1{
2  "openapi": "3.0.0",
3  "info": {
4    "title": "Configuration affecting network reachability of a sidecar.",
5    "version": "v1beta1"
6  },
7  "components": {
8    "schemas": {
9      "istio.networking.v1beta1.ClientTLSSettings": {
10        "description": "SSL/TLS related settings for upstream connections. See Envoy's [TLS context](https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/auth/cert.proto.html) for more details. These settings are common to both HTTP and TCP upstreams.",
11        "type": "object",
12        "properties": {
13          "mode": {
14            "$ref": "#/components/schemas/istio.networking.v1beta1.ClientTLSSettings.TLSmode"
15          },
16          "clientCertificate": {
17            "description": "REQUIRED if mode is `MUTUAL`. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is `ISTIO_MUTUAL`.",
18            "type": "string",
19            "format": "string"
20          },
21          "privateKey": {
22            "description": "REQUIRED if mode is `MUTUAL`. The path to the file holding the client's private key. Should be empty if mode is `ISTIO_MUTUAL`.",
23            "type": "string",
24            "format": "string"
25          },
26          "caCertificates": {
27            "description": "OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will not verify the server's certificate. Should be empty if mode is `ISTIO_MUTUAL`.",
28            "type": "string",
29            "format": "string"
30          },
31          "subjectAltNames": {
32            "description": "A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. If specified, this list overrides the value of subject_alt_names from the ServiceEntry.",
33            "type": "array",
34            "items": {
35              "type": "string",
36              "format": "string"
37            }
38          },
39          "sni": {
40            "description": "SNI string to present to the server during TLS handshake.",
41            "type": "string",
42            "format": "string"
43          }
44        }
45      },
46      "istio.networking.v1beta1.PortSelector": {
47        "description": "PortSelector specifies the number of a port to be used for matching or selection for final routing.",
48        "type": "object",
49        "properties": {
50          "number": {
51            "description": "Valid port number",
52            "type": "integer"
53          }
54        }
55      },
56      "istio.networking.v1beta1.ClientTLSSettings.TLSmode": {
57        "description": "TLS connection mode",
58        "type": "string",
59        "enum": [
60          "DISABLE",
61          "SIMPLE",
62          "MUTUAL",
63          "ISTIO_MUTUAL"
64        ]
65      },
66      "istio.networking.v1beta1.Port": {
67        "description": "Port describes the properties of a specific port of a service.",
68        "type": "object",
69        "properties": {
70          "number": {
71            "description": "A valid non-negative integer port number.",
72            "type": "integer"
73          },
74          "name": {
75            "description": "Label assigned to the port.",
76            "type": "string",
77            "format": "string"
78          },
79          "protocol": {
80            "description": "The protocol exposed on the port. MUST BE one of HTTP|HTTPS|GRPC|HTTP2|MONGO|TCP|TLS. TLS implies the connection will be routed based on the SNI header to the destination without terminating the TLS connection.",
81            "type": "string",
82            "format": "string"
83          }
84        }
85      },
86      "istio.networking.v1beta1.ServerTLSSettings": {
87        "type": "object",
88        "properties": {
89          "mode": {
90            "$ref": "#/components/schemas/istio.networking.v1beta1.ServerTLSSettings.TLSmode"
91          },
92          "privateKey": {
93            "description": "REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file holding the server's private key.",
94            "type": "string",
95            "format": "string"
96          },
97          "caCertificates": {
98            "description": "REQUIRED if mode is `MUTUAL`. The path to a file containing certificate authority certificates to use in verifying a presented client side certificate.",
99            "type": "string",
100            "format": "string"
101          },
102          "subjectAltNames": {
103            "description": "A list of alternate names to verify the subject identity in the certificate presented by the client.",
104            "type": "array",
105            "items": {
106              "type": "string",
107              "format": "string"
108            }
109          },
110          "httpsRedirect": {
111            "description": "If set to true, the load balancer will send a 301 redirect for all HTTP connections, asking the clients to use HTTPS.",
112            "type": "boolean"
113          },
114          "serverCertificate": {
115            "description": "REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file holding the server-side TLS certificate to use.",
116            "type": "string",
117            "format": "string"
118          },
119          "credentialName": {
120            "description": "For gateways running on Kubernetes, the name of the secret that holds the TLS certs including the CA certificates. Applicable only on Kubernetes, and only if the dynamic credential fetching feature is enabled in the proxy by setting `ISTIO_META_USER_SDS` metadata variable. The secret (of type `generic`) should contain the following keys and values: `key: \u003cprivateKey\u003e`, `cert: \u003cserverCert\u003e`, `cacert: \u003cCACertificate\u003e`.",
121            "type": "string",
122            "format": "string"
123          },
124          "verifyCertificateSpki": {
125            "description": "An optional list of base64-encoded SHA-256 hashes of the SPKIs of authorized client certificates. Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.",
126            "type": "array",
127            "items": {
128              "type": "string",
129              "format": "string"
130            }
131          },
132          "verifyCertificateHash": {
133            "description": "An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. Both simple and colon separated formats are acceptable. Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.",
134            "type": "array",
135            "items": {
136              "type": "string",
137              "format": "string"
138            }
139          },
140          "minProtocolVersion": {
141            "$ref": "#/components/schemas/istio.networking.v1beta1.ServerTLSSettings.TLSProtocol"
142          },
143          "maxProtocolVersion": {
144            "$ref": "#/components/schemas/istio.networking.v1beta1.ServerTLSSettings.TLSProtocol"
145          },
146          "cipherSuites": {
147            "description": "Optional: If specified, only the listed cipher suites are supported. Otherwise, Envoy's default cipher list is used.",
148            "type": "array",
149            "items": {
150              "type": "string",
151              "format": "string"
152            }
153          }
154        }
155      },
156      "istio.networking.v1beta1.ServerTLSSettings.TLSmode": {
157        "description": "TLS modes enforced by the proxy",
158        "type": "string",
159        "enum": [
160          "PASSTHROUGH",
161          "SIMPLE",
162          "MUTUAL",
163          "AUTO_PASSTHROUGH",
164          "ISTIO_MUTUAL"
165        ]
166      },
167      "istio.networking.v1beta1.ServerTLSSettings.TLSProtocol": {
168        "description": "TLS protocol versions.",
169        "type": "string",
170        "enum": [
171          "TLS_AUTO",
172          "TLSV1_0",
173          "TLSV1_1",
174          "TLSV1_2",
175          "TLSV1_3"
176        ]
177      },
178      "istio.networking.v1beta1.WorkloadSelector": {
179        "description": "`WorkloadSelector` specifies the criteria used to determine if the `Gateway`, `Sidecar`, or `EnvoyFilter` configuration can be applied to a proxy. The matching criteria includes the metadata associated with a proxy, workload instance info such as labels attached to the pod/VM, or any other info that the proxy provides to Istio during the initial handshake. If multiple conditions are specified, all conditions need to match in order for the workload instance to be selected. Currently, only label based selection mechanism is supported.",
180        "type": "object",
181        "properties": {
182          "labels": {
183            "description": "One or more labels that indicate a specific set of pods/VMs on which this `Sidecar` configuration should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present.",
184            "type": "object",
185            "additionalProperties": {
186              "type": "string",
187              "format": "string"
188            }
189          }
190        }
191      },
192      "istio.networking.v1beta1.Sidecar": {
193        "description": "`Sidecar` describes the configuration of the sidecar proxy that mediates inbound and outbound communication of the workload instance to which it is attached.",
194        "type": "object",
195        "properties": {
196          "workloadSelector": {
197            "$ref": "#/components/schemas/istio.networking.v1beta1.WorkloadSelector"
198          },
199          "ingress": {
200            "description": "Ingress specifies the configuration of the sidecar for processing inbound traffic to the attached workload instance. If omitted, Istio will automatically configure the sidecar based on the information about the workload obtained from the orchestration platform (e.g., exposed ports, services, etc.). If specified, inbound ports are configured if and only if the workload instance is associated with a service.",
201            "type": "array",
202            "items": {
203              "$ref": "#/components/schemas/istio.networking.v1beta1.IstioIngressListener"
204            }
205          },
206          "egress": {
207            "description": "Egress specifies the configuration of the sidecar for processing outbound traffic from the attached workload instance to other services in the mesh. If not specified, inherits the system detected defaults from the namespace-wide or the global default Sidecar.",
208            "type": "array",
209            "items": {
210              "$ref": "#/components/schemas/istio.networking.v1beta1.IstioEgressListener"
211            }
212          },
213          "outboundTrafficPolicy": {
214            "$ref": "#/components/schemas/istio.networking.v1beta1.OutboundTrafficPolicy"
215          },
216          "localhost": {
217            "$ref": "#/components/schemas/istio.networking.v1beta1.Localhost"
218          }
219        }
220      },
221      "istio.networking.v1beta1.IstioIngressListener": {
222        "description": "`IstioIngressListener` specifies the properties of an inbound traffic listener on the sidecar proxy attached to a workload instance.",
223        "type": "object",
224        "properties": {
225          "port": {
226            "$ref": "#/components/schemas/istio.networking.v1beta1.Port"
227          },
228          "bind": {
229            "description": "The IP to which the listener should be bound. Must be in the format `x.x.x.x`. Unix domain socket addresses are not allowed in the bind field for ingress listeners. If omitted, Istio will automatically configure the defaults based on imported services and the workload instances to which this configuration is applied.",
230            "type": "string",
231            "format": "string"
232          },
233          "defaultEndpoint": {
234            "description": "The loopback IP endpoint or Unix domain socket to which traffic should be forwarded. This configuration can be used to redirect traffic arriving at the bind `IP:Port` on the sidecar to a `localhost:port` or Unix domain socket where the application workload instance is listening for connections. Format should be `127.0.0.1:PORT` or `unix:///path/to/socket`.",
235            "type": "string",
236            "format": "string"
237          },
238          "captureMode": {
239            "$ref": "#/components/schemas/istio.networking.v1beta1.CaptureMode"
240          },
241          "localhostClientTls": {
242            "$ref": "#/components/schemas/istio.networking.v1beta1.ClientTLSSettings"
243          }
244        }
245      },
246      "istio.networking.v1beta1.IstioEgressListener": {
247        "description": "`IstioEgressListener` specifies the properties of an outbound traffic listener on the sidecar proxy attached to a workload instance.",
248        "type": "object",
249        "properties": {
250          "port": {
251            "$ref": "#/components/schemas/istio.networking.v1beta1.Port"
252          },
253          "bind": {
254            "description": "The IP or the Unix domain socket to which the listener should be bound. Port MUST be specified if bind is not empty. Format: `x.x.x.x` or `unix:///path/to/uds` or `unix://@foobar` (Linux abstract namespace). If omitted, Istio will automatically configure the defaults based on imported services, the workload instances to which this configuration is applied, and the captureMode. If captureMode is `NONE`, bind will default to 127.0.0.1.",
255            "type": "string",
256            "format": "string"
257          },
258          "hosts": {
259            "description": "One or more service hosts exposed by the listener in `namespace/dnsName` format. Services in the specified namespace matching `dnsName` will be exposed. The corresponding service can be a service in the service registry (e.g., a Kubernetes or cloud foundry service) or a service specified using a `ServiceEntry` or `VirtualService` configuration. Any associated `DestinationRule` in the same namespace will also be used.",
260            "type": "array",
261            "items": {
262              "type": "string",
263              "format": "string"
264            }
265          },
266          "captureMode": {
267            "$ref": "#/components/schemas/istio.networking.v1beta1.CaptureMode"
268          },
269          "localhostServerTls": {
270            "$ref": "#/components/schemas/istio.networking.v1beta1.ServerTLSSettings"
271          }
272        }
273      },
274      "istio.networking.v1beta1.OutboundTrafficPolicy": {
275        "description": "`OutboundTrafficPolicy` sets the default behavior of the sidecar for handling outbound traffic from the application. If your application uses one or more external services that are not known a priori, setting the policy to `ALLOW_ANY` will cause the sidecars to route any unknown traffic originating from the application to its requested destination. Users are strongly encouraged to use `ServiceEntry` configurations to explicitly declare any external dependencies, instead of using `ALLOW_ANY`, so that traffic to these services can be monitored.",
276        "type": "object",
277        "properties": {
278          "mode": {
279            "$ref": "#/components/schemas/istio.networking.v1beta1.OutboundTrafficPolicy.Mode"
280          },
281          "egressProxy": {
282            "$ref": "#/components/schemas/istio.networking.v1beta1.Destination"
283          }
284        }
285      },
286      "istio.networking.v1beta1.Localhost": {
287        "description": "`Localhost` describes the sidecar settings related to the communication between the sidecar and the workload it is attached to in a Kubernetes Pod or a VM. These settings apply by default to all ingress and egress listeners in a sidecar unless overridden.",
288        "type": "object",
289        "properties": {
290          "clientTls": {
291            "$ref": "#/components/schemas/istio.networking.v1beta1.ClientTLSSettings"
292          },
293          "serverTls": {
294            "$ref": "#/components/schemas/istio.networking.v1beta1.ServerTLSSettings"
295          }
296        }
297      },
298      "istio.networking.v1beta1.CaptureMode": {
299        "description": "`CaptureMode` describes how traffic to a listener is expected to be captured. Applicable only when the listener is bound to an IP.",
300        "type": "string",
301        "enum": [
302          "DEFAULT",
303          "IPTABLES",
304          "NONE"
305        ]
306      },
307      "istio.networking.v1beta1.OutboundTrafficPolicy.Mode": {
308        "type": "string",
309        "enum": [
310          "REGISTRY_ONLY",
311          "ALLOW_ANY"
312        ]
313      },
314      "istio.networking.v1beta1.Destination": {
315        "description": "Destination indicates the network addressable service to which the request/connection will be sent after processing a routing rule. The destination.host should unambiguously refer to a service in the service registry. Istio's service registry is composed of all the services found in the platform's service registry (e.g., Kubernetes services, Consul services), as well as services declared through the [ServiceEntry](https://istio.io/docs/reference/config/networking/service-entry/#ServiceEntry) resource.",
316        "type": "object",
317        "properties": {
318          "host": {
319            "description": "The name of a service from the service registry. Service names are looked up from the platform's service registry (e.g., Kubernetes services, Consul services, etc.) and from the hosts declared by [ServiceEntry](https://istio.io/docs/reference/config/networking/service-entry/#ServiceEntry). Traffic forwarded to destinations that are not found in either of the two will be dropped.",
320            "type": "string",
321            "format": "string"
322          },
323          "port": {
324            "$ref": "#/components/schemas/istio.networking.v1beta1.PortSelector"
325          },
326          "subset": {
327            "description": "The name of a subset within the service. Applicable only to services within the mesh. The subset must be defined in a corresponding DestinationRule.",
328            "type": "string",
329            "format": "string"
330          }
331        }
332      }
333    }
334  }
335}