mesh/v1alpha1/config.proto (1,431 lines of code) (raw):
// Copyright 2017 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "mesh/v1alpha1/proxy.proto";
import "networking/v1alpha3/destination_rule.proto";
import "networking/v1alpha3/virtual_service.proto";
import "telemetry/v1alpha1/telemetry.proto";
// $title: Global Mesh Options
// $description: Configuration affecting the service mesh as a whole.
// $location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
// $weight: 20
// $mode: package
// Configuration affecting the service mesh as a whole.
package istio.mesh.v1alpha1;
option go_package="istio.io/api/mesh/v1alpha1";
// MeshConfig defines mesh-wide settings for the Istio service mesh.
message MeshConfig {
// Port on which Envoy should listen for all outbound traffic to other services.
// Default port is 15001.
int32 proxy_listen_port = 4;
// Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to.
// Default port is 15006.
int32 proxy_inbound_listen_port = 65;
// Port on which Envoy should listen for HTTP PROXY requests if set.
int32 proxy_http_port = 5;
// Connection timeout used by Envoy. (MUST BE >=1ms)
// Default timeout is 10s.
google.protobuf.Duration connect_timeout = 6;
// $hide_from_docs
// Automatic protocol detection uses a set of heuristics to
// determine whether the connection is using TLS or not (on the
// server side), as well as the application protocol being used
// (e.g., http vs tcp). These heuristics rely on the client sending
// the first bits of data. For server first protocols like MySQL,
// MongoDB, etc. Envoy will timeout on the protocol detection after
// the specified period, defaulting to non mTLS plain TCP
// traffic. Set this field to tweak the period that Envoy will wait
// for the client to send the first bits of data. (MUST BE >=1ms or
// 0s to disable). Default detection timeout is 0s (no timeout).
//
// Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit
// occasionally, and when they occur the result is typically broken traffic that may not
// recover on its own. Exceptionally high values might solve this, but injecting 60s delays
// onto new connections is generally not tenable anyways.
google.protobuf.Duration protocol_detection_timeout = 42;
// If set then set `SO_KEEPALIVE` on the socket to enable TCP Keepalives.
istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive tcp_keepalive = 28;
// Class of ingress resources to be processed by Istio ingress
// controller. This corresponds to the value of
// `kubernetes.io/ingress.class` annotation.
string ingress_class = 7;
// Name of the Kubernetes service used for the istio ingress controller.
// If no ingress controller is specified, the default value `istio-ingressgateway` is used.
string ingress_service = 8;
enum IngressControllerMode {
// Unspecified Istio ingress controller.
UNSPECIFIED = 0;
// Disables Istio ingress controller.
OFF = 1;
// Istio ingress controller will act on ingress resources that do not
// contain any annotation or whose annotations match the value
// specified in the ingressClass parameter described earlier. Use this
// mode if Istio ingress controller will be the default ingress
// controller for the entire Kubernetes cluster.
DEFAULT = 2;
// Istio ingress controller will only act on ingress resources whose
// annotations match the value specified in the ingressClass parameter
// described earlier. Use this mode if Istio ingress controller will be
// a secondary ingress controller (e.g., in addition to a
// cloud-provided ingress controller).
STRICT = 3;
}
// Defines whether to use Istio ingress controller for annotated or all ingress resources.
// Default mode is `STRICT`.
IngressControllerMode ingress_controller_mode = 9;
// Defines which gateway deployment to use as the Ingress controller. This field corresponds to
// the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`.
// By default, `ingressgateway` is used, which will select the default IngressGateway as it has the
// `istio: ingressgateway` labels.
// It is recommended that this is the same value as ingressService.
string ingress_selector = 52;
// $hide_from_docs
enum AuthPolicy {
NONE = 0;
MUTUAL_TLS = 1;
}
// Flag to control generation of trace spans and request IDs.
// Requires a trace span collector defined in the proxy configuration.
bool enable_tracing = 12;
// File address for the proxy access log (e.g. /dev/stdout).
// Empty value disables access logging.
string access_log_file = 13;
// Format for the proxy access log
// Empty value results in proxy's default access log format
string access_log_format = 24;
enum AccessLogEncoding {
// text encoding for the proxy access log
TEXT = 0;
// json encoding for the proxy access log
JSON = 1;
}
// Encoding for the proxy access log (`TEXT` or `JSON`).
// Default value is `TEXT`.
AccessLogEncoding access_log_encoding = 27;
// This flag enables Envoy's gRPC Access Log Service.
// See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto)
// for details about Envoy's gRPC Access Log Service API.
// Default value is `false`.
bool enable_envoy_access_log_service = 40;
// This flag disables Envoy Listener logs.
// See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log)
// Istio Enables Envoy's listener access logs on "NoRoute" response flag.
// Default value is `false`.
bool disable_envoy_listener_log = 56;
// Default proxy config used by gateway and sidecars.
// In case of Kubernetes, the proxy config is applied once during the injection process,
// and remain constant for the duration of the pod. The rest of the mesh config can be changed
// at runtime and config gets distributed dynamically.
// On Kubernetes, this can be overridden on individual pods with the `proxy.istio.io/config` annotation.
ProxyConfig default_config = 14;
// `OutboundTrafficPolicy` sets the default behavior of the sidecar for
// handling unknown outbound traffic from the application.
message OutboundTrafficPolicy {
enum Mode {
// In `REGISTRY_ONLY` mode, unknown outbound traffic will be dropped.
// Traffic destinations must be explicitly declared into the service registry through `ServiceEntry` configurations.
//
// Note: Istio [does not offer an outbound traffic security policy](https://istio.io/latest/docs/ops/best-practices/security/#understand-traffic-capture-limitations).
// This option does not act as one, or as any form of an outbound firewall.
// Instead, this option exists primarily to offer users a way to detect missing `ServiceEntry` configurations by explicitly failing.
REGISTRY_ONLY = 0;
// In `ALLOW_ANY` mode, any traffic to unknown destinations will be allowed.
// Unknown destination traffic will have limited functionality, however, such as reduced observability.
// This mode allows users that do not have all possible egress destinations registered through `ServiceEntry` configurations to still connect
// to arbitrary destinations.
ALLOW_ANY = 1;
reserved 2;
reserved "VIRTUAL_SERVICE_ONLY";
}
Mode mode = 1;
}
// Set the default behavior of the sidecar for handling outbound
// traffic from the application.
//
// Can be overridden at a Sidecar level by setting the `OutboundTrafficPolicy` in the
// [Sidecar API](https://istio.io/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy).
//
// Default mode is `ALLOW_ANY`, which means outbound traffic to unknown destinations will be allowed.
OutboundTrafficPolicy outbound_traffic_policy = 17;
message InboundTrafficPolicy {
enum Mode {
// inbound traffic will be passed through to the destination listening
// on Pod IP. This matches the behavior without Istio enabled at all
// allowing proxy to be transparent.
PASSTHROUGH = 0;
// inbound traffic will be sent to the destinations listening on localhost.
LOCALHOST = 1;
}
Mode mode = 1;
}
// Set the default behavior of the sidecar for handling inbound
// traffic to the application. If your application listens on
// localhost, you will need to set this to `LOCALHOST`.
InboundTrafficPolicy inbound_traffic_policy = 66;
// ConfigSource describes a source of configuration data for networking
// rules, and other Istio configuration artifacts. Multiple data sources
// can be configured for a single control plane.
repeated ConfigSource config_sources = 22;
// This flag is used to enable mutual `TLS` automatically for service to service communication
// within the mesh, default true.
// If set to true, and a given service does not have a corresponding `DestinationRule` configured,
// or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side
// TLS configuration appropriately. More specifically,
// If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate
// for mutual `TLS` to connect to upstream.
// If upstream service is in plain text mode, use plain text.
// If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
// mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic.
// If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead.
google.protobuf.BoolValue enable_auto_mtls = 43;
// The trust domain corresponds to the trust root of a system.
// Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain)
string trust_domain = 26;
// The trust domain aliases represent the aliases of `trustDomain`.
// For example, if we have
// ```yaml
// trustDomain: td1
// trustDomainAliases: ["td2", "td3"]
// ```
// Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`,
// or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh.
repeated string trust_domain_aliases = 46;
message CertificateData {
oneof certificate_data {
// The PEM data of the certificate.
string pem = 1;
// The SPIFFE bundle endpoint URL that complies to:
// https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle
// The endpoint should support authentication based on Web PKI:
// https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki
// The certificate is retrieved from the endpoint.
string spiffe_bundle_url = 2;
}
// Optional. Specify the kubernetes signers (External CA) that use this trustAnchor
// when Istiod is acting as RA(registration authority)
// If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.
repeated string cert_signers = 3;
// Optional. Specify the list of trust domains to which this trustAnchor data belongs.
// If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain
// and its aliases.
// Note that we can have multiple trustAnchor data for a same trustDomain.
// In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates.
// If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers.
// If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers.
// If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains.
// If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.
repeated string trust_domains = 4;
}
// The extra root certificates for workload-to-workload communication.
// The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret)
// are automatically added by Istiod.
// The CA certificate that signs the workload certificates is automatically added by Istio Agent.
repeated CertificateData ca_certificates = 58;
// The default value for the ServiceEntry.exportTo field and services
// imported through container registry integrations, e.g. this applies to
// Kubernetes Service resources. The value is a list of namespace names and
// reserved namespace aliases. The allowed namespace aliases are:
// ```
// * - All Namespaces
// . - Current Namespace
// ~ - No Namespace
// ```
// If not set the system will use "*" as the default value which implies that
// services are exported to all namespaces.
//
// `All namespaces` is a reasonable default for implementations that don't
// need to restrict access or visibility of services across namespace
// boundaries. If that requirement is present it is generally good practice to
// make the default `Current namespace` so that services are only visible
// within their own namespaces by default. Operators can then expand the
// visibility of services to other namespaces as needed. Use of `No Namespace`
// is expected to be rare but can have utility for deployments where
// dependency management needs to be precise even within the scope of a single
// namespace.
//
// For further discussion see the reference documentation for `ServiceEntry`,
// `Sidecar`, and `Gateway`.
repeated string default_service_export_to = 31;
// The default value for the VirtualService.exportTo field. Has the same
// syntax as `defaultServiceExportTo`.
//
// If not set the system will use "*" as the default value which implies that
// virtual services are exported to all namespaces
repeated string default_virtual_service_export_to = 32;
// The default value for the `DestinationRule.exportTo` field. Has the same
// syntax as `defaultServiceExportTo`.
//
// If not set the system will use "*" as the default value which implies that
// destination rules are exported to all namespaces
repeated string default_destination_rule_export_to = 33;
// The namespace to treat as the administrative root namespace for
// Istio configuration. When processing a leaf namespace Istio will search for
// declarations in that namespace first and if none are found it will
// search in the root namespace. Any matching declaration found in the root
// namespace is processed as if it were declared in the leaf namespace.
//
// The precise semantics of this processing are documented on each resource
// type.
string root_namespace = 34;
// Locality based load balancing distribution or failover settings.
// If unspecified, locality based load balancing will be enabled by default.
// However, this requires outlierDetection to actually take effect for a particular
// service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/
istio.networking.v1alpha3.LocalityLoadBalancerSetting locality_lb_setting = 35;
// Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS`
// Default refresh rate is `60s`.
google.protobuf.Duration dns_refresh_rate = 36;
// Default Policy for upgrading http1.1 connections to http2.
enum H2UpgradePolicy {
// Do not upgrade connections to http2.
DO_NOT_UPGRADE = 0;
// Upgrade the connections to http2.
UPGRADE = 1;
}
// Specify if http1.1 connections should be upgraded to http2 by default.
// if sidecar is installed on all pods in the mesh, then this should be set to `UPGRADE`.
// If one or more services or namespaces do not have sidecar(s), then this should be set to `DO_NOT_UPGRADE`.
// It can be enabled by destination using the `destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy` override.
H2UpgradePolicy h2_upgrade_policy = 41;
// Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
// network filters like TCP and Redis.
// By default, Istio emits statistics with the pattern `inbound|<port>|<port-name>|<service-FQDN>`.
// For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern.
//
// A Pattern can be composed of various pre-defined variables. The following variables are supported.
//
// - `%SERVICE%` - Will be substituted with short hostname of the service.
// - `%SERVICE_NAME%` - Will be substituted with name of the service.
// - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service.
// - `%SERVICE_PORT%` - Will be substituted with port of the service.
// - `%TARGET_PORT%` - Will be substituted with the target port of the service.
// - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service.
//
// Following are some examples of supported patterns for reviews:
//
// - `%SERVICE_FQDN%_%SERVICE_PORT%` will use reviews.prod.svc.cluster.local_7443 as the stats name.
// - `%SERVICE%` will use reviews.prod as the stats name.
string inbound_cluster_stat_name = 44;
// Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
// network filters like TCP and Redis.
// By default, Istio emits statistics with the pattern `outbound|<port>|<subsetname>|<service-FQDN>`.
// For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern.
//
// A Pattern can be composed of various pre-defined variables. The following variables are supported.
//
// - `%SERVICE%` - Will be substituted with short hostname of the service.
// - `%SERVICE_NAME%` - Will be substituted with name of the service.
// - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service.
// - `%SERVICE_PORT%` - Will be substituted with port of the service.
// - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service.
// - `%SUBSET_NAME%` - Will be substituted with subset.
//
// Following are some examples of supported patterns for reviews:
//
// - `%SERVICE_FQDN%_%SERVICE_PORT%` will use `reviews.prod.svc.cluster.local_7443` as the stats name.
// - `%SERVICE%` will use reviews.prod as the stats name.
string outbound_cluster_stat_name = 45;
// $hide_from_docs
// Configure the provision of certificates.
//
// Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates.
repeated Certificate certificates = 47 [deprecated=true];
reserved 49;
reserved "thrift_config";
// $hide_from_docs
// Settings to be applied to select services.
//
// For example, the following configures all services in namespace "foo" as well as the
// "bar" service in namespace "baz" to be considered cluster-local:
//
// ```yaml
// serviceSettings:
// - settings:
// clusterLocal: true
// hosts:
// - "*.foo.svc.cluster.local"
// - "bar.baz.svc.cluster.local"
// ```
message ServiceSettings {
// Settings for the selected services.
message Settings {
// If true, specifies that the client and service endpoints must reside in the same cluster.
// By default, in multi-cluster deployments, the Istio control plane assumes all service
// endpoints to be reachable from any client in any of the clusters which are part of the
// mesh. This configuration option limits the set of service endpoints visible to a client
// to be cluster scoped.
//
// There are some common scenarios when this can be useful:
//
// - A service (or group of services) is inherently local to the cluster and has local storage
// for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
// - A mesh administrator wants to slowly migrate services to Istio. They might start by first
// having services cluster-local and then slowly transition them to mesh-wide. They could do
// this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
// (e.g. *.myns.svc.cluster.local).
//
// By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all
// services in the kube-system namespace to be cluster-local, unless explicitly overridden here.
bool cluster_local = 1;
}
// The settings to apply to the selected services.
Settings settings = 1;
// The services to which the Settings should be applied. Services are selected using the hostname
// matching rules used by DestinationRule.
//
// For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local
repeated string hosts = 2;
}
// $hide_from_docs
// Settings to be applied to select services.
repeated ServiceSettings service_settings = 50;
// If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
// and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod
// and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
// This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and
// `prometheus.io/path` annotations.
// If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
// In this case, it is recommended to disable aggregation on that deployment with the
// `prometheus.istio.io/merge-metrics: "false"` annotation.
// If not specified, this will be enabled by default.
google.protobuf.BoolValue enable_prometheus_merge = 51;
// $hide_from_docs
// `VerifyCertificateAtClient` sets the mesh global default for peer certificate validation
// at the client-side proxy when `SIMPLE` TLS or `MUTUAL` TLS (non `ISTIO_MUTUAL`) origination
// modes are used. This setting can be overridden at the host level via DestinationRule API.
// By default, `VerifyCertificateAtClient` is `true`.
//
// `CaCertificates`: If set, proxy verifies CA signature based on given CaCertificates. If unset,
// and VerifyCertificateAtClient is true, proxy uses default System CA bundle. If unset and
// `VerifyCertificateAtClient` is false, proxy will not verify the CA.
//
// `SubjectAltNames`: If set, proxy verifies subject alt names are present in the SAN. If unset,
// and `VerifyCertificateAtClient` is true, proxy uses host in destination rule to verify the SANs.
// If unset, and `VerifyCertificateAtClient` is false, proxy does not verify SANs.
//
// For SAN, client-side proxy will exact match host in `DestinationRule` as well as one level
// wildcard if the specified host in DestinationRule doesn't contain a wildcard.
// For example, if the host in `DestinationRule` is `x.y.com`, client-side proxy will
// match either `x.y.com` or `*.y.com` for the SAN in the presented server certificate.
// For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example,
// if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches
// ``.x.y.com` suffix.
google.protobuf.BoolValue verify_certificate_at_client = 54 [deprecated=true];
message CA {
// REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
// Can be IP address or a fully qualified DNS name with port
// Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000
string address = 1;
// Use the tlsSettings to specify the tls mode to use.
// Regarding tlsSettings:
// - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar.
// DISABLE MODE can also be used for testing
// - TLS MUTUAL MODE be on by default. If the CA certificates
// (cert bundle to verify the CA server's certificate) is omitted, Istiod will
// use the system root certs to verify the CA server's certificate.
istio.networking.v1alpha3.ClientTLSSettings tls_settings = 2;
// timeout for forward CSR requests from Istiod to External CA
// Default: 10s
google.protobuf.Duration request_timeout = 3;
// Use istiodSide to specify CA Server integrate to Istiod side or Agent side
// Default: true
bool istiod_side = 4;
}
// $hide_from_docs
// If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA
// using the Istio CA gRPC API.
CA ca = 55;
message ExtensionProvider {
// REQUIRED. A unique name identifying the extension provider.
string name = 1;
// REQUIRED. Specifies detailed configuration for the extension provider.
oneof provider {
// Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.
EnvoyExternalAuthorizationHttpProvider envoy_ext_authz_http = 2;
// Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.
EnvoyExternalAuthorizationGrpcProvider envoy_ext_authz_grpc = 3;
// Configures a tracing provider that uses the Zipkin API.
ZipkinTracingProvider zipkin = 4;
// $hide_from_docs
// Configures a Lightstep tracing provider.
// Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027
LightstepTracingProvider lightstep = 5 [deprecated=true];
// Configures a Datadog tracing provider.
DatadogTracingProvider datadog = 6;
// Configures a Stackdriver provider.
StackdriverProvider stackdriver = 7;
// $hide_from_docs
// Configures an OpenCensusAgent tracing provider.
// Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/
OpenCensusAgentTracingProvider opencensus = 8 [deprecated=true];
// Configures a Apache SkyWalking provider.
SkyWalkingTracingProvider skywalking = 9;
// Configures an OpenTelemetry tracing provider.
OpenTelemetryTracingProvider opentelemetry = 15;
// Configures a Prometheus metrics provider.
PrometheusMetricsProvider prometheus = 10;
// Configures an Envoy File Access Log provider.
EnvoyFileAccessLogProvider envoy_file_access_log = 11;
// Configures an Envoy Access Logging Service provider for HTTP traffic.
EnvoyHttpGrpcV3LogProvider envoy_http_als = 12;
// Configures an Envoy Access Logging Service provider for TCP traffic.
EnvoyTcpGrpcV3LogProvider envoy_tcp_als = 13;
// Configures an Envoy Open Telemetry Access Logging Service provider.
EnvoyOpenTelemetryLogProvider envoy_otel_als = 14;
// Configures aggregate provider
AggregateProvider aggregate = 999;
// $hide_from_docs
// next id: 16
}
message EnvoyExternalAuthorizationRequestBody {
// Sets the maximum size of a message body that the ext-authz filter will hold in memory.
// If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large).
// Otherwise the request will be sent to the provider with a partial message.
// Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the
// failOpen is set to true.
uint32 max_request_bytes = 1;
// When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached.
// The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
// A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message
// indicating if the body data is partial.
bool allow_partial_message = 2;
// If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
// in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
// Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
// This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.
bool pack_as_bytes = 3;
}
message EnvoyExternalAuthorizationHttpProvider {
// REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service.
// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
// service defined by the Kubernetes service or ServiceEntry.
//
// Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".
string service = 1;
// REQUIRED. Specifies the port of the service.
uint32 port = 2;
// The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
// When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
// In this situation, the response sent back to the client will depend on the configured `failOpen` field.
google.protobuf.Duration timeout = 9;
// Sets a prefix to the value of authorization request header *Path*.
// For example, setting this to "/check" for an original user request at path "/admin" will cause the
// authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin".
string path_prefix = 3;
// If true, the user request will be allowed even if the communication with the authorization service has failed,
// or if the authorization service has returned a HTTP 5xx error.
// Default is false and the request will be rejected with "Forbidden" response.
bool fail_open = 4;
// Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
// The default status is "403" (HTTP Forbidden).
string status_on_error = 5;
// DEPRECATED. Use includeRequestHeadersInCheck instead.
repeated string include_headers_in_check = 6 [deprecated=true];
// List of client request headers that should be included in the authorization request sent to the authorization service.
// Note that in addition to the headers specified here following headers are included by default:
// 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent.
// 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization
// request can include the buffered client request body (controlled by includeRequestBodyInCheck setting),
// consequently the value of Content-Length of the authorization request reflects the size of its payload size.
//
// Exact, prefix and suffix matches are supported (similar to the
// [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
// except the presence match):
// - Exact match: "abc" will match on value "abc".
// - Prefix match: "abc*" will match on value "abc" and "abcd".
// - Suffix match: "*abc" will match on value "abc" and "xabc".
repeated string include_request_headers_in_check = 10;
// Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
// Key is the header name and value is the header value.
// Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden.
map<string, string> include_additional_headers_in_check = 11;
// If set, the client request body will be included in the authorization request sent to the authorization service.
EnvoyExternalAuthorizationRequestBody include_request_body_in_check = 12;
// List of headers from the authorization service that should be added or overridden in the original request and
// forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
// If not specified, the original request will not be modified and forwarded to backend as-is.
// Note, any existing headers will be overridden.
//
// Exact, prefix and suffix matches are supported (similar to the
// [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
// except the presence match):
// - Exact match: "abc" will match on value "abc".
// - Prefix match: "abc*" will match on value "abc" and "abcd".
// - Suffix match: "*abc" will match on value "abc" and "xabc".
repeated string headers_to_upstream_on_allow = 7;
// List of headers from the authorization service that should be forwarded to downstream when the authorization
// check result is not allowed (HTTP code other than 200).
// If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to
// the downstream.
// When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are
// automatically added.
// Note, the body from the authorization service is always included in the response to downstream.
//
// Exact, prefix and suffix matches are supported (similar to the
// [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
// except the presence match):
// - Exact match: "abc" will match on value "abc".
// - Prefix match: "abc*" will match on value "abc" and "abcd".
// - Suffix match: "*abc" will match on value "abc" and "xabc".
repeated string headers_to_downstream_on_deny = 8;
// List of headers from the authorization service that should be forwarded to downstream when the authorization
// check result is allowed (HTTP code 200).
// If not specified, the original response will not be modified and forwarded to downstream as-is.
// Note, any existing headers will be overridden.
//
// Exact, prefix and suffix matches are supported (similar to the
// [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
// except the presence match):
// - Exact match: "abc" will match on value "abc".
// - Prefix match: "abc*" will match on value "abc" and "abcd".
// - Suffix match: "*abc" will match on value "abc" and "xabc".
repeated string headers_to_downstream_on_allow = 13;
// $hide_from_docs
// Next available field number: 14
}
message EnvoyExternalAuthorizationGrpcProvider {
// REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service.
// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
// service defined by the Kubernetes service or ServiceEntry.
//
// Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".
string service = 1;
// REQUIRED. Specifies the port of the service.
uint32 port = 2;
// The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
// When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
// In this situation, the response sent back to the client will depend on the configured `failOpen` field.
google.protobuf.Duration timeout = 5;
// If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
// or if the authorization service has returned a HTTP 5xx error.
// Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.
bool fail_open = 3;
// Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
// The default status is "403" (HTTP Forbidden).
string status_on_error = 4;
// If set, the client request body will be included in the authorization request sent to the authorization service.
EnvoyExternalAuthorizationRequestBody include_request_body_in_check = 6;
// $hide_from_docs
// Next available field number: 7
}
// Defines configuration for a Zipkin tracer.
message ZipkinTracingProvider {
// REQUIRED. Specifies the service that the Zipkin API.
// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
// service defined by the Kubernetes service or ServiceEntry.
//
// Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com".
string service = 1;
// REQUIRED. Specifies the port of the service.
uint32 port = 2;
// Optional. Controls the overall path length allowed in a reported span.
// NOTE: currently only controls max length of the path tag.
uint32 max_tag_length = 3;
// Optional. A 128 bit trace id will be used in Istio.
// If true, will result in a 64 bit trace id being used.
bool enable_64bit_trace_id = 4;
// Optional. Specifies the endpoint of Zipkin API.
// The default value is "/api/v2/spans".
string path = 5;
}
// Defines configuration for a Lightstep tracer.
// Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+
// will generate OpenTelemetry-compatible configuration when using this option.
message LightstepTracingProvider {
// REQUIRED. Specifies the service for the Lightstep collector.
// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
// service defined by the Kubernetes service or ServiceEntry.
//
// Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com".
string service = 1;
// REQUIRED. Specifies the port of the service.
uint32 port = 2;
// The Lightstep access token.
string access_token = 3;
// Optional. Controls the overall path length allowed in a reported span.
// NOTE: currently only controls max length of the path tag.
uint32 max_tag_length = 4;
}
// Defines configuration for a Datadog tracer.
message DatadogTracingProvider {
// REQUIRED. Specifies the service for the Datadog agent.
// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
// service defined by the Kubernetes service or ServiceEntry.
//
// Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com".
string service = 1;
// REQUIRED. Specifies the port of the service.
uint32 port = 2;
// Optional. Controls the overall path length allowed in a reported span.
// NOTE: currently only controls max length of the path tag.
uint32 max_tag_length = 3;
}
// Defines configuration for a SkyWalking tracer.
message SkyWalkingTracingProvider {
// REQUIRED. Specifies the service for the SkyWalking receiver.
// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
// service defined by the Kubernetes service or ServiceEntry.
//
// Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com".
string service = 1;
// REQUIRED. Specifies the port of the service.
uint32 port = 2;
// Optional. The SkyWalking OAP access token.
string access_token = 3;
}
// Defines configuration for Stackdriver.
//
// WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
// alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus
// driver in Envoy.
message StackdriverProvider {
// debug enables trace output to stdout.
// $hide_from_docs
bool debug = 1 [deprecated=true];
// The global default max number of attributes per span.
// default is 200.
// $hide_from_docs
google.protobuf.Int64Value max_number_of_attributes = 2 [deprecated=true];
// The global default max number of annotation events per span.
// default is 200.
// $hide_from_docs
google.protobuf.Int64Value max_number_of_annotations = 3 [deprecated=true];
// The global default max number of message events per span.
// default is 200.
// $hide_from_docs
google.protobuf.Int64Value max_number_of_message_events = 4 [deprecated=true];
// Optional. Controls the overall path length allowed in a reported span.
// NOTE: currently only controls max length of the path tag.
uint32 max_tag_length = 5;
message Logging {
// Collection of tag names and tag expressions to include in the log
// entry. Conflicts are resolved by the tag name by overriding previously
// supplied values.
//
// Example:
// labels:
// path: request.url_path
// foo: request.headers['x-foo']
map<string, string> labels = 1;
}
// Optional. Controls Stackdriver logging behavior.
Logging logging = 6;
}
// Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.
//
// WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of
// OpenCensus providers CANNOT be changed during the course of proxy's lifetime due to a limitation
// in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration
// may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider
// configuration MUST be accompanied by a restart of all proxies that will use that configuration.
//
// NOTE: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
// alongside OpenCensus provider configuration.
message OpenCensusAgentTracingProvider {
// REQUIRED. Specifies the service for the OpenCensusAgent.
// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
// service defined by the Kubernetes service or ServiceEntry.
//
// Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com".
string service = 1;
// REQUIRED. Specifies the port of the service.
uint32 port = 2;
// TraceContext selects the context propagation headers used for
// distributed tracing.
enum TraceContext {
// $hide_from_docs
// Unspecified context. Should not be used for now, but added to reserve
// the 0 enum value if TraceContext is used outside of a repeated field.
UNSPECIFIED = 0;
// Use W3C Trace Context propagation using the `traceparent` HTTP header.
// See the
// [Trace Context documentation](https://www.w3.org/TR/trace-context/) for details.
W3C_TRACE_CONTEXT = 1;
// Use gRPC binary context propagation using the `grpc-trace-bin` http header.
GRPC_BIN = 2;
// Use Cloud Trace context propagation using the
// `X-Cloud-Trace-Context` http header.
CLOUD_TRACE_CONTEXT = 3;
// Use multi-header B3 context propagation using the `X-B3-TraceId`,
// `X-B3-SpanId`, and `X-B3-Sampled` HTTP headers. See
// [B3 header propagation README](https://github.com/openzipkin/b3-propagation)
// for details.
B3 = 4;
}
// Specifies the set of context propagation headers used for distributed
// tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified,
// the proxy will attempt to read each header for each request and will
// write all headers.
repeated TraceContext context = 3;
// Optional. Controls the overall path length allowed in a reported span.
// NOTE: currently only controls max length of the path tag.
uint32 max_tag_length = 4;
}
message PrometheusMetricsProvider {}
// Defines configuration for Envoy-based access logging that writes to
// local files (and/or standard streams).
message EnvoyFileAccessLogProvider {
// Path to a local file to write the access log entries.
// This may be used to write to streams, via `/dev/stderr` and `/dev/stdout`
// If unspecified, defaults to `/dev/stdout`.
string path = 1;
message LogFormat {
oneof log_format {
// Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
// used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
// provides more information.
//
// NOTE: Istio will insert a newline ('\n') on all formats (if missing).
//
// Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
string text = 1;
// JSON structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
// can be used as values for fields within the Struct. Values are rendered
// as strings, numbers, or boolean values, as appropriate
// (see: [format dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is
// supported for some command operators (e.g. `FILTER_STATE` or `DYNAMIC_METADATA`).
// Use `labels: {}` for default envoy JSON log format.
//
// Example:
// ```
// labels:
// status: "%RESPONSE_CODE%"
// message: "%LOCAL_REPLY_BODY%"
// ```
google.protobuf.Struct labels = 2;
}
}
// Optional. Allows overriding of the default access log format.
LogFormat log_format = 2;
}
// Defines configuration for an Envoy [Access Logging Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als)
// integration for HTTP traffic.
message EnvoyHttpGrpcV3LogProvider {
// REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
// service defined by the Kubernetes service or ServiceEntry.
//
// Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
string service = 1;
// REQUIRED. Specifies the port of the service.
uint32 port = 2;
// Optional. The friendly name of the access log.
// Defaults:
// - "http_envoy_accesslog"
// - "listener_envoy_accesslog"
string log_name = 3;
// Optional. Additional filter state objects to log.
repeated string filter_state_objects_to_log = 4;
// Optional. Additional request headers to log.
repeated string additional_request_headers_to_log = 5;
// Optional. Additional response headers to log.
repeated string additional_response_headers_to_log = 6;
// Optional. Additional response trailers to log.
repeated string additional_response_trailers_to_log = 7;
}
// Defines configuration for an Envoy [Access Logging Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als)
// integration for TCP traffic.
message EnvoyTcpGrpcV3LogProvider {
// REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
// service defined by the Kubernetes service or ServiceEntry.
//
// Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
string service = 1;
// REQUIRED. Specifies the port of the service.
uint32 port = 2;
// Optional. The friendly name of the access log.
// Defaults:
// - "tcp_envoy_accesslog"
// - "listener_envoy_accesslog"
string log_name = 3;
// Optional. Additional filter state objects to log.
repeated string filter_state_objects_to_log = 4;
}
// Defines configuration for an Envoy [OpenTelemetry (gRPC) Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
message EnvoyOpenTelemetryLogProvider {
// REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
// service defined by the Kubernetes service or ServiceEntry.
//
// Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
string service = 1;
// REQUIRED. Specifies the port of the service.
uint32 port = 2;
// Optional. The friendly name of the access log.
// Defaults:
// - "otel_envoy_accesslog"
string log_name = 3;
// Optional. Format for the proxy access log
// Empty value results in proxy's default access log format, following Envoy access logging formatting.
LogFormat log_format = 4;
message LogFormat {
// Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
// used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
// provides more information.
// Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
// Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
string text = 1;
// Optional. Additional attributes that describe the specific event occurrence.
// Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
// can be used as values for fields within the Struct. Values are rendered
// as strings, numbers, or boolean values, as appropriate
// (see: [format dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is
// supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
// Alias to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
//
// Example:
// ```
// labels:
// status: "%RESPONSE_CODE%"
// message: "%LOCAL_REPLY_BODY%"
// ```
google.protobuf.Struct labels = 2;
}
}
// Defines configuration for an OpenTelemetry tracing backend. Istio 1.16.1 or higher is needed.
message OpenTelemetryTracingProvider {
// REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces.
// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
// service defined by the Kubernetes service or ServiceEntry.
//
// Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com".
string service = 1;
// REQUIRED. Specifies the port of the service.
uint32 port = 2;
// Optional. Controls the overall path length allowed in a reported span.
// NOTE: currently only controls max length of the path tag.
uint32 max_tag_length = 3;
// Optional. Specifies the configuration for exporting OTLP traces via HTTP.
// When empty, traces will be exported via gRPC.
//
// The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP:
//
// 1. Add/change the OpenTelemetry extension provider in `MeshConfig`
// ```yaml
// - name: otel-tracing
// opentelemetry:
// port: 443
// service: my.olly-backend.com
// http:
// path: "/api/otlp/traces"
// timeout: 10s
// headers:
// - name: "my-custom-header"
// value: "some value"
// ```
//
// 2. Deploy a `ServiceEntry` for the observability back-end
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
// metadata:
// name: my-olly-backend
// spec:
// hosts:
// - my.olly-backend.com
// ports:
// - number: 443
// name: https-port
// protocol: HTTPS
// resolution: DNS
// location: MESH_EXTERNAL
// ---
// apiVersion: networking.istio.io/v1alpha3
// kind: DestinationRule
// metadata:
// name: my-olly-backend
// spec:
// host: my.olly-backend.com
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 443
// tls:
// mode: SIMPLE
// ```
HttpService http = 4;
// Optional. Specifies the configuration for exporting OTLP traces via GRPC.
// When empty, traces will check whether HTTP is set.
// If not, traces will use default GRPC configurations.
//
// The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC:
//
// 1. Add/change the OpenTelemetry extension provider in `MeshConfig`
// ```yaml
// - name: opentelemetry
// opentelemetry:
// port: 8090
// service: tracing.example.com
// grpc:
// timeout: 10s
// initialMetadata:
// - name: "Authentication"
// value: "token-xxxxx"
// ```
//
// 2. Deploy a `ServiceEntry` for the observability back-end
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: ServiceEntry
// metadata:
// name: tracing-grpc
// spec:
// hosts:
// - tracing.example.com
// ports:
// - number: 8090
// name: grpc-port
// protocol: GRPC
// resolution: DNS
// location: MESH_EXTERNAL
// ```
GrpcService grpc = 7;
// Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/)
// to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged
// according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge).
//
// The following example shows how to configure the Environment Resource Detector, that will
// read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`:
//
// ```yaml
// - name: otel-tracing
// opentelemetry:
// port: 443
// service: my.olly-backend.com
// resourceDetectors:
// environment: {}
// ```
ResourceDetectors resource_detectors = 5;
// Optional. Configure a [Sampler](https://opentelemetry.io/docs/specs/otel/trace/sdk/#sampler)
// to be used by the OpenTelemetry Tracer.
oneof sampling {
// The Dynatrace adaptive traffic management (ATM) sampler.
//
// Example configuration:
//
// ```yaml
// - name: otel-tracing
// opentelemetry:
// port: 443
// service: "{your-environment-id}.live.dynatrace.com"
// http:
// path: "/api/v2/otlp/v1/traces"
// timeout: 10s
// headers:
// - name: "Authorization"
// value: "Api-Token dt0c01."
// resourceDetectors:
// dynatrace: {}
// dynatraceSampler:
// tenant: "{your-environment-id}"
// clusterId: 1234
DynatraceSampler dynatrace_sampler = 6;
}
message DynatraceSampler {
// REQUIRED. The Dynatrace customer's tenant identifier.
//
// The value can be obtained from the Istio deployment page in Dynatrace.
string tenant = 1;
// REQUIRED. The identifier of the cluster in the Dynatrace platform.
// The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy.
//
// The value can be obtained from the Istio deployment page in Dynatrace.
int32 cluster_id = 2;
// Optional. Number of sampled spans per minute to be used
// when the adaptive value cannot be obtained from the Dynatrace API.
//
// A default value of `1000` is used when:
//
// - `rootSpansPerMinute` is unset
// - `rootSpansPerMinute` is set to 0
uint32 root_spans_per_minute = 3;
// Optional. Dynatrace HTTP API to obtain sampling configuration.
//
// When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter
// (`service`, `port` and `http`), including the access token.
DynatraceApi http_service = 4;
message DynatraceApi {
// REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration.
// The format is `<Hostname>`, where `<Hostname>` is the fully qualified Dynatrace environment
// host name defined in the ServiceEntry.
//
// Example: "{your-environment-id}.live.dynatrace.com".
string service = 1;
// REQUIRED. Specifies the port of the service.
uint32 port = 2;
// REQUIRED. Specifies sampling configuration URI.
HttpService http = 3;
}
}
}
// Defines configuration for an HTTP service that can be used by an Extension Provider.
// that does communication via HTTP.
message HttpService {
// REQUIRED. Specifies the path on the service.
string path = 1;
// Optional. Specifies the timeout for the HTTP request.
// If not specified, the default is 3s.
google.protobuf.Duration timeout = 2;
// Optional. Allows specifying custom HTTP headers that will be added
// to each HTTP request sent.
repeated HttpHeader headers = 3;
}
message HttpHeader {
// REQUIRED. The HTTP header name.
string name = 1;
// REQUIRED. The HTTP header value.
string value = 2;
}
message ResourceDetectors {
EnvironmentResourceDetector environment = 1;
DynatraceResourceDetector dynatrace = 2;
// OpenTelemetry Environment Resource Detector.
// The resource detector reads attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`
// and adds them to the OpenTelemetry resource.
//
// See: [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable)
message EnvironmentResourceDetector { }
// Dynatrace Resource Detector.
// The resource detector reads from the Dynatrace enrichment files
// and adds host/process related attributes to the OpenTelemetry resource.
//
// See: [Enrich ingested data with Dynatrace-specific dimensions](https://docs.dynatrace.com/docs/shortlink/enrichment-files)
message DynatraceResourceDetector { }
}
// Defines configuration for an GRPC service that can be used by an Extension Provider.
// that does communication via GRPC.
message GrpcService {
// Optional. Specifies the timeout for the GRPC request.
google.protobuf.Duration timeout = 1;
// Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for
// scenarios in which additional ad hoc authorization headers (e.g. “x-foo-bar: baz-key“) are to
// be injected.
repeated HttpHeader initial_metadata = 2;
}
// The following example configures zipkin-intranet provider for cluster-a, and cluster-c
// opentelemetry provider for cluster-b, zipkin provider for the rest.
// ```yaml
// aggregate:
// defaultProvider:
// name: zipkin
// uniqueProviders:
// - provider:
// name: zipkin-intranet
// clusters:
// - id: cluster-a
// - id: cluster-c
// - provider:
// name: opentelemetry
// clusters:
// - id: cluster-b
// - id: cluster-c
// ```
//
// NOTE: If a cluster refered different providers, the first provider refered will be used.
message AggregateProvider {
// REQUIRED. The default provider to use when no unique provider is matched.
istio.telemetry.v1alpha1.ProviderRef default_provider = 1;
// Optional. List of unique providers that override the default provider.
repeated UniqueProviderRef unique_providers = 2;
message UniqueProviderRef {
// REQUIRED. The unique provider to use when a proxy is matched.
istio.telemetry.v1alpha1.ProviderRef provider = 1;
// Optional. List of clusters that will use the provider.
repeated ClusterRef clusters = 2;
// TODO: maybe namespace and workload scope selector
// repeated string namespaces = 3;
// istio.type.v1beta1.WorkloadSelector selector = 4;
}
message ClusterRef {
// REQUIRE. Id of the cluster, will be used as proxy selector.
string id = 1;
// Optional. Name of the cluster, won't be used as selector currently, just for more readability.
string name = 2;
// Optional. Region of the cluster, won't be used as selector currently, just for more readability.
string region = 3;
}
}
}
// Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy
// can be used with an extension provider to delegate the authorization decision to a custom authorization system.
repeated ExtensionProvider extension_providers = 57;
// Holds the name references to the providers that will be used by default
// in other Istio configuration resources if the provider is not specified.
//
// These names must match a provider defined in `extensionProviders` that is
// one of the supported tracing providers.
message DefaultProviders {
// Name of the default provider(s) for tracing.
repeated string tracing = 1;
// Name of the default provider(s) for metrics.
repeated string metrics = 2;
// Name of the default provider(s) for access logging.
repeated string access_logging = 3;
}
// Specifies extension providers to use by default in Istio configuration resources.
DefaultProviders default_providers = 60;
// A list of Kubernetes selectors that specify the set of namespaces that Istio considers when
// computing configuration updates for sidecars. This can be used to reduce Istio's computational load
// by limiting the number of entities (including services, pods, and endpoints) that are watched and processed.
// If omitted, Istio will use the default behavior of processing all namespaces in the cluster.
// Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector.
// The following example selects any namespace that matches either below:
// 1. The namespace has both of these labels: `env: prod` and `region: us-east1`
// 2. The namespace has label `app` equal to `cassandra` or `spark`.
// ```yaml
// discoverySelectors:
// - matchLabels:
// env: prod
// region: us-east1
// - matchExpressions:
// - key: app
// operator: In
// values:
// - cassandra
// - spark
// ```
// Refer to the [Kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors)
// for additional detail on selector semantics.
repeated LabelSelector discovery_selectors = 59;
message ProxyPathNormalization {
enum NormalizationType {
// Apply default normalizations. Currently, this is BASE.
DEFAULT = 0;
// No normalization, paths are used as is.
NONE = 1;
// Normalize according to [RFC 3986](https://tools.ietf.org/html/rfc3986).
// For Envoy proxies, this is the [`normalize_path`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html) option.
// For example, `/a/../b` normalizes to `/b`.
BASE = 2;
// In addition to the `BASE` normalization, consecutive slashes are also merged.
// For example, `/a//b` normalizes to `a/b`.
MERGE_SLASHES = 3;
// In addition to normalization in `MERGE_SLASHES`, slash characters are UTF-8 decoded (case insensitive) prior to merging.
// This means `%2F`, `%2f`, `%5C`, and `%5c` sequences in the request path will be rewritten to `/` or `\`.
// For example, `/a%2f/b` normalizes to `a/b`.
DECODE_AND_MERGE_SLASHES = 4;
}
NormalizationType normalization = 1;
}
// ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
// normalized by the sidecars and gateways.
// The normalized paths will be used in all aspects through the requests' lifetime on the
// sidecars and gateways, which includes routing decisions in outbound direction (client proxy),
// authorization policy match and enforcement in inbound direction (server proxy), and the URL
// path proxied to the upstream service.
// If not set, the NormalizationType.DEFAULT configuration will be used.
ProxyPathNormalization path_normalization = 61;
// Configure the default HTTP retry policy.
// The default number of retry attempts is set at 2 for these errors:
// "connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes".
// Setting the number of attempts to 0 disables retry policy globally.
// This setting can be overridden on a per-host basis using the Virtual Service
// API.
// All settings in the retry policy except `perTryTimeout` can currently be
// configured globally via this field.
istio.networking.v1alpha3.HTTPRetry default_http_retry_policy = 62;
message TLSConfig {
// TLS protocol versions.
enum TLSProtocol {
// Automatically choose the optimal TLS version.
TLS_AUTO = 0;
// TLS version 1.2
TLSV1_2 = 1;
// TLS version 1.3
TLSV1_3 = 2;
}
// Optional: the minimum TLS protocol version. The default minimum
// TLS version will be TLS 1.2. As servers may not be Envoy and be
// set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
// minimum TLS version for clients may also be TLS 1.2.
// In the current Istio implementation, the maximum TLS protocol version
// is TLS 1.3.
TLSProtocol min_protocol_version = 1;
//
// Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange.
// If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to
// [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto).
repeated string ecdh_curves = 2;
//
// Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
// If not specified, the following cipher suites will be used:
// ```
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
// ECDHE-ECDSA-AES128-GCM-SHA256
// ECDHE-RSA-AES128-GCM-SHA256
// AES256-GCM-SHA384
// AES128-GCM-SHA256
// ```
repeated string cipher_suites = 3;
}
// The below configuration parameters can be used to specify TLSConfig for mesh traffic.
// For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below:
// ```yaml
// meshConfig:
// meshMTLS:
// minProtocolVersion: TLSV1_3
// tlsDefaults:
// Note: applicable only for non ISTIO_MUTUAL scenarios
// ecdhCurves:
// - P-256
// - P-512
// ```
// Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.
//
// Note: Mesh mTLS does not respect ECDH curves.
TLSConfig mesh_mTLS = 63;
//
// Configuration of TLS for all traffic except for ISTIO_MUTUAL mode.
// Currently, this supports configuration of ecdhCurves and cipherSuites only.
// For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.
TLSConfig tls_defaults = 64;
// $hide_from_docs
// Next available field number: 67
reserved 1;
reserved "mixer_check_server";
reserved 2;
reserved "mixer_report_server";
reserved 3;
reserved "disable_policy_checks";
reserved 48;
reserved "disable_mixer_http_reports";
reserved 25;
reserved "policy_check_fail_open";
reserved 30;
reserved "sidecar_to_telemetry_session_affinity";
reserved 10;
reserved "auth_policy";
reserved 11;
reserved "rds_refresh_delay";
reserved 15;
reserved 16;
reserved "mixer_address";
reserved 18;
reserved 19;
reserved "enable_client_side_policy_check";
reserved 20;
reserved "sds_uds_path";
reserved 21;
reserved "sds_refresh_delay";
reserved 23;
reserved "enable_sds_token_mount";
reserved 29;
reserved "sds_use_k8s_sa_jwt";
reserved 53;
reserved "termination_drain_duration";
reserved 37;
reserved "disable_report_batch";
reserved 38;
reserved "report_batch_max_entries";
reserved 39;
reserved "report_batch_max_time";
}
// Resource describes the source of configuration
enum Resource {
// Set to only receive service entries that are generated by the platform.
// These auto generated service entries are combination of services and endpoints
// that are generated by a specific platform e.g. k8
SERVICE_REGISTRY = 0;
}
// A label selector requirement is a selector that contains values, a key, and an operator that
// relates the key and values.
// Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.
message LabelSelector {
// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
// map is equivalent to an element of matchExpressions, whose key field is "key", the
// operator is "In", and the values array contains only "value". The requirements are ANDed.
// +optional
map<string, string> matchLabels = 1;
// matchExpressions is a list of label selector requirements. The requirements are ANDed.
// +optional
repeated LabelSelectorRequirement matchExpressions = 2;
}
// A label selector requirement is a selector that contains values, a key, and an operator that
// relates the key and values.
// Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.
message LabelSelectorRequirement {
// key is the label key that the selector applies to.
// +patchMergeKey=key
// +patchStrategy=merge
string key = 1;
// operator represents a key's relationship to a set of values.
// Valid operators are In, NotIn, Exists and DoesNotExist.
string operator = 2;
// values is an array of string values. If the operator is In or NotIn,
// the values array must be non-empty. If the operator is Exists or DoesNotExist,
// the values array must be empty. This array is replaced during a strategic
// merge patch.
// +optional
repeated string values = 3;
}
// ConfigSource describes information about a configuration store inside a
// mesh. A single control plane instance can interact with one or more data
// sources.
message ConfigSource {
// Address of the server implementing the Istio Mesh Configuration
// protocol (MCP). Can be IP address or a fully qualified DNS name.
// Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
// fs:/// to specify a file-based backend with absolute path to the directory.
string address = 1;
// Use the tlsSettings to specify the tls mode to use. If the MCP server
// uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
// mode as `ISTIO_MUTUAL`.
istio.networking.v1alpha3.ClientTLSSettings tls_settings = 2;
// Describes the source of configuration, if nothing is specified default is MCP
repeated Resource subscribed_resources = 3;
}
// $hide_from_docs
// Certificate configures the provision of a certificate and its key.
// Example 1: key and cert stored in a secret
// ```
// { secretName: galley-cert
// secretNamespace: istio-system
// dnsNames:
// - galley.istio-system.svc
// - galley.mydomain.com
// }
// ```
// Example 2: key and cert stored in a directory
// ```
// { dnsNames:
// - pilot.istio-system
// - pilot.istio-system.svc
// - pilot.mydomain.com
// }
// ```
message Certificate {
// Name of the secret the certificate and its key will be stored into.
// If it is empty, it will not be stored into a secret.
// Instead, the certificate and its key will be stored into a hard-coded directory.
string secret_name = 1;
// The DNS names for the certificate. A certificate may contain
// multiple DNS names.
repeated string dns_names = 2;
}