow**
string array | Lists headers from the authorization service forwarded to downstream when the authorization check result is allowed (HTTP code `200`).
If not specified, the original request is forwarded to the backend unmodified.
Any existing headers are overridden. | Optional | +| **onDeny**
string array | Lists headers from the authorization service forwarded to downstream when the authorization check result is not allowed (HTTP code is other than `200`).
If not specified, all the authorization response headers, except *Authority (Host)*, are included in the response to the downstream.
When a header is included in this list, the following headers are automatically added: *Path*, *Status*, *Content-Length*, *WWWAuthenticate*, and *Location*.
The body from the authorization service is always included in the response to downstream. | Optional | ### ToUpstream +Defines the headers to be forwarded to the upstream (to the backend service). + Appears in: - [Headers](#headers) | Field | Description | Validation | | --- | --- | --- | -| **onAllow**
string array | List of headers from the authorization service that should be added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
If not specified, the original request will not be modified and forwarded to backend as-is.
Note, any existing headers will be overridden. | Optional | +| **onAllow**
string array | Lists headers from the authorization service added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code `200`).
If not specified, the original request is forwarded to the backend unmodified.
Any existing headers are overridden. | Optional | From f67742a6d87a0fe349d73dda8a7d66a26a35e95c Mon Sep 17 00:00:00 2001 From: Natalia Sitko <80401180+nataliasitko@users.noreply.github.com> Date: Mon, 1 Dec 2025 13:33:42 +0100 Subject: [PATCH 02/19] Apply suggestions from code review Co-authored-by: Iwona Langer --- api/v1alpha2/authorizers.go | 6 +++--- api/v1alpha2/istio_structs.go | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/api/v1alpha2/authorizers.go b/api/v1alpha2/authorizers.go index 30edb4d338..163b047cfc 100644 --- a/api/v1alpha2/authorizers.go +++ b/api/v1alpha2/authorizers.go @@ -25,7 +25,7 @@ type Authorizer struct { // Specifies the headers included, added, or forwarded during authorization. Headers *Headers `json:"headers,omitempty"` - // Specifies the prefix which included in the request sent to the authorization service. + // Specifies the prefix included in the request sent to the authorization service. // The prefix might be constructed with special characters (for example, `/test?original_path=`). // +kubebuilder:validation:Optional PathPrefix *string `json:"pathPrefix,omitempty"` 
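Review bot: In the ToDownstream table, the new `onAllow` text "If not specified, the original request is forwarded to the backend unmodified" was copied from ToUpstream and is wrong for this field; the removed line correctly said the original *response* is forwarded to the *client* unmodified. This matters for operators reasoning about which `ext_authz` response headers can reach the caller on an allowed request, since this list is what lets the authorizer overwrite headers in the downstream response. Suggested replacement for that sentence: `If not specified, the original response is forwarded to the client unmodified.`; the same wording lives in the `ToDownstream` comment in authorizers.go, which is not part of this hunk.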
@@ -56,10 +56,10 @@ type InCheck struct { // Lists client request headers included in the authorization request sent to the authorization service. // In addition to the headers specified here, the following headers are included by default: // - *Host*, *Method*, *Path*, and *Content-Length* are automatically sent. - // - *Content-Length* is set to `0`, and the request does have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. + // - *Content-Length* is set to `0`, and the request doesn't have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. Include []string `json:"include,omitempty"` - // Specifies a set of additional fixed headers that included in the authorization request sent to the authorization service. + // Specifies a set of additional fixed headers included in the authorization request sent to the authorization service. // The key is the header name and value is the header value. // Client request of the same key or headers specified in `Include` are overridden. Add map[string]string `json:"add,omitempty"` diff --git a/api/v1alpha2/istio_structs.go b/api/v1alpha2/istio_structs.go index c8ad9b1db7..7fd7962130 100644 --- a/api/v1alpha2/istio_structs.go +++ b/api/v1alpha2/istio_structs.go 
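Review bot: The comment on `Add` still reads `Client request of the same key or headers specified in `Include` are overridden.`, which drops its subject and leaves unclear what overrides what; this is the security-relevant part of the field, because `add` is what guarantees a client-supplied header of the same name never reaches the authorization service, and it also refers to the Go field `Include` where users see the JSON key `include`. Suggested replacement: `// Fixed headers take precedence: a client request header with the same key, including one listed in include, is replaced by the value given here.` The `InCheck` struct starts outside this hunk.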
@@ -130,7 +130,7 @@ type RollingUpdate struct { type Resources struct { // The maximum amount of resources a container is allowed to use. Limits *ResourceClaims `json:"limits,omitempty"` - // The minimum amount of resources ( such as CPU and memory) a container needs to run. + // The minimum amount of resources (such as CPU and memory) a container needs to run. Requests *ResourceClaims `json:"requests,omitempty"` } From b4ec97e46bd5b53462faeda4efa928775863cad3 Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Mon, 1 Dec 2025 13:51:20 +0100 Subject: [PATCH 03/19] apply review suggestions --- api/v1alpha2/istio_structs.go | 2 +- api/v1alpha2/istio_types.go | 11 +++++++---- docs/user/plug-in-ca-cert.md | 32 ++++++++++++++++++++++++++++++++ 3 files changed, 40 insertions(+), 5 deletions(-) create mode 100644 docs/user/plug-in-ca-cert.md diff --git a/api/v1alpha2/istio_structs.go b/api/v1alpha2/istio_structs.go index 7fd7962130..63fb3d0f18 100644 --- a/api/v1alpha2/istio_structs.go +++ b/api/v1alpha2/istio_structs.go @@ -29,7 +29,7 @@ type Config struct { // Configures Istio components. type Components struct { - // Configures the Istio Pilot component. + // Configures the Istiod component. Pilot *IstioComponent `json:"pilot,omitempty"` // Configures the Istio Ingress Gateway component. IngressGateway *IstioComponent `json:"ingressGateway,omitempty"` diff --git a/api/v1alpha2/istio_types.go b/api/v1alpha2/istio_types.go index a57c4e7f06..254d184bc5 100644 --- a/api/v1alpha2/istio_types.go +++ b/api/v1alpha2/istio_types.go @@ -20,7 +20,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) -// Signifies the current state of the Istio custom resource. +// Signifies the current state of the Istio custom resource. // The possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`. type State string type ConditionType string 
@@ -147,9 +147,12 @@ const ( ConditionReasonIngressTargetingUserResourceDetectionFailedMessage = "Resource targeting Istio Ingress Gateway detection failed" ) +// Couples a condition's reason with its message. type ReasonWithMessage struct { - Reason ConditionReason - Message string + // Contains the reason for setting up a condition. + Reason ConditionReason `json:"reason"` + // Describes the reason. + Message string `json:"message"` } // IstioSpec describes the desired specification for installing or updating Istio. @@ -209,4 +212,4 @@ type IstioStatus struct { //nolint:gochecknoinits // this is a scaffolded file. TODO: remove init function func init() { SchemeBuilder.Register(&Istio{}, &IstioList{}) -} \ No newline at end of file +} diff --git a/docs/user/plug-in-ca-cert.md b/docs/user/plug-in-ca-cert.md new file mode 100644 index 0000000000..5c5b62a07b --- /dev/null +++ b/docs/user/plug-in-ca-cert.md 
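Review bot: The new doc comments on `ReasonWithMessage` are circular — `Contains the reason for setting up a condition.` and `Describes the reason.` don't say what either field holds. Suggested: `// Reason is the ConditionReason recorded on a status condition.` and `// Message is the human-readable text reported alongside Reason.` Adding `json` tags also makes the type look like part of the serialized API; if it is only used internally to build conditions from the `ConditionReason*Message` constants above (as the names suggest, but this hunk does not show), a one-line comment saying so would spare the next reader from checking the CRD schema.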
@@ -0,0 +1,32 @@ +# Configure Istio CA with Custom Certificates +For enhanced security, replace Istio's default self-signed certificates with administrator-provided certificates. + + +## Context + +By default, Istio generates its own self-signed root certificate and uses it to sign workload certificates. However, for production environments, you should use a proper Certificate Authority hierarchy for better security. + +- Root CA: Runs offline on a secure machine +- Intermediate CAs: Issued by the Root CA to each Istio cluster +- Workload Certificates: Signed by the cluster's intermediate CA + +For more information, see [Plug in CA Certificates](https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/). + +## Prerequisites + + +## Procedure + +1. Obtain the root certificate and key //how //maybe it's a prereq + +2. For each cluster, obtain an intermediate certificate and key for the Istio CA //how //maybe it's a prere + +3. In each cluster, create a secret cacerts including all the input files `ca-cert.pem`, `ca-key.pem`, `root-cert.pem` and `cert-chain.pem`. For example, for cluster1: + + ```bash + kubectl create secret generic cacerts -n istio-system \ + --from-file=cluster1/ca-cert.pem \ + --from-file=cluster1/ca-key.pem \ + --from-file=cluster1/root-cert.pem \ + --from-file=cluster1/cert-chain.pem + ``` \ No newline at end of file From 4b444918ed2df0e624cb50b32cf4a0f25edf691f Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Mon, 1 Dec 2025 13:54:00 +0100 Subject: [PATCH 04/19] remove draft file --- docs/user/plug-in-ca-cert.md | 32 -------------------------------- 1 file changed, 32 deletions(-) delete mode 100644 docs/user/plug-in-ca-cert.md diff --git a/docs/user/plug-in-ca-cert.md b/docs/user/plug-in-ca-cert.md deleted file mode 100644 index 5c5b62a07b..0000000000 --- a/docs/user/plug-in-ca-cert.md +++ /dev/null 
@@ -1,32 +0,0 @@
-# Configure Istio CA with Custom Certificates
-For enhanced security, replace Istio's default self-signed certificates with administrator-provided certificates.
-
-
-## Context
-
-By default, Istio generates its own self-signed root certificate and uses it to sign workload certificates. However, for production environments, you should use a proper Certificate Authority hierarchy for better security.
-
-- Root CA: Runs offline on a secure machine
-- Intermediate CAs: Issued by the Root CA to each Istio cluster
-- Workload Certificates: Signed by the cluster's intermediate CA
-
-For more information, see [Plug in CA Certificates](https://istio.io/latest/docs/tasks/security/cert-management/plugin-ca-cert/).
-
-## Prerequisites
-
-
-## Procedure
-
-1. Obtain the root certificate and key //how //maybe it's a prereq
-
-2. For each cluster, obtain an intermediate certificate and key for the Istio CA //how //maybe it's a prere
-
-3. In each cluster, create a secret cacerts including all the input files `ca-cert.pem`, `ca-key.pem`, `root-cert.pem` and `cert-chain.pem`. For example, for cluster1:
-
- ```bash
- kubectl create secret generic cacerts -n istio-system \
- --from-file=cluster1/ca-cert.pem \
- --from-file=cluster1/ca-key.pem \
- --from-file=cluster1/root-cert.pem \
- --from-file=cluster1/cert-chain.pem
- ```
\ No newline at end of file
From 1268b806b762ad636ac5b4bf6eac938080a47b24 Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Tue, 2 Dec 2025 08:25:27 +0100 Subject: [PATCH 05/19] remove link to not displayed field --- crd-ref-docs/config.yaml | 3 +++ docs/user/04-00-istio-custom-resource.md | 12 ++++++------ 2 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/crd-ref-docs/config.yaml b/crd-ref-docs/config.yaml
index d51a383941..a5d34cf3c2
--- a/crd-ref-docs/config.yaml
+++ b/crd-ref-docs/config.yaml
@@ -10,3 +10,6 @@ render: - name: RollingUpdate package: "github.com/kyma-project/istio/operator/api/v1alpha2" link: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#rollingupdatedeployment-v1-apps + - name: ReasonWithMessage + package: "github.com/kyma-project/istio/operator/api/v1alpha2" + link: \ No newline at end of file diff --git a/docs/user/04-00-istio-custom-resource.md b/docs/user/04-00-istio-custom-resource.md index e88f01f53e..28778aac56 100644 --- a/docs/user/04-00-istio-custom-resource.md +++ b/docs/user/04-00-istio-custom-resource.md @@ -51,7 +51,7 @@ Appears in: | **service**
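Review bot: `link:` with nothing after it is a YAML null, so this entry depends on crd-ref-docs rendering a known type with an empty link as a bare name (the docs hunk below shows exactly that: `- ReasonWithMessage` with no link), which is an undocumented rendering detail to build on. crd-ref-docs has `processor.ignoreTypes` (a list of regexes) for leaving a type out of the generated reference altogether; that is the direct way to hide an internal type and should also make the `sed` post-processing added to the Makefile later in this series unnecessary. The hunk also leaves the file without a trailing newline.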
string | Specifies the service that implements the Envoy `ext_authz` HTTP authorization service.
The recommended format is `[Namespace/]Hostname`.
Specify the namespace if it is required to unambiguously resolve a service in the service registry.
The host name refers to the fully qualified host name of a service defined by either a Kubernetes Service or a ServiceEntry. | Optional | | **port**
integer | Specifies the port of the Service. | Required
| | **headers**
[Headers](#headers) | Specifies the headers included, added, or forwarded during authorization. | Optional | -| **pathPrefix**
string | Specifies the prefix which included in the request sent to the authorization service.
The prefix might be constructed with special characters (for example, `/test?original_path=`). | Optional
| +| **pathPrefix**
string | Specifies the prefix included in the request sent to the authorization service.
The prefix might be constructed with special characters (for example, `/test?original_path=`). | Optional
| | **timeout**
[Duration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#duration-v1-meta) | Specifies the timeout for the HTTP authorization request to the external service. | Optional
| ### CniComponent @@ -86,7 +86,7 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **pilot**
[IstioComponent](#istiocomponent) | Configures the Istio Pilot component. | Optional | +| **pilot**
[IstioComponent](#istiocomponent) | Configures the Istiod component. | Optional | | **ingressGateway**
[IstioComponent](#istiocomponent) | Configures the Istio Ingress Gateway component. | Optional | | **cni**
[CniComponent](#cnicomponent) | Configures the Istio CNI DaemonSet component. | Optional | | **proxy**
[ProxyComponent](#proxycomponent) | Configures the Istio sidecar proxy component. | Optional | @@ -97,7 +97,7 @@ Appears in: Underlying type: string Appears in: -- [ReasonWithMessage](#reasonwithmessage) +- ReasonWithMessage | Field | Description | | --- | --- | @@ -204,8 +204,8 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **include**
string array | Lists client request headers included in the authorization request sent to the authorization service.
In addition to the headers specified here, the following headers are included by default:
- *Host*, *Method*, *Path*, and *Content-Length* are automatically sent.
- *Content-Length* is set to `0`, and the request does have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. | Optional | -| **add**
object (keys:string, values:string) | Specifies a set of additional fixed headers that included in the authorization request sent to the authorization service.
The key is the header name and value is the header value.
Client request of the same key or headers specified in `Include` are overridden. | Optional | +| **include**
string array | Lists client request headers included in the authorization request sent to the authorization service.
In addition to the headers specified here, the following headers are included by default:
- *Host*, *Method*, *Path*, and *Content-Length* are automatically sent.
- *Content-Length* is set to `0`, and the request doesn't have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. | Optional | +| **add**
object (keys:string, values:string) | Specifies a set of additional fixed headers included in the authorization request sent to the authorization service.
The key is the header name and value is the header value.
Client request of the same key or headers specified in `Include` are overridden. | Optional | ### Istio @@ -339,7 +339,7 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | | **limits**
[ResourceClaims](#resourceclaims) | The maximum amount of resources a container is allowed to use. | Optional | -| **requests**
[ResourceClaims](#resourceclaims) | The minimum amount of resources ( such as CPU and memory) a container needs to run. | Optional | +| **requests**
[ResourceClaims](#resourceclaims) | The minimum amount of resources (such as CPU and memory) a container needs to run. | Optional | ### RollingUpdate From b23ae22b9cf3457db0c9d7526633da236ab3b1de Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Tue, 2 Dec 2025 09:02:49 +0100 Subject: [PATCH 06/19] fix types file --- .../bases/operator.kyma-project.io_istios.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/config/crd/bases/operator.kyma-project.io_istios.yaml b/config/crd/bases/operator.kyma-project.io_istios.yaml index 93242a9374..6ac441b928 100644 --- a/config/crd/bases/operator.kyma-project.io_istios.yaml +++ b/config/crd/bases/operator.kyma-project.io_istios.yaml @@ -1009,7 +1009,7 @@ spec: type: string type: object requests: - description: The minimum amount of resources ( such + description: The minimum amount of resources (such as CPU and memory) a container needs to run. properties: cpu: @@ -1076,7 +1076,7 @@ spec: type: string type: object requests: - description: The minimum amount of resources ( such + description: The minimum amount of resources (such as CPU and memory) a container needs to run. properties: cpu: @@ -1181,7 +1181,7 @@ spec: type: string type: object requests: - description: The minimum amount of resources ( such + description: The minimum amount of resources (such as CPU and memory) a container needs to run. properties: cpu: @@ -1244,7 +1244,7 @@ spec: - k8s type: object pilot: - description: Configures the Istio Pilot component. + description: Configures the Istiod component. properties: k8s: description: Defines the Kubernetes resources' configuration @@ -1288,7 +1288,7 @@ spec: type: string type: object requests: - description: The minimum amount of resources ( such + description: The minimum amount of resources (such as CPU and memory) a container needs to run. properties: cpu: 
@@ -1376,7 +1376,7 @@ spec: type: string type: object requests: - description: The minimum amount of resources ( such + description: The minimum amount of resources (such as CPU and memory) a container needs to run. properties: cpu: @@ -1419,7 +1419,7 @@ spec: additionalProperties: type: string description: |- - Specifies a set of additional fixed headers that included in the authorization request sent to the authorization service. + Specifies a set of additional fixed headers included in the authorization request sent to the authorization service. The key is the header name and value is the header value. Client request of the same key or headers specified in `Include` are overridden. type: object @@ -1428,7 +1428,7 @@ spec: Lists client request headers included in the authorization request sent to the authorization service. In addition to the headers specified here, the following headers are included by default: - *Host*, *Method*, *Path*, and *Content-Length* are automatically sent. - - *Content-Length* is set to `0`, and the request does have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. + - *Content-Length* is set to `0`, and the request doesn't have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. items: type: string type: array 
@@ -1475,7 +1475,7 @@ spec: type: string pathPrefix: description: |- - Specifies the prefix which included in the request sent to the authorization service. + Specifies the prefix included in the request sent to the authorization service. The prefix might be constructed with special characters (for example, `/test?original_path=`). type: string port: From 6abc21d8732b814fb0ed5c4acaaa44ab0b81d8ef Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Tue, 2 Dec 2025 09:59:06 +0100 Subject: [PATCH 07/19] fix templates --- Makefile | 7 ++++--- crd-ref-docs/templates/type.tpl | 10 ++++++++-- docs/user/04-00-istio-custom-resource.md | 14 +++++++------- 3 files changed, 19 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index 27f5c7b30c..7c10996214 100644 --- a/Makefile +++ b/Makefile @@ -302,7 +302,8 @@ generate-crd-docs: bin/crd-ref-docs ## Generate CRD reference docs --config=crd-ref-docs/config.yaml \ --templates-dir=crd-ref-docs/templates \ --max-depth=25 - # Replace Optional: \{\} and Required: \{\} with Optional and Required - sed -i'' -e 's/Optional: \\{\\}/Optional/g' docs/user/04-00-istio-custom-resource.md - sed -i'' -e 's/Required: \\{\\}/Required/g' docs/user/04-00-istio-custom-resource.md + # Replace Optional: `\{\}` and Required: `\{\}` with Optional and Required + sed -i'' -e 's/Optional: `\\{\\}`/Optional/g' docs/user/04-00-istio-custom-resource.md + sed -i'' -e 's/Required: `\\{\\}`/Required/g' docs/user/04-00-istio-custom-resource.md + sed -i'' -e 's/XIntOrString: `\\{\\}`/XIntOrString/g' docs/user/04-00-istio-custom-resource.md rm docs/user/04-00-istio-custom-resource.md-e diff --git a/crd-ref-docs/templates/type.tpl b/crd-ref-docs/templates/type.tpl index 4635e59344..6d24dbad1a 100644 --- a/crd-ref-docs/templates/type.tpl +++ b/crd-ref-docs/templates/type.tpl 
@@ -13,7 +13,7 @@ Underlying type: {{ markdownRenderTypeLink $type.UnderlyingType }} {{ if $type.Validation }} Validation: {{- range $type.Validation }} -- {{ . }} +- {{ if hasPrefix "Pattern: " . }}{{ else }}{{ . | replace ": " ": `"}}`{{ end }} {{- end }} {{ end -}} {{ if $type.References }} @@ -32,7 +32,13 @@ Appears in: {{ end -}} {{ range $type.Members -}} -| **{{ .Name }}**
{{ markdownRenderType .Type }} | {{ template "type_members" . }} | {{ if .Validation }}{{ range .Validation -}} {{ markdownRenderFieldDoc . }}
{{ end }}{{ else }}Optional{{ end }} | +| **{{ .Name }}**
{{ markdownRenderType .Type }} | {{ template "type_members" . }} | {{ if .Validation -}} + {{- range .Validation -}} + {{- markdownRenderFieldDoc . | replace ": " ": `" | printf "%s`" | replace "``" "`" }}
+ {{- end -}} +{{- else -}} + Optional +{{- end }} | {{ end -}} {{ end -}} diff --git a/docs/user/04-00-istio-custom-resource.md b/docs/user/04-00-istio-custom-resource.md index 28778aac56..2e4bde98cc 100644 --- a/docs/user/04-00-istio-custom-resource.md +++ b/docs/user/04-00-istio-custom-resource.md @@ -139,9 +139,9 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **numTrustedProxies**
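Review bot: In the earlier hunk of this file (`@@ -13,7`), `{{ if hasPrefix "Pattern: " . }}{{ else }}…{{ end }}` has an empty true branch, so any type-level `Pattern:` validation is now dropped from the rendered page rather than shown unquoted; that branch should at least emit `{{ . }}`. In this hunk, `replace ": " ": `"` quotes the value by splitting on every `: `, which also fires on a `: ` inside a pattern or enum value, and the trailing `replace "``" "`"` only papers over values that already end in a backtick. Quoting in the template and then stripping `Optional: `\{\}`` again with `sed` in the Makefile couples the two files; the template is reverted later in this series, which suggests the coupling was found fragile.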
integer | Defines the number of trusted proxies deployed in front of the Istio gateway proxy. | Maximum: 4.294967295e+09
Minimum: 0
| +| **numTrustedProxies**
integer | Defines the number of trusted proxies deployed in front of the Istio gateway proxy. | Maximum: `4.294967295e+09`
Minimum: `0`
| | **authorizers**
[Authorizer](#authorizer) array | Defines a list of external authorization providers. | Optional | -| **gatewayExternalTrafficPolicy**
string | Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are `"Local"` or `"Cluster"`. The external traffic policy set to `"Local"` preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution.
WARNING: Switching **externalTrafficPolicy** may result in a temporal increase in request delay. Make sure that this is acceptable. | Enum: [Local Cluster]
Optional
| +| **gatewayExternalTrafficPolicy**
string | Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are `"Local"` or `"Cluster"`. The external traffic policy set to `"Local"` preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution.
WARNING: Switching **externalTrafficPolicy** may result in a temporal increase in request delay. Make sure that this is acceptable. | Enum: `[Local Cluster]`
Optional
| | **telemetry**
[Telemetry](#telemetry) | Defines the telemetry configuration of Istio. | Optional
| ### EgressGateway @@ -175,8 +175,8 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **maxReplicas**
integer | Defines the minimum number of replicas for the HorizontalPodAutoscaler. | Maximum: 2.147483647e+09
Minimum: 0
| -| **minReplicas**
integer | Defines the maximum number of replicas for the HorizontalPodAutoscaler. | Maximum: 2.147483647e+09
Minimum: 0
| +| **maxReplicas**
integer | Defines the minimum number of replicas for the HorizontalPodAutoscaler. | Maximum: `2.147483647e+09`
Minimum: `0`
| +| **minReplicas**
integer | Defines the maximum number of replicas for the HorizontalPodAutoscaler. | Maximum: `2.147483647e+09`
Minimum: `0`
| ### Headers @@ -253,7 +253,7 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **state**
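Review bot: The new-side rows for `maxReplicas` and `minReplicas` carry each other's descriptions — `maxReplicas` reads `Defines the minimum number of replicas…` and `minReplicas` reads `Defines the maximum number…`. This file is generated, so the swap has to be corrected in the Go doc comments of the HPA type (not in this diff) and the reference regenerated; the same rows reappear unchanged in the later docs hunks of this series. The hunk itself only adds backticks around the validation values.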
[State](#state) | Signifies the current state of the Istio custom resource. Possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`. | Enum: [Processing Deleting Ready Error Warning]
Required
| +| **state**
[State](#state) | Signifies the current state of the Istio custom resource. Possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`. | Enum: `[Processing Deleting Ready Error Warning]`
Required
| | **conditions**
[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#condition-v1-meta) | Contains conditions associated with **IstioStatus**. | Optional | | **description**
string | Describes the Istio status. | Optional | @@ -350,8 +350,8 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). | Pattern: `^[0-9]+%?$`
XIntOrString: \{\}
| -| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) | Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString: \{\}
| +| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). | Pattern: `^[0-9]+%?$`
XIntOrString
| +| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) | Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString
| ### State From 4ea6a07039de3a629f0eb8cc39dda1d9e9ae5c78 Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Tue, 2 Dec 2025 10:33:45 +0100 Subject: [PATCH 08/19] remove comment --- Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/Makefile b/Makefile index 7c10996214..e629058faa 100644 --- a/Makefile +++ b/Makefile @@ -302,7 +302,6 @@ generate-crd-docs: bin/crd-ref-docs ## Generate CRD reference docs --config=crd-ref-docs/config.yaml \ --templates-dir=crd-ref-docs/templates \ --max-depth=25 - # Replace Optional: `\{\}` and Required: `\{\}` with Optional and Required sed -i'' -e 's/Optional: `\\{\\}`/Optional/g' docs/user/04-00-istio-custom-resource.md sed -i'' -e 's/Required: `\\{\\}`/Required/g' docs/user/04-00-istio-custom-resource.md sed -i'' -e 's/XIntOrString: `\\{\\}`/XIntOrString/g' docs/user/04-00-istio-custom-resource.md From b069c743e5293cc9a18a2ff3973451436cdc6ede Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Tue, 2 Dec 2025 16:33:35 +0100 Subject: [PATCH 09/19] fix templates --- Makefile | 4 ++-- crd-ref-docs/templates/type.tpl | 10 ++-------- docs/user/04-00-istio-custom-resource.md | 14 +++++++------- 3 files changed, 11 insertions(+), 17 deletions(-) diff --git a/Makefile b/Makefile index e629058faa..2cde3d24c3 100644 --- a/Makefile +++ b/Makefile @@ -302,7 +302,7 @@ generate-crd-docs: bin/crd-ref-docs ## Generate CRD reference docs --config=crd-ref-docs/config.yaml \ --templates-dir=crd-ref-docs/templates \ --max-depth=25 - sed -i'' -e 's/Optional: `\\{\\}`/Optional/g' docs/user/04-00-istio-custom-resource.md - sed -i'' -e 's/Required: `\\{\\}`/Required/g' docs/user/04-00-istio-custom-resource.md + sed -i'' -e 's/Optional: \\{\\}/Optional/g' docs/user/04-00-istio-custom-resource.md + sed -i'' -e 's/Required: \\{\\}/Required/g' docs/user/04-00-istio-custom-resource.md sed -i'' -e 's/XIntOrString: `\\{\\}`/XIntOrString/g' docs/user/04-00-istio-custom-resource.md rm docs/user/04-00-istio-custom-resource.md-e 
diff --git a/crd-ref-docs/templates/type.tpl b/crd-ref-docs/templates/type.tpl index 6d24dbad1a..4635e59344 100644 --- a/crd-ref-docs/templates/type.tpl +++ b/crd-ref-docs/templates/type.tpl @@ -13,7 +13,7 @@ Underlying type: {{ markdownRenderTypeLink $type.UnderlyingType }} {{ if $type.Validation }} Validation: {{- range $type.Validation }} -- {{ if hasPrefix "Pattern: " . }}{{ else }}{{ . | replace ": " ": `"}}`{{ end }} +- {{ . }} {{- end }} {{ end -}} {{ if $type.References }} @@ -32,13 +32,7 @@ Appears in: {{ end -}} {{ range $type.Members -}} -| **{{ .Name }}**
{{ markdownRenderType .Type }} | {{ template "type_members" . }} | {{ if .Validation -}} - {{- range .Validation -}} - {{- markdownRenderFieldDoc . | replace ": " ": `" | printf "%s`" | replace "``" "`" }}
- {{- end -}} -{{- else -}} - Optional -{{- end }} | +| **{{ .Name }}**
{{ markdownRenderType .Type }} | {{ template "type_members" . }} | {{ if .Validation }}{{ range .Validation -}} {{ markdownRenderFieldDoc . }}
{{ end }}{{ else }}Optional{{ end }} | {{ end -}} {{ end -}} diff --git a/docs/user/04-00-istio-custom-resource.md b/docs/user/04-00-istio-custom-resource.md index 2e4bde98cc..28778aac56 100644 --- a/docs/user/04-00-istio-custom-resource.md +++ b/docs/user/04-00-istio-custom-resource.md @@ -139,9 +139,9 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **numTrustedProxies**
integer | Defines the number of trusted proxies deployed in front of the Istio gateway proxy. | Maximum: `4.294967295e+09`
Minimum: `0`
| +| **numTrustedProxies**
integer | Defines the number of trusted proxies deployed in front of the Istio gateway proxy. | Maximum: 4.294967295e+09
Minimum: 0
| | **authorizers**
[Authorizer](#authorizer) array | Defines a list of external authorization providers. | Optional | -| **gatewayExternalTrafficPolicy**
string | Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are `"Local"` or `"Cluster"`. The external traffic policy set to `"Local"` preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution.
WARNING: Switching **externalTrafficPolicy** may result in a temporal increase in request delay. Make sure that this is acceptable. | Enum: `[Local Cluster]`
Optional
| +| **gatewayExternalTrafficPolicy**
string | Defines the external traffic policy for the Istio Ingress Gateway Service. Valid configurations are `"Local"` or `"Cluster"`. The external traffic policy set to `"Local"` preserves the client IP in the request, but also introduces the risk of unbalanced traffic distribution.
WARNING: Switching **externalTrafficPolicy** may result in a temporal increase in request delay. Make sure that this is acceptable. | Enum: [Local Cluster]
Optional
| | **telemetry**
[Telemetry](#telemetry) | Defines the telemetry configuration of Istio. | Optional
| ### EgressGateway @@ -175,8 +175,8 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **maxReplicas**
integer | Defines the minimum number of replicas for the HorizontalPodAutoscaler. | Maximum: `2.147483647e+09`
Minimum: `0`
| -| **minReplicas**
integer | Defines the maximum number of replicas for the HorizontalPodAutoscaler. | Maximum: `2.147483647e+09`
Minimum: `0`
| +| **maxReplicas**
integer | Defines the minimum number of replicas for the HorizontalPodAutoscaler. | Maximum: 2.147483647e+09
Minimum: 0
| +| **minReplicas**
integer | Defines the maximum number of replicas for the HorizontalPodAutoscaler. | Maximum: 2.147483647e+09
Minimum: 0
| ### Headers @@ -253,7 +253,7 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **state**
[State](#state) | Signifies the current state of the Istio custom resource. Possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`. | Enum: `[Processing Deleting Ready Error Warning]`
Required
| +| **state**
[State](#state) | Signifies the current state of the Istio custom resource. Possible values are `Ready`, `Processing`, `Error`, `Deleting`, or `Warning`. | Enum: [Processing Deleting Ready Error Warning]
Required
| | **conditions**
[Condition](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#condition-v1-meta) | Contains conditions associated with **IstioStatus**. | Optional | | **description**
string | Describes the Istio status. | Optional | @@ -350,8 +350,8 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). | Pattern: `^[0-9]+%?$`
XIntOrString
| -| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) | Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString
| +| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). | Pattern: `^[0-9]+%?$`
XIntOrString: \{\}
| +| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) | Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString: \{\}
| ### State From 0fa4f0018813ecd2b3514c3a9041eb707c755a67 Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Tue, 2 Dec 2025 16:37:32 +0100 Subject: [PATCH 10/19] remove reasonswith fiels --- Makefile | 2 ++ crd-ref-docs/config.yaml | 5 +---- docs/user/04-00-istio-custom-resource.md | 5 ----- 3 files changed, 3 insertions(+), 9 deletions(-) diff --git a/Makefile b/Makefile index 2cde3d24c3..492f37c7ee 100644 --- a/Makefile +++ b/Makefile @@ -305,4 +305,6 @@ generate-crd-docs: bin/crd-ref-docs ## Generate CRD reference docs sed -i'' -e 's/Optional: \\{\\}/Optional/g' docs/user/04-00-istio-custom-resource.md sed -i'' -e 's/Required: \\{\\}/Required/g' docs/user/04-00-istio-custom-resource.md sed -i'' -e 's/XIntOrString: `\\{\\}`/XIntOrString/g' docs/user/04-00-istio-custom-resource.md + sed -i'' -e '1N;$!N;/\n.*ReasonWithMessage/!P;D' docs/user/04-00-istio-custom-resource.md + sed -i'' -e '/ReasonWithMessage/d' docs/user/04-00-istio-custom-resource.md rm docs/user/04-00-istio-custom-resource.md-e diff --git a/crd-ref-docs/config.yaml b/crd-ref-docs/config.yaml index a5d34cf3c2..e533ea4487 100644 --- a/crd-ref-docs/config.yaml +++ b/crd-ref-docs/config.yaml @@ -9,7 +9,4 @@ render: knownTypes: - name: RollingUpdate package: "github.com/kyma-project/istio/operator/api/v1alpha2" - link: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#rollingupdatedeployment-v1-apps - - name: ReasonWithMessage - package: "github.com/kyma-project/istio/operator/api/v1alpha2" - link: \ No newline at end of file + link: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#rollingupdatedeployment-v1-apps \ No newline at end of file diff --git a/docs/user/04-00-istio-custom-resource.md b/docs/user/04-00-istio-custom-resource.md index 1f72f88450..3d9a989ac5 100644 --- a/docs/user/04-00-istio-custom-resource.md +++ b/docs/user/04-00-istio-custom-resource.md 
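Review bot: In a Makefile recipe `$!` is a make variable reference, so the shell never sees `$!N`; sed receives `1N;N;/\n.*ReasonWithMessage/!P;D`, and without the `$!` guard an `N` on the last line makes BSD sed exit without printing the pattern space (GNU sed prints it). That looks like the cause of the docs hunk in this same patch (`@@ -415,5 +412,3`), which silently drops the final `onAllow` table row rather than anything ReasonWithMessage-related. The guard needs `$$!N`, which the later Makefile hunk in this series applies. Deleting a type from the reference with a two-step text filter is fragile; crd-ref-docs' `processor.ignoreTypes` would exclude `ReasonWithMessage` at generation time instead.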
@@ -96,9 +96,6 @@ Appears in: Underlying type: string -Appears in: -- ReasonWithMessage - | Field | Description | | --- | --- | | **ReconcileSucceeded** | Reconciliation finished successfully.
| @@ -415,5 +412,3 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **onAllow**
string array | Lists headers from the authorization service added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code `200`).
If not specified, the original request is forwarded to the backend unmodified.
Any existing headers are overridden. | Optional | - From 4533a7086a164d51d8dbb07a318993b9294617e0 Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Tue, 2 Dec 2025 16:41:40 +0100 Subject: [PATCH 11/19] add -f --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 492f37c7ee..9e45be7c98 100644 --- a/Makefile +++ b/Makefile @@ -307,4 +307,4 @@ generate-crd-docs: bin/crd-ref-docs ## Generate CRD reference docs sed -i'' -e 's/XIntOrString: `\\{\\}`/XIntOrString/g' docs/user/04-00-istio-custom-resource.md sed -i'' -e '1N;$!N;/\n.*ReasonWithMessage/!P;D' docs/user/04-00-istio-custom-resource.md sed -i'' -e '/ReasonWithMessage/d' docs/user/04-00-istio-custom-resource.md - rm docs/user/04-00-istio-custom-resource.md-e + rm -f docs/user/04-00-istio-custom-resource.md-e From 2c34bf103f40df8792efef4f5a76909e42987453 Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Tue, 2 Dec 2025 17:02:07 +0100 Subject: [PATCH 12/19] Retrigger CI From 339410995a07596a49391de85794ce53e04474f6 Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Wed, 3 Dec 2025 09:03:49 +0100 Subject: [PATCH 13/19] fix sed --- Makefile | 4 ++-- docs/user/04-00-istio-custom-resource.md | 6 ++++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/Makefile b/Makefile index 9e45be7c98..71b28158cd 100644 --- a/Makefile +++ b/Makefile 
@@ -304,7 +304,7 @@ generate-crd-docs: bin/crd-ref-docs ## Generate CRD reference docs --max-depth=25 sed -i'' -e 's/Optional: \\{\\}/Optional/g' docs/user/04-00-istio-custom-resource.md sed -i'' -e 's/Required: \\{\\}/Required/g' docs/user/04-00-istio-custom-resource.md - sed -i'' -e 's/XIntOrString: `\\{\\}`/XIntOrString/g' docs/user/04-00-istio-custom-resource.md - sed -i'' -e '1N;$!N;/\n.*ReasonWithMessage/!P;D' docs/user/04-00-istio-custom-resource.md + sed -i'' -e 's/XIntOrString: \\{\\}/XIntOrString/g' docs/user/04-00-istio-custom-resource.md + sed -i'' -e '1N;$$!N;/\n.*ReasonWithMessage/!P;D' docs/user/04-00-istio-custom-resource.md sed -i'' -e '/ReasonWithMessage/d' docs/user/04-00-istio-custom-resource.md rm -f docs/user/04-00-istio-custom-resource.md-e diff --git a/docs/user/04-00-istio-custom-resource.md b/docs/user/04-00-istio-custom-resource.md index 3d9a989ac5..7c5ac47299 100644 --- a/docs/user/04-00-istio-custom-resource.md +++ b/docs/user/04-00-istio-custom-resource.md @@ -348,8 +348,8 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). | Pattern: `^[0-9]+%?$`
XIntOrString: \{\}
| -| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) | Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString: \{\}
| +| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). | Pattern: `^[0-9]+%?$`
XIntOrString
| +| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) | Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString
| ### State @@ -412,3 +412,5 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | +| **onAllow**
string array | Lists headers from the authorization service added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code `200`).
If not specified, the original request is forwarded to the backend unmodified.
Any existing headers are overridden. | Optional | + From 0a051db99c9083fb2fbfb6ca5120d3d3047f8bb0 Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Wed, 3 Dec 2025 09:52:38 +0100 Subject: [PATCH 14/19] add missing fields --- api/v1alpha2/experimental.go | 5 +++++ config/crd/bases/operator.kyma-project.io_istios.yaml | 3 +++ docs/user/04-00-istio-custom-resource.md | 10 +++++++--- 3 files changed, 15 insertions(+), 3 deletions(-) diff --git a/api/v1alpha2/experimental.go b/api/v1alpha2/experimental.go index 2190c82995..b5ce6dcc88 100644 --- a/api/v1alpha2/experimental.go +++ b/api/v1alpha2/experimental.go @@ -1,6 +1,8 @@ package v1alpha2 +// Defines experimental features. type Experimental struct { + // Defines experimental features for Istio Pilot. PilotFeatures `json:"pilot"` // Enables dual-stack support. @@ -11,7 +13,10 @@ type Experimental struct { EnableAmbient *bool `json:"enableAmbient,omitempty"` } +// Defines experimental features for Istio Pilot. type PilotFeatures struct { + // Defines alpha Gateway API support. EnableAlphaGatewayAPI bool `json:"enableAlphaGatewayAPI"` + // Enables multi-network discovery for Gateway API. EnableMultiNetworkDiscoverGatewayAPI bool `json:"enableMultiNetworkDiscoverGatewayAPI"` } diff --git a/config/crd/bases/operator.kyma-project.io_istios.yaml b/config/crd/bases/operator.kyma-project.io_istios.yaml index ff00d0c77e..4c26d195f9 100644 --- a/config/crd/bases/operator.kyma-project.io_istios.yaml +++ b/config/crd/bases/operator.kyma-project.io_istios.yaml @@ -1538,10 +1538,13 @@ spec: description: Enables dual-stack support. type: boolean pilot: + description: Defines experimental features for Istio Pilot. properties: enableAlphaGatewayAPI: + description: Defines alpha Gateway API support. type: boolean enableMultiNetworkDiscoverGatewayAPI: + description: Enables multi-network discovery for Gateway API. type: boolean required: - enableAlphaGatewayAPI 
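Review bot: The comment added for `EnableAlphaGatewayAPI` reads `// Defines alpha Gateway API support.`, which does not say what setting the bool does, whereas its sibling field is documented as `// Enables multi-network discovery for Gateway API.`; `// Enables alpha Gateway API support.` describes the field the same way as its neighbour and matches the field name. The same wording is copied into the CRD `description` in the yaml hunk of this patch and into the markdown reference, so the change should be made in the Go source and the other two regenerated rather than edited by hand.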
diff --git a/docs/user/04-00-istio-custom-resource.md b/docs/user/04-00-istio-custom-resource.md index 7c5ac47299..fe171aedff 100644 --- a/docs/user/04-00-istio-custom-resource.md +++ b/docs/user/04-00-istio-custom-resource.md @@ -155,12 +155,14 @@ Appears in: ### Experimental +Defines experimental features. + Appears in: - [IstioSpec](#istiospec) | Field | Description | Validation | | --- | --- | --- | -| **pilot**
[PilotFeatures](#pilotfeatures) | | Optional | +| **pilot**
[PilotFeatures](#pilotfeatures) | Defines experimental features for Istio Pilot. | Optional | | **enableDualStack**
boolean | Enables dual-stack support. | Optional
| | **enableAmbient**
boolean | Enables ambient mode support. | Optional
| @@ -282,13 +284,15 @@ Appears in: ### PilotFeatures +Defines experimental features for Istio Pilot. + Appears in: - [Experimental](#experimental) | Field | Description | Validation | | --- | --- | --- | -| **enableAlphaGatewayAPI**
boolean | | Optional | -| **enableMultiNetworkDiscoverGatewayAPI**
boolean | | Optional | +| **enableAlphaGatewayAPI**
boolean | Defines alpha Gateway API support. | Optional | +| **enableMultiNetworkDiscoverGatewayAPI**
boolean | Enables multi-network discovery for Gateway API. | Optional | ### ProxyComponent From a7a9403c55cde1f5e7b1e17a6e1d1354477f43ea Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Mon, 8 Dec 2025 13:42:06 +0100 Subject: [PATCH 15/19] update kubebuilder annotations --- api/v1alpha2/authorizers.go | 7 ++++--- api/v1alpha2/istio_structs.go | 7 ++++--- config/crd/bases/operator.kyma-project.io_istios.yaml | 10 ---------- 3 files changed, 8 insertions(+), 16 deletions(-) diff --git a/api/v1alpha2/authorizers.go b/api/v1alpha2/authorizers.go index 163b047cfc..390a293afa 100644 --- a/api/v1alpha2/authorizers.go +++ b/api/v1alpha2/authorizers.go @@ -14,8 +14,9 @@ type Authorizer struct { // Specifies the service that implements the Envoy `ext_authz` HTTP authorization service. // The recommended format is `[Namespace/]Hostname`. - // Specify the namespace if it is required to unambiguously resolve a service in the service registry. + // Specify the namespace if it is required to unambiguously resolve a service in the service registry. // The host name refers to the fully qualified host name of a service defined by either a Kubernetes Service or a ServiceEntry. + // +kubebuilder:validation:Optional Service string `json:"service"` // Specifies the port of the Service. @@ -65,7 +66,7 @@ type InCheck struct { Add map[string]string `json:"add,omitempty"` } -// Defines the headers to be forwarded to the upstream (to the backend service). +// Defines the headers to be forwarded to the upstream (to the backend service). type ToUpstream struct { // Lists headers from the authorization service added or overridden in the original request and forwarded to the upstream when the authorization check result is allowed (HTTP code `200`). // If not specified, the original request is forwarded to the backend unmodified. 
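Review bot: The `// +kubebuilder:validation:Optional` marker added above `Service` removes the only schema check that an external authorizer names a target service (the CRD hunk at `@@ -1496,7 +1487,6 @@` in this patch drops `- service` from `required`), while `Name` and `Port` in the same struct stay `Required`. An `Authorizer` with an empty `service` has nowhere to send the `ext_authz` check, so an `Istio` CR that omits it is now accepted by the API server and the error surfaces only wherever the reconciler or Istio later consumes the extension provider; whether the reconciler validates this is not visible from the hunk. If the intent was to correct the rendered docs rather than relax validation, keep `// +kubebuilder:validation:Required`; if optional is intended, add an explicit reconciler-side check and state the fallback in the field comment. The marker affects only the generated schema: the `json:"service"` tag has no `omitempty`, so Go clients still serialize an empty string. The `Authorizer` struct starts and ends outside this hunk.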
@@ -85,4 +86,4 @@ type ToDownstream struct { // When a header is included in this list, the following headers are automatically added: *Path*, *Status*, *Content-Length*, *WWWAuthenticate*, and *Location*. // The body from the authorization service is always included in the response to downstream. OnDeny []string `json:"onDeny,omitempty"` -} \ No newline at end of file +} diff --git a/api/v1alpha2/istio_structs.go b/api/v1alpha2/istio_structs.go index 63fb3d0f18..0b207d74c8 100644 --- a/api/v1alpha2/istio_structs.go +++ b/api/v1alpha2/istio_structs.go @@ -6,7 +6,6 @@ import ( ) // Configures the Istio installation. -// +kubebuilder:validation:Optional type Config struct { // Defines the number of trusted proxies deployed in front of the Istio gateway proxy. // +kubebuilder:validation:Minimum=0 @@ -115,6 +114,7 @@ type Strategy struct { // Defines the configuration for rolling updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment). type RollingUpdate struct { // Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). + // +kubebuilder:validation:Optional // +kubebuilder:validation:XIntOrString // +kubebuilder:validation:Pattern=`^[0-9]+%?$` // +kubebuilder:validation:XValidation:rule="(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)",message="must not be negative, more than 2147483647 or an empty string" 
@@ -123,13 +123,14 @@ type RollingUpdate struct { // +kubebuilder:validation:XIntOrString // +kubebuilder:validation:Pattern="^((100|[0-9]{1,2})%|[0-9]+)$" // +kubebuilder:validation:XValidation:rule="(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)",message="must not be negative, more than 2147483647 or an empty string" + // +kubebuilder:validation:Optional MaxUnavailable *intstr.IntOrString `json:"maxUnavailable" protobuf:"bytes,1,opt,name=maxUnavailable"` } // Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). type Resources struct { // The maximum amount of resources a container is allowed to use. - Limits *ResourceClaims `json:"limits,omitempty"` + Limits *ResourceClaims `json:"limits,omitempty"` // The minimum amount of resources (such as CPU and memory) a container needs to run. Requests *ResourceClaims `json:"requests,omitempty"` } @@ -152,4 +153,4 @@ type EgressGateway struct { // Enables or disables Istio Egress Gateway. // +kubebuilder:validation:Optional Enabled *bool `json:"enabled,omitempty"` -} \ No newline at end of file +} diff --git a/config/crd/bases/operator.kyma-project.io_istios.yaml b/config/crd/bases/operator.kyma-project.io_istios.yaml index 4c26d195f9..da8a0e8e77 100644 --- a/config/crd/bases/operator.kyma-project.io_istios.yaml +++ b/config/crd/bases/operator.kyma-project.io_istios.yaml @@ -1127,9 +1127,6 @@ spec: or an empty string rule: '(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)' - required: - - maxSurge - - maxUnavailable type: object required: - rollingUpdate @@ -1232,9 +1229,6 @@ spec: or an empty string rule: '(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)' - required: - - maxSurge - - maxUnavailable type: object required: - rollingUpdate 
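Review bot: The `// +kubebuilder:validation:Optional` marker for `MaxUnavailable` is placed after the `XValidation` rule, while the same marker added for `MaxSurge` in the preceding hunk (`@@ -115,6 +114,7 @@`) sits first, directly under the description; putting it in the same position on both fields keeps the pair readable. With both fields now optional, `rollingUpdate: {}` passes the schema (the CRD hunks in this patch remove `required: [maxSurge, maxUnavailable]` in three places), so whatever builds the Deployment strategy from a nil `MaxSurge`/`MaxUnavailable` needs a defined fallback and the field comments should say what that fallback is; that code is not visible here. The `RollingUpdate` struct begins in the previous hunk.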
@@ -1339,9 +1333,6 @@ spec: or an empty string rule: '(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)' - required: - - maxSurge - - maxUnavailable type: object required: - rollingUpdate @@ -1496,7 +1487,6 @@ spec: required: - name - port - - service type: object type: array gatewayExternalTrafficPolicy: From 38947e0ec3dbf2384a8d812ae6ebb0b088a45849 Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Mon, 8 Dec 2025 13:52:29 +0100 Subject: [PATCH 16/19] add crd --- docs/user/04-00-istio-custom-resource.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/user/04-00-istio-custom-resource.md b/docs/user/04-00-istio-custom-resource.md index 39d5485085..cceb082be7 100644 --- a/docs/user/04-00-istio-custom-resource.md +++ b/docs/user/04-00-istio-custom-resource.md @@ -48,7 +48,7 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | | **name**
string | Specifies a unique name identifying the authorization provider. | Required
| -| **service**
string | Specifies the service that implements the Envoy `ext_authz` HTTP authorization service.
The recommended format is `[Namespace/]Hostname`.
Specify the namespace if it is required to unambiguously resolve a service in the service registry.
The host name refers to the fully qualified host name of a service defined by either a Kubernetes Service or a ServiceEntry. | Optional | +| **service**
string | Specifies the service that implements the Envoy `ext_authz` HTTP authorization service.
The recommended format is `[Namespace/]Hostname`.
Specify the namespace if it is required to unambiguously resolve a service in the service registry.
The host name refers to the fully qualified host name of a service defined by either a Kubernetes Service or a ServiceEntry. | Optional
| | **port**
integer | Specifies the port of the Service. | Required
| | **headers**
[Headers](#headers) | Specifies the headers included, added, or forwarded during authorization. | Optional | | **pathPrefix**
string | Specifies the prefix included in the request sent to the authorization service.
The prefix might be constructed with special characters (for example, `/test?original_path=`). | Optional
| @@ -79,8 +79,6 @@ Appears in: ### Components -Configures Istio components. - Appears in: - [IstioSpec](#istiospec) @@ -353,8 +351,8 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). | Pattern: `^[0-9]+%?$`
XIntOrString
| -| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) | Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString
| +| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). | Optional
Pattern: `^[0-9]+%?$`
XIntOrString
| +| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) | Optional
Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString
| ### State From 040d9063afad2287336b456e98f822f2d6c99020 Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Mon, 8 Dec 2025 14:04:27 +0100 Subject: [PATCH 17/19] add missing annotations --- api/v1alpha2/experimental.go | 3 +++ config/crd/bases/operator.kyma-project.io_istios.yaml | 5 ----- docs/user/04-00-istio-custom-resource.md | 6 +++--- 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/api/v1alpha2/experimental.go b/api/v1alpha2/experimental.go index b5ce6dcc88..f019e08555 100644 --- a/api/v1alpha2/experimental.go +++ b/api/v1alpha2/experimental.go @@ -3,6 +3,7 @@ package v1alpha2 // Defines experimental features. type Experimental struct { // Defines experimental features for Istio Pilot. + // +kubebuilder:validation:Optional PilotFeatures `json:"pilot"` // Enables dual-stack support. @@ -16,7 +17,9 @@ type Experimental struct { // Defines experimental features for Istio Pilot. type PilotFeatures struct { // Defines alpha Gateway API support. + // +kubebuilder:validation:Optional EnableAlphaGatewayAPI bool `json:"enableAlphaGatewayAPI"` // Enables multi-network discovery for Gateway API. + // +kubebuilder:validation:Optional EnableMultiNetworkDiscoverGatewayAPI bool `json:"enableMultiNetworkDiscoverGatewayAPI"` } diff --git a/config/crd/bases/operator.kyma-project.io_istios.yaml b/config/crd/bases/operator.kyma-project.io_istios.yaml index a0732f8c71..6fa631903a 100644 --- a/config/crd/bases/operator.kyma-project.io_istios.yaml +++ b/config/crd/bases/operator.kyma-project.io_istios.yaml @@ -1548,12 +1548,7 @@ spec: enableMultiNetworkDiscoverGatewayAPI: description: Enables multi-network discovery for Gateway API. type: boolean - required: - - enableAlphaGatewayAPI - - enableMultiNetworkDiscoverGatewayAPI type: object - required: - - pilot type: object type: object status: diff --git a/docs/user/04-00-istio-custom-resource.md b/docs/user/04-00-istio-custom-resource.md index cceb082be7..0b0a173a2d 100644 
--- a/docs/user/04-00-istio-custom-resource.md +++ b/docs/user/04-00-istio-custom-resource.md @@ -161,7 +161,7 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **pilot**
[PilotFeatures](#pilotfeatures) | Defines experimental features for Istio Pilot. | Optional | +| **pilot**
[PilotFeatures](#pilotfeatures) | Defines experimental features for Istio Pilot. | Optional
| | **enableDualStack**
boolean | Enables dual-stack support. | Optional
| | **enableAmbient**
boolean | Enables ambient mode support. | Optional
| @@ -290,8 +290,8 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **enableAlphaGatewayAPI**
boolean | Defines alpha Gateway API support. | Optional | -| **enableMultiNetworkDiscoverGatewayAPI**
boolean | Enables multi-network discovery for Gateway API. | Optional | +| **enableAlphaGatewayAPI**
boolean | Defines alpha Gateway API support. | Optional
| +| **enableMultiNetworkDiscoverGatewayAPI**
boolean | Enables multi-network discovery for Gateway API. | Optional
| ### ProxyComponent From 63520bba13fd6e824cd9fb83374d006121bacfaa Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Mon, 8 Dec 2025 14:34:19 +0100 Subject: [PATCH 18/19] formatting fix --- api/v1alpha2/authorizers.go | 8 ++++---- api/v1alpha2/istio_structs.go | 4 ++-- config/crd/bases/operator.kyma-project.io_istios.yaml | 10 +++++----- docs/user/04-00-istio-custom-resource.md | 8 ++++---- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/api/v1alpha2/authorizers.go b/api/v1alpha2/authorizers.go index 390a293afa..a93dbbb8be 100644 --- a/api/v1alpha2/authorizers.go +++ b/api/v1alpha2/authorizers.go @@ -56,8 +56,8 @@ type Headers struct { type InCheck struct { // Lists client request headers included in the authorization request sent to the authorization service. // In addition to the headers specified here, the following headers are included by default: - // - *Host*, *Method*, *Path*, and *Content-Length* are automatically sent. - // - *Content-Length* is set to `0`, and the request doesn't have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. + // - **Host**, **Method**, **Path**, and **Content-Length** are automatically sent. + // - **Content-Length** is set to `0`, and the request doesn't have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. Include []string `json:"include,omitempty"` // Specifies a set of additional fixed headers included in the authorization request sent to the authorization service. 
@@ -82,8 +82,8 @@ type ToDownstream struct { OnAllow []string `json:"onAllow,omitempty"` // Lists headers from the authorization service forwarded to downstream when the authorization check result is not allowed (HTTP code is other than `200`). - // If not specified, all the authorization response headers, except *Authority (Host)*, are included in the response to the downstream. - // When a header is included in this list, the following headers are automatically added: *Path*, *Status*, *Content-Length*, *WWWAuthenticate*, and *Location*. + // If not specified, all the authorization response headers, except **Authority (Host)**, are included in the response to the downstream. + // When a header is included in this list, the following headers are automatically added: **Path**, **Status**, **Content-Length**, **WWWAuthenticate**, and **Location**. // The body from the authorization service is always included in the response to downstream. OnDeny []string `json:"onDeny,omitempty"` } diff --git a/api/v1alpha2/istio_structs.go b/api/v1alpha2/istio_structs.go index d1b8f16a5c..7c81871145 100644 --- a/api/v1alpha2/istio_structs.go +++ b/api/v1alpha2/istio_structs.go 
@@ -79,12 +79,12 @@ type KubernetesResourcesConfig struct { // Configures the Istio sidecar proxy component. type ProxyComponent struct { - // **ProxyK8sConfig** is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). + // Contains a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). // +kubebuilder:validation:Required K8S *ProxyK8sConfig `json:"k8s"` } -// **ProxyK8sConfig** is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). +// Contains a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). type ProxyK8sConfig struct { // Defines Kubernetes resources' configuration. See [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/). Resources *Resources `json:"resources,omitempty"` diff --git a/config/crd/bases/operator.kyma-project.io_istios.yaml b/config/crd/bases/operator.kyma-project.io_istios.yaml index 6fa631903a..d6f066932a 100644 --- a/config/crd/bases/operator.kyma-project.io_istios.yaml +++ b/config/crd/bases/operator.kyma-project.io_istios.yaml @@ -1345,7 +1345,7 @@ spec: description: Configures the Istio sidecar proxy component. properties: k8s: - description: '**ProxyK8sConfig** is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec).' + description: Contains a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). properties: resources: description: Defines Kubernetes resources' configuration. 
@@ -1418,8 +1418,8 @@ spec: description: |- Lists client request headers included in the authorization request sent to the authorization service. In addition to the headers specified here, the following headers are included by default: - - *Host*, *Method*, *Path*, and *Content-Length* are automatically sent. - - *Content-Length* is set to `0`, and the request doesn't have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. + - **Host**, **Method**, **Path**, and **Content-Length** are automatically sent. + - **Content-Length** is set to `0`, and the request doesn't have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. items: type: string type: array @@ -1439,8 +1439,8 @@ spec: onDeny: description: |- Lists headers from the authorization service forwarded to downstream when the authorization check result is not allowed (HTTP code is other than `200`). - If not specified, all the authorization response headers, except *Authority (Host)*, are included in the response to the downstream. - When a header is included in this list, the following headers are automatically added: *Path*, *Status*, *Content-Length*, *WWWAuthenticate*, and *Location*. + If not specified, all the authorization response headers, except **Authority (Host)**, are included in the response to the downstream. + When a header is included in this list, the following headers are automatically added: **Path**, **Status**, **Content-Length**, **WWWAuthenticate**, and **Location**. The body from the authorization service is always included in the response to downstream. items: type: string 
diff --git a/docs/user/04-00-istio-custom-resource.md b/docs/user/04-00-istio-custom-resource.md index 0b0a173a2d..c75fc663fd 100644 --- a/docs/user/04-00-istio-custom-resource.md +++ b/docs/user/04-00-istio-custom-resource.md @@ -203,7 +203,7 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **include**
string array | Lists client request headers included in the authorization request sent to the authorization service.
In addition to the headers specified here, the following headers are included by default:
- *Host*, *Method*, *Path*, and *Content-Length* are automatically sent.
- *Content-Length* is set to `0`, and the request doesn't have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. | Optional | +| **include**
string array | Lists client request headers included in the authorization request sent to the authorization service.
In addition to the headers specified here, the following headers are included by default:
- **Host**, **Method**, **Path**, and **Content-Length** are automatically sent.
- **Content-Length** is set to `0`, and the request doesn't have a message body. However, the authorization request can include the buffered client request body (controlled by the **include_request_body_in_check** setting), consequently the **Content-Length** value of the authorization request reflects its payload size. | Optional | | **add**
object (keys:string, values:string) | Specifies a set of additional fixed headers included in the authorization request sent to the authorization service.
The key is the header name and value is the header value.
Client request of the same key or headers specified in `Include` are overridden. | Optional | ### Istio @@ -302,11 +302,11 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **k8s**
[ProxyK8sConfig](#proxyk8sconfig) | **ProxyK8sConfig** is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). | Required
| +| **k8s**
[ProxyK8sConfig](#proxyk8sconfig) | Contains a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). | Required
| ### ProxyK8sConfig -**ProxyK8sConfig** is a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). +Contains a subset of [KubernetesResourcesSpec](https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec). Appears in: - [ProxyComponent](#proxycomponent) @@ -404,7 +404,7 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | | **onAllow**
string array | Lists headers from the authorization service forwarded to downstream when the authorization check result is allowed (HTTP code `200`).
If not specified, the original request is forwarded to the backend unmodified.
Any existing headers are overridden. | Optional | -| **onDeny**
string array | Lists headers from the authorization service forwarded to downstream when the authorization check result is not allowed (HTTP code is other than `200`).
If not specified, all the authorization response headers, except *Authority (Host)*, are included in the response to the downstream.
When a header is included in this list, the following headers are automatically added: *Path*, *Status*, *Content-Length*, *WWWAuthenticate*, and *Location*.
The body from the authorization service is always included in the response to downstream. | Optional | +| **onDeny**
string array | Lists headers from the authorization service forwarded to downstream when the authorization check result is not allowed (HTTP code is other than `200`).
If not specified, all the authorization response headers, except **Authority (Host)**, are included in the response to the downstream.
When a header is included in this list, the following headers are automatically added: **Path**, **Status**, **Content-Length**, **WWWAuthenticate**, and **Location**.
The body from the authorization service is always included in the response to downstream. | Optional | ### ToUpstream From f58a95df74c43f55e695ab68ab36615c8f0fd535 Mon Sep 17 00:00:00 2001 From: Natalia Sitko Date: Mon, 8 Dec 2025 15:58:45 +0100 Subject: [PATCH 19/19] update crd descriptions --- api/v1alpha2/istio_structs.go | 4 ++-- .../operator.kyma-project.io_istios.yaml | 24 +++++++++---------- docs/user/04-00-istio-custom-resource.md | 4 ++-- 3 files changed, 16 insertions(+), 16 deletions(-) diff --git a/api/v1alpha2/istio_structs.go b/api/v1alpha2/istio_structs.go index 7c81871145..93702aca6d 100644 --- a/api/v1alpha2/istio_structs.go +++ b/api/v1alpha2/istio_structs.go 
@@ -136,13 +136,13 @@ type Strategy struct {
 // Defines the configuration for rolling updates. See [Rolling Update Deployment](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#rolling-update-deployment).
 type RollingUpdate struct {
- // Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge).
+ // Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge).
  // +kubebuilder:validation:Optional
  // +kubebuilder:validation:XIntOrString
  // +kubebuilder:validation:Pattern=`^[0-9]+%?$`
  // +kubebuilder:validation:XValidation:rule="(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)",message="must not be negative, more than 2147483647 or an empty string"
  MaxSurge *intstr.IntOrString `json:"maxSurge" protobuf:"bytes,2,opt,name=maxSurge"`
- // Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable)
+ // Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable)
  // +kubebuilder:validation:XIntOrString
  // +kubebuilder:validation:Pattern="^((100|[0-9]{1,2})%|[0-9]+)$"
  // +kubebuilder:validation:XValidation:rule="(type(self) == int ? self >= 0 && self <= 2147483647: self.size() >= 0)",message="must not be negative, more than 2147483647 or an empty string"
diff --git a/config/crd/bases/operator.kyma-project.io_istios.yaml b/config/crd/bases/operator.kyma-project.io_istios.yaml
index d6f066932a..72a543310f 100644
--- a/config/crd/bases/operator.kyma-project.io_istios.yaml
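Review bot: The swapped MaxSurge and MaxUnavailable doc comments now sit on the right fields, but the two new comment lines are still inconsistent with each other: the MaxSurge sentence ends with a period while the MaxUnavailable one does not (`See [Max Unavailable](...)` has no trailing `.`), and because these comments become the CRD descriptions the mismatch is reproduced verbatim in the generated YAML and the reference table. A second asymmetry in the same hunk is that only MaxSurge carries `// +kubebuilder:validation:Optional`; if a package-level default already makes MaxUnavailable optional this is harmless, otherwise the marker should be added so the generated CRD and docs stay in sync. It may also be worth stating the accepted value forms in both comments, e.g. `// Can be an absolute number or a percentage of the desired number of Pods.`, since the two Pattern markers differ (`^[0-9]+%?$` accepts percentages above 100, `^((100|[0-9]{1,2})%|[0-9]+)$` caps percentages at 100) and a reader of the description cannot see that. The RollingUpdate struct continues past the end of the hunk.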
+++ b/config/crd/bases/operator.kyma-project.io_istios.yaml @@ -1104,8 +1104,8 @@ spec: - type: integer - type: string description: Specifies the maximum number of Pods - that can be unavailable during the update process. - See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). + that can be created over the desired number + of Pods. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). pattern: ^[0-9]+%?$ x-kubernetes-int-or-string: true x-kubernetes-validations: @@ -1118,8 +1118,8 @@ spec: - type: integer - type: string description: Specifies the maximum number of Pods - that can be created over the desired number - of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) + that can be unavailable during the update process. + See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ x-kubernetes-int-or-string: true x-kubernetes-validations: @@ -1206,8 +1206,8 @@ spec: - type: integer - type: string description: Specifies the maximum number of Pods - that can be unavailable during the update process. - See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). + that can be created over the desired number + of Pods. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). pattern: ^[0-9]+%?$ x-kubernetes-int-or-string: true x-kubernetes-validations: 
@@ -1220,8 +1220,8 @@ spec: - type: integer - type: string description: Specifies the maximum number of Pods - that can be created over the desired number - of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) + that can be unavailable during the update process. + See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ x-kubernetes-int-or-string: true x-kubernetes-validations: @@ -1310,8 +1310,8 @@ spec: - type: integer - type: string description: Specifies the maximum number of Pods - that can be unavailable during the update process. - See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). + that can be created over the desired number + of Pods. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). pattern: ^[0-9]+%?$ x-kubernetes-int-or-string: true x-kubernetes-validations: @@ -1324,8 +1324,8 @@ spec: - type: integer - type: string description: Specifies the maximum number of Pods - that can be created over the desired number - of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) + that can be unavailable during the update process. + See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) pattern: ^((100|[0-9]{1,2})%|[0-9]+)$ x-kubernetes-int-or-string: true x-kubernetes-validations: diff --git a/docs/user/04-00-istio-custom-resource.md b/docs/user/04-00-istio-custom-resource.md index c75fc663fd..f71c49f939 100644 --- a/docs/user/04-00-istio-custom-resource.md +++ b/docs/user/04-00-istio-custom-resource.md @@ -351,8 +351,8 @@ Appears in: | Field | Description | Validation | | --- | --- | --- | -| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). | Optional
Pattern: `^[0-9]+%?$`
XIntOrString
| -| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) | Optional
Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString
| +| **maxSurge**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be created over the desired number of Pods. See [Max Surge](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-surge). | Optional
Pattern: `^[0-9]+%?$`
XIntOrString
| +| **maxUnavailable**
[IntOrString](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.33/#intorstring-intstr-util) | Specifies the maximum number of Pods that can be unavailable during the update process. See [Max Unavailable](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#max-unavailable) | Optional
Pattern: `^((100\|[0-9]\{1,2\})%\|[0-9]+)$`
XIntOrString
| ### State