starred/holos
1
0
Fork 0
mirror of https://github.com/holos-run/holos.git synced 2026-03-19 00:37:45 +00:00
Code Issues Packages Projects Releases 10 Wiki Activity

Compare commits

base: starred:v0.48.1
Branches Tags
starred:main starred:dependabot/go_modules/go_modules-a258281abc starred:dependabot/npm_and_yarn/doc/website/npm_and_yarn-495cad6dbb starred:dependabot/npm_and_yarn/doc/website/npm_and_yarn-31e1e7acf6 starred:jeff/v1alpha6-executor starred:jeff/435-examples starred:jeff/gemini-compare starred:jeff/compile-backup starred:jeff/xcue starred:jeff/command starred:kubeslice starred:jeff/406-unify-values starred:gl/embed-timoni-for-tests starred:jeff/378-kargo-topic starred:gl/helm-values-test-fixes starred:test starred:jeff/370-private-helm-repositories starred:jeff/371-helm-sdk starred:jeff/readme starred:jeff/327-brew-install starred:release starred:gl/311-setup-and-hello-holos starred:301-docs-structure-refactor starred:jeff/225-ko-release starred:jeff/try-holos
starred:v0.106.0 starred:v0.105.1 starred:v0.105.0 starred:v0.104.3 starred:v0.104.2 starred:v0.104.1 starred:v0.104.0 starred:v0.103.0 starred:v0.102.5 starred:v0.102.4 starred:v0.102.3 starred:v0.102.2 starred:v0.102.1 starred:v0.102.0 starred:v0.1.1 starred:v0.1.0 starred:v0.101.8 starred:v0.101.7 starred:v0.101.6 starred:v0.101.5 starred:v0.101.4 starred:v0.101.3 starred:v0.101.2 starred:v0.101.1 starred:v0.101.0 starred:v0.100.1 starred:v0.100.0 starred:v0.99.3 starred:v0.99.2 starred:v0.99.1 starred:v0.99.0 starred:v0.98.2 starred:v0.98.1 starred:v0.98.0 starred:v0.97.3 starred:v0.97.2 starred:v0.97.1 starred:v0.97.0 starred:v0.96.0 starred:v0.95.3 starred:v0.95.2 starred:v0.95.1 starred:v0.95.0 starred:v0.94.0 starred:v0.93.4 starred:v0.93.3 starred:v0.93.2 starred:v0.93.1 starred:v0.93.0 starred:v0.92.0 starred:v0.91.1 starred:v0.91.0 starred:v0.90.0 starred:v0.89.1 starred:v0.89.0 starred:v0.87.2 starred:v0.87.1 starred:v0.87.0 starred:v0.86.0 starred:v0.85.1 starred:v0.85.0 starred:v0.84.1 starred:v0.84.0 starred:v0.83.1 starred:v0.83.0 starred:v0.82.2 starred:v0.82.1 starred:v0.81.2 starred:v0.81.0 starred:v0.80.2 starred:v0.80.1 starred:v0.80.0 starred:v0.79.0 starred:v0.78.0 starred:v0.77.0 starred:v0.76.1 starred:v0.76.0 starred:v0.75.1 starred:v0.75.0 starred:v0.74.0 starred:v0.73.3 starred:v0.73.1 starred:v0.73.0 starred:v0.72.1 starred:v0.70.4 starred:v0.70.1 starred:v0.70.0 starred:v0.69.0 starred:v0.68.1 starred:v0.68.0 starred:v0.67.0 starred:v0.66.0 starred:v0.65.2 starred:v0.65.1 starred:v0.65.0 starred:v0.64.5 starred:v0.64.4 starred:v0.64.3 starred:v0.64.2 starred:v0.64.1 starred:v0.64.0 starred:v0.63.5 starred:v0.63.4 starred:v0.63.3 starred:v0.63.2 starred:v0.63.1 starred:v0.63.0 starred:v0.62.1 starred:v0.62.0 starred:v0.61.7 starred:v0.61.6 starred:v0.61.5 starred:v0.61.4 starred:v0.61.3 starred:v0.61.1 starred:v0.61.0 starred:v0.60.4 starred:v0.60.3 starred:v0.60.2 starred:v0.60.1 starred:v0.60.0 starred:v0.59.0 starred:v0.58.3 starred:v0.58.2 starred:v0.58.1 starred:v0.58.0 starred:v0.57.0 starred:v0.56.0 starred:v0.55.4 starred:v0.55.3 starred:v0.55.2 starred:v0.55.1 starred:v0.55.0 starred:v0.54.1 starred:v0.53.4 starred:v0.53.3 starred:v0.53.2 starred:v0.53.1 starred:v0.52.0 starred:v0.51.2 starred:v0.51.1 starred:v0.51.0 starred:v0.50.2 starred:v0.50.1 starred:v0.50.0 starred:v0.49.7 starred:v0.49.6 starred:v0.49.5 starred:v0.49.4 starred:v0.49.3 starred:v0.49.2 starred:v0.49.1 starred:v0.49.0 starred:v0.48.3 starred:v0.48.2 starred:v0.48.1 starred:v0.48.0 starred:v0.47.2 starred:v0.47.1 starred:v0.47.0 starred:v0.46.3 starred:v0.46.2 starred:v0.46.1 starred:v0.46.0 starred:v0.45.3 starred:v0.45.2 starred:v0.45.1 starred:v0.45.0 starred:v0.44.0 starred:v0.43.2 starred:v0.43.1 starred:v0.43.0 starred:v0.42.1 starred:v0.42.0 starred:v0.41.0 starred:v0.40.4 starred:v0.40.3 starred:v0.40.2 starred:v0.40.1 starred:v0.40.0
...
compare: starred:v0.49.0
Branches Tags
starred:dependabot/go_modules/go_modules-a258281abc starred:dependabot/npm_and_yarn/doc/website/npm_and_yarn-495cad6dbb starred:main starred:dependabot/npm_and_yarn/doc/website/npm_and_yarn-31e1e7acf6 starred:jeff/v1alpha6-executor starred:jeff/435-examples starred:jeff/gemini-compare starred:jeff/compile-backup starred:jeff/xcue starred:jeff/command starred:kubeslice starred:jeff/406-unify-values starred:gl/embed-timoni-for-tests starred:jeff/378-kargo-topic starred:gl/helm-values-test-fixes starred:test starred:jeff/370-private-helm-repositories starred:jeff/371-helm-sdk starred:jeff/readme starred:jeff/327-brew-install starred:release starred:gl/311-setup-and-hello-holos starred:301-docs-structure-refactor starred:jeff/225-ko-release starred:jeff/try-holos
starred:v0.106.0 starred:v0.105.1 starred:v0.105.0 starred:v0.104.3 starred:v0.104.2 starred:v0.104.1 starred:v0.104.0 starred:v0.103.0 starred:v0.102.5 starred:v0.102.4 starred:v0.102.3 starred:v0.102.2 starred:v0.102.1 starred:v0.102.0 starred:v0.1.1 starred:v0.1.0 starred:v0.101.8 starred:v0.101.7 starred:v0.101.6 starred:v0.101.5 starred:v0.101.4 starred:v0.101.3 starred:v0.101.2 starred:v0.101.1 starred:v0.101.0 starred:v0.100.1 starred:v0.100.0 starred:v0.99.3 starred:v0.99.2 starred:v0.99.1 starred:v0.99.0 starred:v0.98.2 starred:v0.98.1 starred:v0.98.0 starred:v0.97.3 starred:v0.97.2 starred:v0.97.1 starred:v0.97.0 starred:v0.96.0 starred:v0.95.3 starred:v0.95.2 starred:v0.95.1 starred:v0.95.0 starred:v0.94.0 starred:v0.93.4 starred:v0.93.3 starred:v0.93.2 starred:v0.93.1 starred:v0.93.0 starred:v0.92.0 starred:v0.91.1 starred:v0.91.0 starred:v0.90.0 starred:v0.89.1 starred:v0.89.0 starred:v0.87.2 starred:v0.87.1 starred:v0.87.0 starred:v0.86.0 starred:v0.85.1 starred:v0.85.0 starred:v0.84.1 starred:v0.84.0 starred:v0.83.1 starred:v0.83.0 starred:v0.82.2 starred:v0.82.1 starred:v0.81.2 starred:v0.81.0 starred:v0.80.2 starred:v0.80.1 starred:v0.80.0 starred:v0.79.0 starred:v0.78.0 starred:v0.77.0 starred:v0.76.1 starred:v0.76.0 starred:v0.75.1 starred:v0.75.0 starred:v0.74.0 starred:v0.73.3 starred:v0.73.1 starred:v0.73.0 starred:v0.72.1 starred:v0.70.4 starred:v0.70.1 starred:v0.70.0 starred:v0.69.0 starred:v0.68.1 starred:v0.68.0 starred:v0.67.0 starred:v0.66.0 starred:v0.65.2 starred:v0.65.1 starred:v0.65.0 starred:v0.64.5 starred:v0.64.4 starred:v0.64.3 starred:v0.64.2 starred:v0.64.1 starred:v0.64.0 starred:v0.63.5 starred:v0.63.4 starred:v0.63.3 starred:v0.63.2 starred:v0.63.1 starred:v0.63.0 starred:v0.62.1 starred:v0.62.0 starred:v0.61.7 starred:v0.61.6 starred:v0.61.5 starred:v0.61.4 starred:v0.61.3 starred:v0.61.1 starred:v0.61.0 starred:v0.60.4 starred:v0.60.3 starred:v0.60.2 starred:v0.60.1 starred:v0.60.0 starred:v0.59.0 starred:v0.58.3 starred:v0.58.2 starred:v0.58.1 starred:v0.58.0 starred:v0.57.0 starred:v0.56.0 starred:v0.55.4 starred:v0.55.3 starred:v0.55.2 starred:v0.55.1 starred:v0.55.0 starred:v0.54.1 starred:v0.53.4 starred:v0.53.3 starred:v0.53.2 starred:v0.53.1 starred:v0.52.0 starred:v0.51.2 starred:v0.51.1 starred:v0.51.0 starred:v0.50.2 starred:v0.50.1 starred:v0.50.0 starred:v0.49.7 starred:v0.49.6 starred:v0.49.5 starred:v0.49.4 starred:v0.49.3 starred:v0.49.2 starred:v0.49.1 starred:v0.49.0 starred:v0.48.3 starred:v0.48.2 starred:v0.48.1 starred:v0.48.0 starred:v0.47.2 starred:v0.47.1 starred:v0.47.0 starred:v0.46.3 starred:v0.46.2 starred:v0.46.1 starred:v0.46.0 starred:v0.45.3 starred:v0.45.2 starred:v0.45.1 starred:v0.45.0 starred:v0.44.0 starred:v0.43.2 starred:v0.43.1 starred:v0.43.0 starred:v0.42.1 starred:v0.42.0 starred:v0.41.0 starred:v0.40.4 starred:v0.40.3 starred:v0.40.2 starred:v0.40.1 starred:v0.40.0

10 Commits
v0.48.1 ... v0.49.0

Author SHA1 Message Date
Jeff McCune
9c42cf9109 (#30) Import istio crds into cue definitions 
❯ timoni mod vendor crds -f ~/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
10:30AM INF schemas vendored: extensions.istio.io/wasmplugin/v1alpha1
10:30AM INF schemas vendored: install.istio.io/istiooperator/v1alpha1
10:30AM INF schemas vendored: networking.istio.io/destinationrule/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/destinationrule/v1beta1
10:30AM INF schemas vendored: networking.istio.io/envoyfilter/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/gateway/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/gateway/v1beta1
10:30AM INF schemas vendored: networking.istio.io/proxyconfig/v1beta1
10:30AM INF schemas vendored: networking.istio.io/serviceentry/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/serviceentry/v1beta1
10:30AM INF schemas vendored: networking.istio.io/sidecar/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/sidecar/v1beta1
10:30AM INF schemas vendored: networking.istio.io/virtualservice/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/virtualservice/v1beta1
10:30AM INF schemas vendored: networking.istio.io/workloadentry/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/workloadentry/v1beta1
10:30AM INF schemas vendored: networking.istio.io/workloadgroup/v1alpha3
10:30AM INF schemas vendored: networking.istio.io/workloadgroup/v1beta1
10:30AM INF schemas vendored: security.istio.io/authorizationpolicy/v1
10:30AM INF schemas vendored: security.istio.io/authorizationpolicy/v1beta1
10:30AM INF schemas vendored: security.istio.io/peerauthentication/v1beta1
10:30AM INF schemas vendored: security.istio.io/requestauthentication/v1
10:30AM INF schemas vendored: security.istio.io/requestauthentication/v1beta1
10:30AM INF schemas vendored: telemetry.istio.io/telemetry/v1alpha1
 2024-03-01 10:31:52 -08:00
Jeff McCune
3fce5188a2 (#30) Add holos cue instance prod-mesh-istio-base 
This patch installs the istio base helm chart from upstream which
includes the custom resource definitions.
 2024-03-01 10:28:54 -08:00
Jeff McCune
fde88ad5eb (#30) Add #DependsOn struct to unify dependencies 
Using a list to merge dependencies through the tree from root to leaf is
challenging.  This patch uses a #DependsOn struct instead then builds
the list of dependencies for flux from the struct field values.
 2024-03-01 10:13:55 -08:00
Jeff McCune
7a8d30f833 (#30) Mesh istio-system istio-ingress namespaces 
Need to be in place with privileged pod security policies.
 2024-03-01 09:35:57 -08:00
Jeff McCune
8987442b91 (#27) Add cert-manager ExternalSecret cloudflare-api-token-secret 
This enables the dns01 letsencrypt acme solver and is heavily used in
the reference platform.

Secret migrated from Vault using:

```bash
vault kv get -format=json -field data kv/k8s/ns/cert-manager/cloudflare-api-token-secret \
  | holos create secret --namespace cert-manager cloudflare-api-token-secret --data-stdin --append-hash=false
```
 2024-03-01 08:44:06 -08:00
Jeff McCune
a6af3a46cf (#27) Manage SecretStore with platform namespaces 
It makes sense to manage the SecretStore along with the Namespace in the
platform namespaces holos component.  Otherwise, the first component
that needs an ExternalSecret also needs to manage a SecretStore, which
creates an artificial dependency for subesequent components that also
need a SecretStore in the same namespace.

Best to just have all components depend on the namespaces component.
 2024-03-01 08:05:00 -08:00
Jeff McCune
71d545a883 (#27) Add cert-manager LetsEncrypt issuers 
This patch partially adds the Let's Encrypt issuers.  The platform data
expands to take a contact email and a cloudflare login email.

The external secret needs to be added next.
 2024-02-29 21:40:55 -08:00
Jeff McCune
044d3082d9 (#27) Add cert-manager custom resource definitions 
Without this patch the cert-manager component is missing the custom
resource definitions.

This patch adds them using the helm installCRDs value.
 2024-02-29 20:46:42 -08:00
Jeff McCune
c2d5c4ad36 (#27) Add cert-manager to the mesh collection 
Straight-forward helm install with no customization.

This patch also adds a "Skip" output kind which allows intermediate cue
files in the tree to signal holos to skip over the instance.  This
enables constraints to be added at intermediate layers without build
errors.
 2024-02-29 16:50:27 -08:00
Jeff McCune
ab03ef1052 (#27) Refactor top level schema 
Remove content and contentType top level keys, deprecated in favor of
apiObjects.

Clarify toward the use of #CollectionName instead of project name.
 2024-02-29 15:48:54 -08:00
49 changed files with 11067 additions and 76 deletions
Expand all files Collapse all files

2
.golangci.yaml Normal file
View File

@@ -0,0 +1,2 @@
run:
timeout: 5m

42
cmd/holos/testdata/constraints.txt vendored Normal file
View File

@@ -0,0 +1,42 @@
# Want support for intermediary constraints
exec holos build ./foo/... --log-level debug
stdout '^bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b$'
stderr 'processing holos component kind Skip'
-- cue.mod --
package holos
-- foo/constraints.cue --
package holos
metadata: name: "jeff"
-- foo/bar/bar.cue --
package holos
#KubernetesObjects & {
apiObjectMap: foo: bar: "bf2bc7f9-9ba0-4f9e-9bd2-9a205627eb0b"
}
-- schema.cue --
package holos
cluster: string @tag(cluster, string)
// #OutputTypeMeta is shared among all output types
#OutputTypeMeta: {
apiVersion: "holos.run/v1alpha1"
kind: #KubernetesObjects.kind | #NoOutput.kind
metadata: name: string
}
#KubernetesObjects: {
#OutputTypeMeta
kind: "KubernetesObjects"
apiObjectMap: {...}
}
#NoOutput: {
#OutputTypeMeta
kind: string | *"Skip"
metadata: name: string | *"skipped"
}
#NoOutput & {}

1310
docs/examples/cue.mod/gen/acme.cert-manager.io/challenge/v1/types_gen.cue Normal file
View File

File diff suppressed because it is too large Load Diff

82
docs/examples/cue.mod/gen/acme.cert-manager.io/order/v1/types_gen.cue Normal file
View File

@@ -0,0 +1,82 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
package v1
import "strings"
// Order is a type to represent an Order with an ACME server
#Order: {
// APIVersion defines the versioned schema of this representation
// of an object. Servers should convert recognized schemas to the
// latest internal value, and may reject unrecognized values.
// More info:
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
apiVersion: "acme.cert-manager.io/v1"
// Kind is a string value representing the REST resource this
// object represents. Servers may infer this from the endpoint
// the client submits requests to. Cannot be updated. In
// CamelCase. More info:
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
kind: "Order"
metadata: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
spec!: #OrderSpec
}
#OrderSpec: {
// CommonName is the common name as specified on the DER encoded
// CSR. If specified, this value must also be present in
// `dnsNames` or `ipAddresses`. This field must match the
// corresponding field on the DER encoded CSR.
commonName?: string
// DNSNames is a list of DNS names that should be included as part
// of the Order validation process. This field must match the
// corresponding field on the DER encoded CSR.
dnsNames?: [...string]
// Duration is the duration for the not after date for the
// requested certificate. this is set on order creation as pe the
// ACME spec.
duration?: string
// IPAddresses is a list of IP addresses that should be included
// as part of the Order validation process. This field must match
// the corresponding field on the DER encoded CSR.
ipAddresses?: [...string]
// IssuerRef references a properly configured ACME-type Issuer
// which should be used to create this Order. If the Issuer does
// not exist, processing will be retried. If the Issuer is not an
// 'ACME' Issuer, an error will be returned and the Order will be
// marked as failed.
issuerRef: {
// Group of the resource being referred to.
group?: string
// Kind of the resource being referred to.
kind?: string
// Name of the resource being referred to.
name: string
}
// Certificate signing request bytes in DER encoding. This will be
// used when finalizing the order. This field must be set on the
// order.
request: string
}

422
docs/examples/cue.mod/gen/cert-manager.io/certificate/v1/types_gen.cue Normal file
View File

@@ -0,0 +1,422 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
package v1
import "strings"
// A Certificate resource should be created to ensure an up to
// date and signed X.509 certificate is stored in the Kubernetes
// Secret resource named in `spec.secretName`.
// The stored certificate will be renewed before it expires (as
// configured by `spec.renewBefore`).
#Certificate: {
// APIVersion defines the versioned schema of this representation
// of an object. Servers should convert recognized schemas to the
// latest internal value, and may reject unrecognized values.
// More info:
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
apiVersion: "cert-manager.io/v1"
// Kind is a string value representing the REST resource this
// object represents. Servers may infer this from the endpoint
// the client submits requests to. Cannot be updated. In
// CamelCase. More info:
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
kind: "Certificate"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
// Specification of the desired state of the Certificate resource.
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
spec!: #CertificateSpec
}
// Specification of the desired state of the Certificate resource.
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
#CertificateSpec: {
// Defines extra output formats of the private key and signed
// certificate chain to be written to this Certificate's target
// Secret.
// This is an Alpha Feature and is only enabled with the
// `--feature-gates=AdditionalCertificateOutputFormats=true`
// option set on both the controller and webhook components.
additionalOutputFormats?: [...{
// Type is the name of the format type that should be written to
// the Certificate's target Secret.
type: "DER" | "CombinedPEM"
}]
// Requested common name X509 certificate subject attribute. More
// info:
// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
// NOTE: TLS clients will ignore this value when any subject
// alternative name is set (see
// https://tools.ietf.org/html/rfc6125#section-6.4.4).
// Should have a length of 64 characters or fewer to avoid
// generating invalid CSRs. Cannot be set if the `literalSubject`
// field is set.
commonName?: string
// Requested DNS subject alternative names.
dnsNames?: [...string]
// Requested 'duration' (i.e. lifetime) of the Certificate. Note
// that the issuer may choose to ignore the requested duration,
// just like any other requested attribute.
// If unset, this defaults to 90 days. Minimum accepted duration
// is 1 hour. Value must be in units accepted by Go
// time.ParseDuration https://golang.org/pkg/time/#ParseDuration.
duration?: string
// Requested email subject alternative names.
emailAddresses?: [...string]
// Whether the KeyUsage and ExtKeyUsage extensions should be set
// in the encoded CSR.
// This option defaults to true, and should only be disabled if
// the target issuer does not support CSRs with these X509
// KeyUsage/ ExtKeyUsage extensions.
encodeUsagesInRequest?: bool
// Requested IP address subject alternative names.
ipAddresses?: [...string]
// Requested basic constraints isCA value. The isCA value is used
// to set the `isCA` field on the created CertificateRequest
// resources. Note that the issuer may choose to ignore the
// requested isCA value, just like any other requested attribute.
// If true, this will automatically add the `cert sign` usage to
// the list of requested `usages`.
isCA?: bool
// Reference to the issuer responsible for issuing the
// certificate. If the issuer is namespace-scoped, it must be in
// the same namespace as the Certificate. If the issuer is
// cluster-scoped, it can be used from any namespace.
// The `name` field of the reference must always be specified.
issuerRef: {
// Group of the resource being referred to.
group?: string
// Kind of the resource being referred to.
kind?: string
// Name of the resource being referred to.
name: string
}
// Additional keystore output formats to be stored in the
// Certificate's Secret.
keystores?: {
// JKS configures options for storing a JKS keystore in the
// `spec.secretName` Secret resource.
jks?: {
// Create enables JKS keystore creation for the Certificate. If
// true, a file named `keystore.jks` will be created in the
// target Secret resource, encrypted using the password stored in
// `passwordSecretRef`. The keystore file will be updated
// immediately. If the issuer provided a CA certificate, a file
// named `truststore.jks` will also be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef` containing the issuing Certificate
// Authority
create: bool
// PasswordSecretRef is a reference to a key in a Secret resource
// containing the password used to encrypt the JKS keystore.
passwordSecretRef: {
// The key of the entry in the Secret resource's `data` field to
// be used. Some instances of this field may be defaulted, in
// others it may be required.
key?: string
// Name of the resource being referred to. More info:
// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
name: string
}
}
// PKCS12 configures options for storing a PKCS12 keystore in the
// `spec.secretName` Secret resource.
pkcs12?: {
// Create enables PKCS12 keystore creation for the Certificate. If
// true, a file named `keystore.p12` will be created in the
// target Secret resource, encrypted using the password stored in
// `passwordSecretRef`. The keystore file will be updated
// immediately. If the issuer provided a CA certificate, a file
// named `truststore.p12` will also be created in the target
// Secret resource, encrypted using the password stored in
// `passwordSecretRef` containing the issuing Certificate
// Authority
create: bool
// PasswordSecretRef is a reference to a key in a Secret resource
// containing the password used to encrypt the PKCS12 keystore.
passwordSecretRef: {
// The key of the entry in the Secret resource's `data` field to
// be used. Some instances of this field may be defaulted, in
// others it may be required.
key?: string
// Name of the resource being referred to. More info:
// https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
name: string
}
// Profile specifies the key and certificate encryption algorithms
// and the HMAC algorithm used to create the PKCS12 keystore.
// Default value is `LegacyRC2` for backward compatibility.
// If provided, allowed values are: `LegacyRC2`: Deprecated. Not
// supported by default in OpenSSL 3 or Java 20. `LegacyDES`:
// Less secure algorithm. Use this option for maximal
// compatibility. `Modern2023`: Secure algorithm. Use this option
// in case you have to always use secure algorithms (eg. because
// of company policy). Please note that the security of the
// algorithm is not that important in reality, because the
// unencrypted certificate and private key are also stored in the
// Secret.
profile?: "LegacyRC2" | "LegacyDES" | "Modern2023"
}
}
// Requested X.509 certificate subject, represented using the LDAP
// "String Representation of a Distinguished Name" [1].
// Important: the LDAP string format also specifies the order of
// the attributes in the subject, this is important when issuing
// certs for LDAP authentication. Example:
// `CN=foo,DC=corp,DC=example,DC=com` More info [1]:
// https://datatracker.ietf.org/doc/html/rfc4514 More info:
// https://github.com/cert-manager/cert-manager/issues/3203 More
// info: https://github.com/cert-manager/cert-manager/issues/4424
// Cannot be set if the `subject` or `commonName` field is set.
// This is an Alpha Feature and is only enabled with the
// `--feature-gates=LiteralCertificateSubject=true` option set on
// both the controller and webhook components.
literalSubject?: string
// x.509 certificate NameConstraint extension which MUST NOT be
// used in a non-CA certificate. More Info:
// https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.10
// This is an Alpha Feature and is only enabled with the
// `--feature-gates=NameConstraints=true` option set on both the
// controller and webhook components.
nameConstraints?: {
// if true then the name constraints are marked critical.
critical?: bool
// Excluded contains the constraints which must be disallowed. Any
// name matching a restriction in the excluded field is invalid
// regardless of information appearing in the permitted
excluded?: {
// DNSDomains is a list of DNS domains that are permitted or
// excluded.
dnsDomains?: [...string]
// EmailAddresses is a list of Email Addresses that are permitted
// or excluded.
emailAddresses?: [...string]
// IPRanges is a list of IP Ranges that are permitted or excluded.
// This should be a valid CIDR notation.
ipRanges?: [...string]
// URIDomains is a list of URI domains that are permitted or
// excluded.
uriDomains?: [...string]
}
// Permitted contains the constraints in which the names must be
// located.
permitted?: {
// DNSDomains is a list of DNS domains that are permitted or
// excluded.
dnsDomains?: [...string]
// EmailAddresses is a list of Email Addresses that are permitted
// or excluded.
emailAddresses?: [...string]
// IPRanges is a list of IP Ranges that are permitted or excluded.
// This should be a valid CIDR notation.
ipRanges?: [...string]
// URIDomains is a list of URI domains that are permitted or
// excluded.
uriDomains?: [...string]
}
}
// `otherNames` is an escape hatch for SAN that allows any type.
// We currently restrict the support to string like otherNames,
// cf RFC 5280 p 37 Any UTF8 String valued otherName can be
// passed with by setting the keys oid: x.x.x.x and UTF8Value:
// somevalue for `otherName`. Most commonly this would be UPN set
// with oid: 1.3.6.1.4.1.311.20.2.3 You should ensure that any
// OID passed is valid for the UTF8String type as we do not
// explicitly validate this.
otherNames?: [...{
// OID is the object identifier for the otherName SAN. The object
// identifier must be expressed as a dotted string, for example,
// "1.2.840.113556.1.4.221".
oid?: string
// utf8Value is the string value of the otherName SAN. The
// utf8Value accepts any valid UTF8 string to set as value for
// the otherName SAN.
utf8Value?: string
}]
// Private key options. These include the key algorithm and size,
// the used encoding and the rotation policy.
privateKey?: {
// Algorithm is the private key algorithm of the corresponding
// private key for this certificate.
// If provided, allowed values are either `RSA`, `ECDSA` or
// `Ed25519`. If `algorithm` is specified and `size` is not
// provided, key size of 2048 will be used for `RSA` key
// algorithm and key size of 256 will be used for `ECDSA` key
// algorithm. key size is ignored when using the `Ed25519` key
// algorithm.
algorithm?: "RSA" | "ECDSA" | "Ed25519"
// The private key cryptography standards (PKCS) encoding for this
// certificate's private key to be encoded in.
// If provided, allowed values are `PKCS1` and `PKCS8` standing
// for PKCS#1 and PKCS#8, respectively. Defaults to `PKCS1` if
// not specified.
encoding?: "PKCS1" | "PKCS8"
// RotationPolicy controls how private keys should be regenerated
// when a re-issuance is being processed.
// If set to `Never`, a private key will only be generated if one
// does not already exist in the target `spec.secretName`. If one
// does exists but it does not have the correct algorithm or
// size, a warning will be raised to await user intervention. If
// set to `Always`, a private key matching the specified
// requirements will be generated whenever a re-issuance occurs.
// Default is `Never` for backward compatibility.
rotationPolicy?: "Never" | "Always"
// Size is the key bit size of the corresponding private key for
// this certificate.
// If `algorithm` is set to `RSA`, valid values are `2048`, `4096`
// or `8192`, and will default to `2048` if not specified. If
// `algorithm` is set to `ECDSA`, valid values are `256`, `384`
// or `521`, and will default to `256` if not specified. If
// `algorithm` is set to `Ed25519`, Size is ignored. No other
// values are allowed.
size?: int
}
// How long before the currently issued certificate's expiry
// cert-manager should renew the certificate. For example, if a
// certificate is valid for 60 minutes, and `renewBefore=10m`,
// cert-manager will begin to attempt to renew the certificate 50
// minutes after it was issued (i.e. when there are 10 minutes
// remaining until the certificate is no longer valid).
// NOTE: The actual lifetime of the issued certificate is used to
// determine the renewal time. If an issuer returns a certificate
// with a different lifetime than the one requested, cert-manager
// will use the lifetime of the issued certificate.
// If unset, this defaults to 1/3 of the issued certificate's
// lifetime. Minimum accepted value is 5 minutes. Value must be
// in units accepted by Go time.ParseDuration
// https://golang.org/pkg/time/#ParseDuration.
renewBefore?: string
// The maximum number of CertificateRequest revisions that are
// maintained in the Certificate's history. Each revision
// represents a single `CertificateRequest` created by this
// Certificate, either when it was created, renewed, or Spec was
// changed. Revisions will be removed by oldest first if the
// number of revisions exceeds this number.
// If set, revisionHistoryLimit must be a value of `1` or greater.
// If unset (`nil`), revisions will not be garbage collected.
// Default value is `nil`.
revisionHistoryLimit?: int
// Name of the Secret resource that will be automatically created
// and managed by this Certificate resource. It will be populated
// with a private key and certificate, signed by the denoted
// issuer. The Secret resource lives in the same namespace as the
// Certificate resource.
secretName: string
// Defines annotations and labels to be copied to the
// Certificate's Secret. Labels and annotations on the Secret
// will be changed as they appear on the SecretTemplate when
// added or removed. SecretTemplate annotations are added in
// conjunction with, and cannot overwrite, the base set of
// annotations cert-manager sets on the Certificate's Secret.
secretTemplate?: {
// Annotations is a key value map to be copied to the target
// Kubernetes Secret.
annotations?: {
[string]: string
}
// Labels is a key value map to be copied to the target Kubernetes
// Secret.
labels?: {
[string]: string
}
}
// Requested set of X509 certificate subject attributes. More
// info:
// https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.6
// The common name attribute is specified separately in the
// `commonName` field. Cannot be set if the `literalSubject`
// field is set.
subject?: {
// Countries to be used on the Certificate.
countries?: [...string]
// Cities to be used on the Certificate.
localities?: [...string]
// Organizational Units to be used on the Certificate.
organizationalUnits?: [...string]
// Organizations to be used on the Certificate.
organizations?: [...string]
// Postal codes to be used on the Certificate.
postalCodes?: [...string]
// State/Provinces to be used on the Certificate.
provinces?: [...string]
// Serial number to be used on the Certificate.
serialNumber?: string
// Street addresses to be used on the Certificate.
streetAddresses?: [...string]
}
// Requested URI subject alternative names.
uris?: [...string]
// Requested key usages and extended key usages. These usages are
// used to set the `usages` field on the created
// CertificateRequest resources. If `encodeUsagesInRequest` is
// unset or set to `true`, the usages will additionally be
// encoded in the `request` field which contains the CSR blob.
// If unset, defaults to `digital signature` and `key
// encipherment`.
usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
}

127
docs/examples/cue.mod/gen/cert-manager.io/certificaterequest/v1/types_gen.cue Normal file
View File

@@ -0,0 +1,127 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-certmanager/prod-mesh-certmanager.gen.yaml
package v1
import "strings"
// A CertificateRequest is used to request a signed certificate
// from one of the configured issuers.
// All fields within the CertificateRequest's `spec` are immutable
// after creation. A CertificateRequest will either succeed or
// fail, as denoted by its `Ready` status condition and its
// `status.failureTime` field.
// A CertificateRequest is a one-shot resource, meaning it
// represents a single point in time request for a certificate
// and cannot be re-used.
#CertificateRequest: {
// APIVersion defines the versioned schema of this representation
// of an object. Servers should convert recognized schemas to the
// latest internal value, and may reject unrecognized values.
// More info:
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
apiVersion: "cert-manager.io/v1"
// Kind is a string value representing the REST resource this
// object represents. Servers may infer this from the endpoint
// the client submits requests to. Cannot be updated. In
// CamelCase. More info:
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
kind: "CertificateRequest"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
// Specification of the desired state of the CertificateRequest
// resource.
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
spec!: #CertificateRequestSpec
}
// Specification of the desired state of the CertificateRequest
// resource.
// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
#CertificateRequestSpec: {
// Requested 'duration' (i.e. lifetime) of the Certificate. Note
// that the issuer may choose to ignore the requested duration,
// just like any other requested attribute.
duration?: string
// Extra contains extra attributes of the user that created the
// CertificateRequest. Populated by the cert-manager webhook on
// creation and immutable.
extra?: {
[string]: [...string]
}
// Groups contains group membership of the user that created the
// CertificateRequest. Populated by the cert-manager webhook on
// creation and immutable.
groups?: [...string]
// Requested basic constraints isCA value. Note that the issuer
// may choose to ignore the requested isCA value, just like any
// other requested attribute.
// NOTE: If the CSR in the `Request` field has a BasicConstraints
// extension, it must have the same isCA value as specified here.
// If true, this will automatically add the `cert sign` usage to
// the list of requested `usages`.
isCA?: bool
// Reference to the issuer responsible for issuing the
// certificate. If the issuer is namespace-scoped, it must be in
// the same namespace as the Certificate. If the issuer is
// cluster-scoped, it can be used from any namespace.
// The `name` field of the reference must always be specified.
issuerRef: {
// Group of the resource being referred to.
group?: string
// Kind of the resource being referred to.
kind?: string
// Name of the resource being referred to.
name: string
}
// The PEM-encoded X.509 certificate signing request to be
// submitted to the issuer for signing.
// If the CSR has a BasicConstraints extension, its isCA attribute
// must match the `isCA` value of this CertificateRequest. If the
// CSR has a KeyUsage extension, its key usages must match the
// key usages in the `usages` field of this CertificateRequest.
// If the CSR has a ExtKeyUsage extension, its extended key
// usages must match the extended key usages in the `usages`
// field of this CertificateRequest.
request: string
// UID contains the uid of the user that created the
// CertificateRequest. Populated by the cert-manager webhook on
// creation and immutable.
uid?: string
// Requested key usages and extended key usages.
// NOTE: If the CSR in the `Request` field has uses the KeyUsage
// or ExtKeyUsage extension, these extensions must have the same
// values as specified here without any additional values.
// If unset, defaults to `digital signature` and `key
// encipherment`.
usages?: [..."signing" | "digital signature" | "content commitment" | "key encipherment" | "key agreement" | "data encipherment" | "cert sign" | "crl sign" | "encipher only" | "decipher only" | "any" | "server auth" | "client auth" | "code signing" | "email protection" | "s/mime" | "ipsec end system" | "ipsec tunnel" | "ipsec user" | "timestamping" | "ocsp signing" | "microsoft sgc" | "netscape sgc"]
// Username contains the name of the user that created the
// CertificateRequest. Populated by the cert-manager webhook on
// creation and immutable.
username?: string
}

1590
docs/examples/cue.mod/gen/cert-manager.io/clusterissuer/v1/types_gen.cue Normal file
View File

File diff suppressed because it is too large Load Diff

1589
docs/examples/cue.mod/gen/cert-manager.io/issuer/v1/types_gen.cue Normal file
View File

File diff suppressed because it is too large Load Diff

123
docs/examples/cue.mod/gen/extensions.istio.io/wasmplugin/v1alpha1/types_gen.cue Normal file
View File

@@ -0,0 +1,123 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha1
import (
"strings"
"list"
)
#WasmPlugin: {
// Extend the functionality provided by the Istio proxy through
// WebAssembly filters. See more details at:
// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
spec!: #WasmPluginSpec
apiVersion: "extensions.istio.io/v1alpha1"
kind: "WasmPlugin"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Extend the functionality provided by the Istio proxy through
// WebAssembly filters. See more details at:
// https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html
#WasmPluginSpec: {
// Specifies the failure behavior for the plugin due to fatal
// errors.
failStrategy?: "FAIL_CLOSE" | "FAIL_OPEN"
// The pull behaviour to be applied when fetching Wasm module by
// either OCI image or http/https.
imagePullPolicy?: "UNSPECIFIED_POLICY" | "IfNotPresent" | "Always"
// Credentials to use for OCI image pulling.
imagePullSecret?: strings.MaxRunes(253) & strings.MinRunes(1)
// Specifies the criteria to determine which traffic is passed to
// WasmPlugin.
match?: [...{
// Criteria for selecting traffic by their direction.
mode?: "UNDEFINED" | "CLIENT" | "SERVER" | "CLIENT_AND_SERVER"
// Criteria for selecting traffic by their destination port.
ports?: [...{
number: uint16 & >=1
}]
}]
// Determines where in the filter chain this `WasmPlugin` is to be
// injected.
phase?: "UNSPECIFIED_PHASE" | "AUTHN" | "AUTHZ" | "STATS"
// The configuration that will be passed on to the plugin.
pluginConfig?: {
...
}
// The plugin name to be used in the Envoy configuration (used to
// be called `rootID`).
pluginName?: strings.MaxRunes(256) & strings.MinRunes(1)
// Determines ordering of `WasmPlugins` in the same `phase`.
priority?: null | int
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
// SHA256 checksum that will be used to verify Wasm module or OCI
// container.
sha256?: =~"(^$|^[a-f0-9]{64}$)"
// Optional.
targetRef?: {
// group is the group of the target resource.
group?: string
// kind is kind of the target resource.
kind?: string
// name is the name of the target resource.
name?: string
// namespace is the namespace of the referent.
namespace?: string
}
// Specifies the type of Wasm Extension to be used.
type?: "UNSPECIFIED_PLUGIN_TYPE" | "HTTP" | "NETWORK"
// URL of a Wasm module or OCI container.
url: strings.MinRunes(1)
verificationKey?: string
vmConfig?: {
// Specifies environment variables to be injected to this VM.
env?: list.MaxItems(256) & [...{
// Name of the environment variable.
name: strings.MaxRunes(256) & strings.MinRunes(1)
// Value for the environment variable.
value?: strings.MaxRunes(2048)
// Source for the environment variable's value.
valueFrom?: "INLINE" | "HOST"
}]
}
}

27
docs/examples/cue.mod/gen/install.istio.io/istiooperator/v1alpha1/types_gen.cue Normal file
View File

@@ -0,0 +1,27 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha1
import "strings"
#IstioOperator: {
apiVersion: "install.istio.io/v1alpha1"
kind: "IstioOperator"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
...
}

967
docs/examples/cue.mod/gen/networking.istio.io/destinationrule/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,967 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#DestinationRule: {
// Configuration affecting load balancing, outlier detection, etc.
// See more details at:
// https://istio.io/docs/reference/config/networking/destination-rule.html
spec!: #DestinationRuleSpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "DestinationRule"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting load balancing, outlier detection, etc.
// See more details at:
// https://istio.io/docs/reference/config/networking/destination-rule.html
#DestinationRuleSpec: {
// A list of namespaces to which this destination rule is
// exported.
exportTo?: [...string]
// The name of a service from the service registry.
host: string
// One or more named sets that represent individual versions of a
// service.
subsets?: [...{
// Labels apply a filter over the endpoints of a service in the
// service registry.
labels?: {
[string]: string
}
// Name of the subset.
name: string
// Traffic policies that apply to this subset.
trafficPolicy?: {
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
// Traffic policies specific to individual ports.
portLevelSettings?: [...{
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
port?: {
number?: int
}
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
}]
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
// Configuration of tunneling TCP over other transport or
// application layers for the host configured in the
// DestinationRule.
tunnel?: {
// Specifies which protocol to use for tunneling the downstream
// connection.
protocol?: string
// Specifies a host to which the downstream connection is
// tunneled.
targetHost: string
// Specifies a port to which the downstream connection is
// tunneled.
targetPort: int
}
}
}]
// Traffic policies to apply (load balancing policy, connection
// pool sizes, outlier detection).
trafficPolicy?: {
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
// Traffic policies specific to individual ports.
portLevelSettings?: [...{
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
port?: {
number?: int
}
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
}]
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
// Configuration of tunneling TCP over other transport or
// application layers for the host configured in the
// DestinationRule.
tunnel?: {
// Specifies which protocol to use for tunneling the downstream
// connection.
protocol?: string
// Specifies a host to which the downstream connection is
// tunneled.
targetHost: string
// Specifies a port to which the downstream connection is
// tunneled.
targetPort: int
}
}
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
}

967
docs/examples/cue.mod/gen/networking.istio.io/destinationrule/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,967 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#DestinationRule: {
// Configuration affecting load balancing, outlier detection, etc.
// See more details at:
// https://istio.io/docs/reference/config/networking/destination-rule.html
spec!: #DestinationRuleSpec
apiVersion: "networking.istio.io/v1beta1"
kind: "DestinationRule"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting load balancing, outlier detection, etc.
// See more details at:
// https://istio.io/docs/reference/config/networking/destination-rule.html
#DestinationRuleSpec: {
// A list of namespaces to which this destination rule is
// exported.
exportTo?: [...string]
// The name of a service from the service registry.
host: string
// One or more named sets that represent individual versions of a
// service.
subsets?: [...{
// Labels apply a filter over the endpoints of a service in the
// service registry.
labels?: {
[string]: string
}
// Name of the subset.
name: string
// Traffic policies that apply to this subset.
trafficPolicy?: {
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
// Traffic policies specific to individual ports.
portLevelSettings?: [...{
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
port?: {
number?: int
}
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
}]
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
// Configuration of tunneling TCP over other transport or
// application layers for the host configured in the
// DestinationRule.
tunnel?: {
// Specifies which protocol to use for tunneling the downstream
// connection.
protocol?: string
// Specifies a host to which the downstream connection is
// tunneled.
targetHost: string
// Specifies a port to which the downstream connection is
// tunneled.
targetPort: int
}
}
}]
// Traffic policies to apply (load balancing policy, connection
// pool sizes, outlier detection).
trafficPolicy?: {
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
// Traffic policies specific to individual ports.
portLevelSettings?: [...{
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Settings controlling the load balancer algorithms.
loadBalancer?: ({} | {
simple: _
} | {
consistentHash: _
}) & {
consistentHash?: ({} | {
httpHeaderName: _
} | {
httpCookie: _
} | {
useSourceIp: _
} | {
httpQueryParameterName: _
}) & ({} | {
ringHash: _
} | {
maglev: _
}) & {
// Hash based on HTTP cookie.
httpCookie?: {
// Name of the cookie.
name: string
// Path to set for the cookie.
path?: string
// Lifetime of the cookie.
ttl?: string
}
// Hash based on a specific HTTP header.
httpHeaderName?: string
// Hash based on a specific HTTP query parameter.
httpQueryParameterName?: string
maglev?: {
// The table size for Maglev hashing.
tableSize?: int
}
// Deprecated.
minimumRingSize?: int
ringHash?: {
// The minimum number of virtual nodes to use for the hash ring.
minimumRingSize?: int
}
// Hash based on the source IP address.
useSourceIp?: bool
}
localityLbSetting?: {
// Optional: only one of distribute, failover or failoverPriority
// can be set.
distribute?: [...{
// Originating locality, '/' separated, e.g.
from?: string
// Map of upstream localities to traffic distribution weights.
to?: {
[string]: int
}
}]
// enable locality load balancing, this is DestinationRule-level
// and will override mesh wide settings in entirety.
enabled?: null | bool
// Optional: only one of distribute, failover or failoverPriority
// can be set.
failover?: [...{
// Originating region.
from?: string
// Destination region the traffic will fail over to when endpoints
// in the 'from' region becomes unhealthy.
to?: string
}]
// failoverPriority is an ordered list of labels used to sort
// endpoints to do priority based load balancing.
failoverPriority?: [...string]
}
simple?: "UNSPECIFIED" | "LEAST_CONN" | "RANDOM" | "PASSTHROUGH" | "ROUND_ROBIN" | "LEAST_REQUEST"
// Represents the warmup duration of Service.
warmupDurationSecs?: string
}
outlierDetection?: {
// Minimum ejection duration.
baseEjectionTime?: string
// Number of 5xx errors before a host is ejected from the
// connection pool.
consecutive5xxErrors?: null | int
consecutiveErrors?: int
// Number of gateway errors before a host is ejected from the
// connection pool.
consecutiveGatewayErrors?: null | int
// The number of consecutive locally originated failures before
// ejection occurs.
consecutiveLocalOriginFailures?: null | int
// Time interval between ejection sweep analysis.
interval?: string
// Maximum % of hosts in the load balancing pool for the upstream
// service that can be ejected.
maxEjectionPercent?: int
// Outlier detection will be enabled as long as the associated
// load balancing pool has at least min_health_percent hosts in
// healthy mode.
minHealthPercent?: int
// Determines whether to distinguish local origin failures from
// external errors.
splitExternalLocalOriginErrors?: bool
}
port?: {
number?: int
}
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
}]
// TLS related settings for connections to the upstream service.
tls?: {
// OPTIONAL: The path to the file containing certificate authority
// certificates to use in verifying a presented server
// certificate.
caCertificates?: string
// REQUIRED if mode is `MUTUAL`.
clientCertificate?: string
// The name of the secret that holds the TLS certs for the client
// including the CA certificates.
credentialName?: string
// `insecureSkipVerify` specifies whether the proxy should skip
// verifying the CA signature and SAN for the server certificate
// corresponding to the host.
insecureSkipVerify?: null | bool
// Indicates whether connections to this port should be secured
// using TLS.
mode?: "DISABLE" | "SIMPLE" | "MUTUAL" | "ISTIO_MUTUAL"
// REQUIRED if mode is `MUTUAL`.
privateKey?: string
// SNI string to present to the server during TLS handshake.
sni?: string
// A list of alternate names to verify the subject identity in the
// certificate.
subjectAltNames?: [...string]
}
// Configuration of tunneling TCP over other transport or
// application layers for the host configured in the
// DestinationRule.
tunnel?: {
// Specifies which protocol to use for tunneling the downstream
// connection.
protocol?: string
// Specifies a host to which the downstream connection is
// tunneled.
targetHost: string
// Specifies a port to which the downstream connection is
// tunneled.
targetPort: int
}
}
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
}

185
docs/examples/cue.mod/gen/networking.istio.io/envoyfilter/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,185 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#EnvoyFilter: {
// Customizing Envoy configuration generated by Istio. See more
// details at:
// https://istio.io/docs/reference/config/networking/envoy-filter.html
spec!: #EnvoyFilterSpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "EnvoyFilter"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Customizing Envoy configuration generated by Istio. See more
// details at:
// https://istio.io/docs/reference/config/networking/envoy-filter.html
#EnvoyFilterSpec: {
// One or more patches with match conditions.
configPatches?: [...{
// Specifies where in the Envoy configuration, the patch should be
// applied.
applyTo?: "INVALID" | "LISTENER" | "FILTER_CHAIN" | "NETWORK_FILTER" | "HTTP_FILTER" | "ROUTE_CONFIGURATION" | "VIRTUAL_HOST" | "HTTP_ROUTE" | "CLUSTER" | "EXTENSION_CONFIG" | "BOOTSTRAP" | "LISTENER_FILTER"
// Match on listener/route configuration/cluster.
match?: ({} | {
listener: _
} | {
routeConfiguration: _
} | {
cluster: _
}) & {
// Match on envoy cluster attributes.
cluster?: {
// The exact name of the cluster to match.
name?: string
// The service port for which this cluster was generated.
portNumber?: int
// The fully qualified service name for this cluster.
service?: string
// The subset associated with the service.
subset?: string
}
// The specific config generation context to match on.
context?: "ANY" | "SIDECAR_INBOUND" | "SIDECAR_OUTBOUND" | "GATEWAY"
// Match on envoy listener attributes.
listener?: {
// Match a specific filter chain in a listener.
filterChain?: {
// Applies only to sidecars.
applicationProtocols?: string
// The destination_port value used by a filter chain's match
// condition.
destinationPort?: int
// The name of a specific filter to apply the patch to.
filter?: {
// The filter name to match on.
name?: string
subFilter?: {
// The filter name to match on.
name?: string
}
}
// The name assigned to the filter chain.
name?: string
// The SNI value used by a filter chain's match condition.
sni?: string
// Applies only to `SIDECAR_INBOUND` context.
transportProtocol?: string
}
// Match a specific listener filter.
listenerFilter?: string
// Match a specific listener by its name.
name?: string
portName?: string
// The service port/gateway port to which traffic is being
// sent/received.
portNumber?: int
}
// Match on properties associated with a proxy.
proxy?: {
// Match on the node metadata supplied by a proxy when connecting
// to Istio Pilot.
metadata?: {
[string]: string
}
// A regular expression in golang regex format (RE2) that can be
// used to select proxies using a specific version of istio
// proxy.
proxyVersion?: string
}
// Match on envoy HTTP route configuration attributes.
routeConfiguration?: {
// The Istio gateway config's namespace/name for which this route
// configuration was generated.
gateway?: string
// Route configuration name to match on.
name?: string
// Applicable only for GATEWAY context.
portName?: string
// The service port number or gateway server port number for which
// this route configuration was generated.
portNumber?: int
// Match a specific virtual host in a route configuration and
// apply the patch to the virtual host.
vhost?: {
// The VirtualHosts objects generated by Istio are named as
// host:port, where the host typically corresponds to the
// VirtualService's host field or the hostname of a service in
// the registry.
name?: string
// Match a specific route within the virtual host.
route?: {
// Match a route with specific action type.
action?: "ANY" | "ROUTE" | "REDIRECT" | "DIRECT_RESPONSE"
// The Route objects generated by default are named as default.
name?: string
}
}
}
}
// The patch to apply along with the operation.
patch?: {
// Determines the filter insertion order.
filterClass?: "UNSPECIFIED" | "AUTHN" | "AUTHZ" | "STATS"
// Determines how the patch should be applied.
operation?: "INVALID" | "MERGE" | "ADD" | "REMOVE" | "INSERT_BEFORE" | "INSERT_AFTER" | "INSERT_FIRST" | "REPLACE"
// The JSON config of the object being patched.
value?: {}
}
}]
// Priority defines the order in which patch sets are applied
// within a context.
priority?: int
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which the configuration should be applied.
labels?: {
[string]: string
}
}
}

115
docs/examples/cue.mod/gen/networking.istio.io/gateway/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,115 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#Gateway: {
// Configuration affecting edge load balancer. See more details
// at:
// https://istio.io/docs/reference/config/networking/gateway.html
spec!: #GatewaySpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "Gateway"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting edge load balancer. See more details
// at:
// https://istio.io/docs/reference/config/networking/gateway.html
#GatewaySpec: {
// One or more labels that indicate a specific set of pods/VMs on
// which this gateway configuration should be applied.
selector?: {
[string]: string
}
// A list of server specifications.
servers?: [...{
// The ip or the Unix domain socket to which the listener should
// be bound to.
bind?: string
defaultEndpoint?: string
// One or more hosts exposed by this gateway.
hosts: [...string]
// An optional name of the server, when set must be unique across
// all servers.
name?: string
// The Port on which the proxy should listen for incoming
// connections.
port: {
// Label assigned to the port.
name: string
// A valid non-negative integer port number.
number: int
// The protocol exposed on the port.
protocol: string
targetPort?: int
}
// Set of TLS related options that govern the server's behavior.
tls?: {
// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
caCertificates?: string
// Optional: If specified, only support the specified cipher list.
cipherSuites?: [...string]
// For gateways running on Kubernetes, the name of the secret that
// holds the TLS certs including the CA certificates.
credentialName?: string
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS.
httpsRedirect?: bool
// Optional: Maximum TLS protocol version.
maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Minimum TLS protocol version.
minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Indicates whether connections to this port should be
// secured using TLS.
mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
privateKey?: string
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
serverCertificate?: string
// A list of alternate names to verify the subject identity in the
// certificate presented by the client.
subjectAltNames?: [...string]
// An optional list of hex-encoded SHA-256 hashes of the
// authorized client certificates.
verifyCertificateHash?: [...string]
// An optional list of base64-encoded SHA-256 hashes of the SPKIs
// of authorized client certificates.
verifyCertificateSpki?: [...string]
}
}]
}

115
docs/examples/cue.mod/gen/networking.istio.io/gateway/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,115 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#Gateway: {
// Configuration affecting edge load balancer. See more details
// at:
// https://istio.io/docs/reference/config/networking/gateway.html
spec!: #GatewaySpec
apiVersion: "networking.istio.io/v1beta1"
kind: "Gateway"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting edge load balancer. See more details
// at:
// https://istio.io/docs/reference/config/networking/gateway.html
#GatewaySpec: {
// One or more labels that indicate a specific set of pods/VMs on
// which this gateway configuration should be applied.
selector?: {
[string]: string
}
// A list of server specifications.
servers?: [...{
// The ip or the Unix domain socket to which the listener should
// be bound to.
bind?: string
defaultEndpoint?: string
// One or more hosts exposed by this gateway.
hosts: [...string]
// An optional name of the server, when set must be unique across
// all servers.
name?: string
// The Port on which the proxy should listen for incoming
// connections.
port: {
// Label assigned to the port.
name: string
// A valid non-negative integer port number.
number: int
// The protocol exposed on the port.
protocol: string
targetPort?: int
}
// Set of TLS related options that govern the server's behavior.
tls?: {
// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
caCertificates?: string
// Optional: If specified, only support the specified cipher list.
cipherSuites?: [...string]
// For gateways running on Kubernetes, the name of the secret that
// holds the TLS certs including the CA certificates.
credentialName?: string
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS.
httpsRedirect?: bool
// Optional: Maximum TLS protocol version.
maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Minimum TLS protocol version.
minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Indicates whether connections to this port should be
// secured using TLS.
mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
privateKey?: string
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
serverCertificate?: string
// A list of alternate names to verify the subject identity in the
// certificate presented by the client.
subjectAltNames?: [...string]
// An optional list of hex-encoded SHA-256 hashes of the
// authorized client certificates.
verifyCertificateHash?: [...string]
// An optional list of base64-encoded SHA-256 hashes of the SPKIs
// of authorized client certificates.
verifyCertificateSpki?: [...string]
}
}]
}

54
docs/examples/cue.mod/gen/networking.istio.io/proxyconfig/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,54 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#ProxyConfig: {
// Provides configuration for individual workloads. See more
// details at:
// https://istio.io/docs/reference/config/networking/proxy-config.html
spec!: #ProxyConfigSpec
apiVersion: "networking.istio.io/v1beta1"
kind: "ProxyConfig"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Provides configuration for individual workloads. See more
// details at:
// https://istio.io/docs/reference/config/networking/proxy-config.html
#ProxyConfigSpec: {
// The number of worker threads to run.
concurrency?: null | int
// Additional environment variables for the proxy.
environmentVariables?: {
[string]: string
}
image?: {
// The image type of the image.
imageType?: string
}
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
}

107
docs/examples/cue.mod/gen/networking.istio.io/serviceentry/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,107 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#ServiceEntry: {
// Configuration affecting service registry. See more details at:
// https://istio.io/docs/reference/config/networking/service-entry.html
spec!: #ServiceEntrySpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "ServiceEntry"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting service registry. See more details at:
// https://istio.io/docs/reference/config/networking/service-entry.html
#ServiceEntrySpec: {
// The virtual IP addresses associated with the service.
addresses?: [...string]
// One or more endpoints associated with the service.
endpoints?: [...{
// Address associated with the network endpoint without the port.
address?: string
// One or more labels associated with the endpoint.
labels?: {
[string]: string
}
// The locality associated with the endpoint.
locality?: string
// Network enables Istio to group endpoints resident in the same
// L3 domain/network.
network?: string
// Set of ports associated with the endpoint.
ports?: {
[string]: int
}
// The service account associated with the workload if a sidecar
// is present in the workload.
serviceAccount?: string
// The load balancing weight associated with the endpoint.
weight?: int
}]
// A list of namespaces to which this service is exported.
exportTo?: [...string]
// The hosts associated with the ServiceEntry.
hosts: [...string]
// Specify whether the service should be considered external to
// the mesh or part of the mesh.
location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
// The ports associated with the external service.
ports?: [...{
// Label assigned to the port.
name: string
// A valid non-negative integer port number.
number: int
// The protocol exposed on the port.
protocol?: string
// The port number on the endpoint where the traffic will be
// received.
targetPort?: int
}]
// Service resolution mode for the hosts.
resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
// If specified, the proxy will verify that the server
// certificate's subject alternate name matches one of the
// specified values.
subjectAltNames?: [...string]
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which the configuration should be applied.
labels?: {
[string]: string
}
}
}

107
docs/examples/cue.mod/gen/networking.istio.io/serviceentry/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,107 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#ServiceEntry: {
// Configuration affecting service registry. See more details at:
// https://istio.io/docs/reference/config/networking/service-entry.html
spec!: #ServiceEntrySpec
apiVersion: "networking.istio.io/v1beta1"
kind: "ServiceEntry"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting service registry. See more details at:
// https://istio.io/docs/reference/config/networking/service-entry.html
#ServiceEntrySpec: {
// The virtual IP addresses associated with the service.
addresses?: [...string]
// One or more endpoints associated with the service.
endpoints?: [...{
// Address associated with the network endpoint without the port.
address?: string
// One or more labels associated with the endpoint.
labels?: {
[string]: string
}
// The locality associated with the endpoint.
locality?: string
// Network enables Istio to group endpoints resident in the same
// L3 domain/network.
network?: string
// Set of ports associated with the endpoint.
ports?: {
[string]: int
}
// The service account associated with the workload if a sidecar
// is present in the workload.
serviceAccount?: string
// The load balancing weight associated with the endpoint.
weight?: int
}]
// A list of namespaces to which this service is exported.
exportTo?: [...string]
// The hosts associated with the ServiceEntry.
hosts: [...string]
// Specify whether the service should be considered external to
// the mesh or part of the mesh.
location?: "MESH_EXTERNAL" | "MESH_INTERNAL"
// The ports associated with the external service.
ports?: [...{
// Label assigned to the port.
name: string
// A valid non-negative integer port number.
number: int
// The protocol exposed on the port.
protocol?: string
// The port number on the endpoint where the traffic will be
// received.
targetPort?: int
}]
// Service resolution mode for the hosts.
resolution?: "NONE" | "STATIC" | "DNS" | "DNS_ROUND_ROBIN"
// If specified, the proxy will verify that the server
// certificate's subject alternate name matches one of the
// specified values.
subjectAltNames?: [...string]
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which the configuration should be applied.
labels?: {
[string]: string
}
}
}

280
docs/examples/cue.mod/gen/networking.istio.io/sidecar/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,280 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#Sidecar: {
// Configuration affecting network reachability of a sidecar. See
// more details at:
// https://istio.io/docs/reference/config/networking/sidecar.html
spec!: #SidecarSpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "Sidecar"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting network reachability of a sidecar. See
// more details at:
// https://istio.io/docs/reference/config/networking/sidecar.html
#SidecarSpec: {
// Egress specifies the configuration of the sidecar for
// processing outbound traffic from the attached workload
// instance to other services in the mesh.
egress?: [...{
// The IP(IPv4 or IPv6) or the Unix domain socket to which the
// listener should be bound to.
bind?: string
// When the bind address is an IP, the captureMode option dictates
// how traffic to the listener is expected to be captured (or
// not).
captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
// One or more service hosts exposed by the listener in
// `namespace/dnsName` format.
hosts: [...string]
// The port associated with the listener.
port?: {
// Label assigned to the port.
name?: string
// A valid non-negative integer port number.
number?: int
// The protocol exposed on the port.
protocol?: string
targetPort?: int
}
}]
// Settings controlling the volume of connections Envoy will
// accept from the network.
inboundConnectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Ingress specifies the configuration of the sidecar for
// processing inbound traffic to the attached workload instance.
ingress?: [...{
// The IP(IPv4 or IPv6) to which the listener should be bound.
bind?: string
// The captureMode option dictates how traffic to the listener is
// expected to be captured (or not).
captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
// Settings controlling the volume of connections Envoy will
// accept from the network.
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// The IP endpoint or Unix domain socket to which traffic should
// be forwarded to.
defaultEndpoint?: string
// The port associated with the listener.
port: {
// Label assigned to the port.
name?: string
// A valid non-negative integer port number.
number?: int
// The protocol exposed on the port.
protocol?: string
targetPort?: int
}
// Set of TLS related options that will enable TLS termination on
// the sidecar for requests originating from outside the mesh.
tls?: {
// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
caCertificates?: string
// Optional: If specified, only support the specified cipher list.
cipherSuites?: [...string]
// For gateways running on Kubernetes, the name of the secret that
// holds the TLS certs including the CA certificates.
credentialName?: string
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS.
httpsRedirect?: bool
// Optional: Maximum TLS protocol version.
maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Minimum TLS protocol version.
minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Indicates whether connections to this port should be
// secured using TLS.
mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
privateKey?: string
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
serverCertificate?: string
// A list of alternate names to verify the subject identity in the
// certificate presented by the client.
subjectAltNames?: [...string]
// An optional list of hex-encoded SHA-256 hashes of the
// authorized client certificates.
verifyCertificateHash?: [...string]
// An optional list of base64-encoded SHA-256 hashes of the SPKIs
// of authorized client certificates.
verifyCertificateSpki?: [...string]
}
}]
// Configuration for the outbound traffic policy.
outboundTrafficPolicy?: {
egressProxy?: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
}
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which the configuration should be applied.
labels?: {
[string]: string
}
}
}

280
docs/examples/cue.mod/gen/networking.istio.io/sidecar/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,280 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#Sidecar: {
// Configuration affecting network reachability of a sidecar. See
// more details at:
// https://istio.io/docs/reference/config/networking/sidecar.html
spec!: #SidecarSpec
apiVersion: "networking.istio.io/v1beta1"
kind: "Sidecar"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting network reachability of a sidecar. See
// more details at:
// https://istio.io/docs/reference/config/networking/sidecar.html
#SidecarSpec: {
// Egress specifies the configuration of the sidecar for
// processing outbound traffic from the attached workload
// instance to other services in the mesh.
egress?: [...{
// The IP(IPv4 or IPv6) or the Unix domain socket to which the
// listener should be bound to.
bind?: string
// When the bind address is an IP, the captureMode option dictates
// how traffic to the listener is expected to be captured (or
// not).
captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
// One or more service hosts exposed by the listener in
// `namespace/dnsName` format.
hosts: [...string]
// The port associated with the listener.
port?: {
// Label assigned to the port.
name?: string
// A valid non-negative integer port number.
number?: int
// The protocol exposed on the port.
protocol?: string
targetPort?: int
}
}]
// Settings controlling the volume of connections Envoy will
// accept from the network.
inboundConnectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// Ingress specifies the configuration of the sidecar for
// processing inbound traffic to the attached workload instance.
ingress?: [...{
// The IP(IPv4 or IPv6) to which the listener should be bound.
bind?: string
// The captureMode option dictates how traffic to the listener is
// expected to be captured (or not).
captureMode?: "DEFAULT" | "IPTABLES" | "NONE"
// Settings controlling the volume of connections Envoy will
// accept from the network.
connectionPool?: {
// HTTP connection pool settings.
http?: {
// Specify if http1.1 connection should be upgraded to http2 for
// the associated destination.
h2UpgradePolicy?: "DEFAULT" | "DO_NOT_UPGRADE" | "UPGRADE"
// Maximum number of requests that will be queued while waiting
// for a ready connection pool connection.
http1MaxPendingRequests?: int
// Maximum number of active requests to a destination.
http2MaxRequests?: int
// The idle timeout for upstream connection pool connections.
idleTimeout?: string
// Maximum number of requests per connection to a backend.
maxRequestsPerConnection?: int
// Maximum number of retries that can be outstanding to all hosts
// in a cluster at a given time.
maxRetries?: int
// If set to true, client protocol will be preserved while
// initiating connection to backend.
useClientProtocol?: bool
}
// Settings common to both HTTP and TCP upstream connections.
tcp?: {
// TCP connection timeout.
connectTimeout?: string
// The maximum duration of a connection.
maxConnectionDuration?: string
// Maximum number of HTTP1 /TCP connections to a destination host.
maxConnections?: int
// If set then set SO_KEEPALIVE on the socket to enable TCP
// Keepalives.
tcpKeepalive?: {
// The time duration between keep-alive probes.
interval?: string
// Maximum number of keepalive probes to send without response
// before deciding the connection is dead.
probes?: int
// The time duration a connection needs to be idle before
// keep-alive probes start being sent.
time?: string
}
}
}
// The IP endpoint or Unix domain socket to which traffic should
// be forwarded to.
defaultEndpoint?: string
// The port associated with the listener.
port: {
// Label assigned to the port.
name?: string
// A valid non-negative integer port number.
number?: int
// The protocol exposed on the port.
protocol?: string
targetPort?: int
}
// Set of TLS related options that will enable TLS termination on
// the sidecar for requests originating from outside the mesh.
tls?: {
// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
caCertificates?: string
// Optional: If specified, only support the specified cipher list.
cipherSuites?: [...string]
// For gateways running on Kubernetes, the name of the secret that
// holds the TLS certs including the CA certificates.
credentialName?: string
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS.
httpsRedirect?: bool
// Optional: Maximum TLS protocol version.
maxProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Minimum TLS protocol version.
minProtocolVersion?: "TLS_AUTO" | "TLSV1_0" | "TLSV1_1" | "TLSV1_2" | "TLSV1_3"
// Optional: Indicates whether connections to this port should be
// secured using TLS.
mode?: "PASSTHROUGH" | "SIMPLE" | "MUTUAL" | "AUTO_PASSTHROUGH" | "ISTIO_MUTUAL" | "OPTIONAL_MUTUAL"
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
privateKey?: string
// REQUIRED if mode is `SIMPLE` or `MUTUAL`.
serverCertificate?: string
// A list of alternate names to verify the subject identity in the
// certificate presented by the client.
subjectAltNames?: [...string]
// An optional list of hex-encoded SHA-256 hashes of the
// authorized client certificates.
verifyCertificateHash?: [...string]
// An optional list of base64-encoded SHA-256 hashes of the SPKIs
// of authorized client certificates.
verifyCertificateSpki?: [...string]
}
}]
// Configuration for the outbound traffic policy.
outboundTrafficPolicy?: {
egressProxy?: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
mode?: "REGISTRY_ONLY" | "ALLOW_ANY"
}
workloadSelector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which the configuration should be applied.
labels?: {
[string]: string
}
}
}

594
docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,594 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#VirtualService: {
// Configuration affecting label/content routing, sni routing,
// etc. See more details at:
// https://istio.io/docs/reference/config/networking/virtual-service.html
spec!: #VirtualServiceSpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "VirtualService"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting label/content routing, sni routing,
// etc. See more details at:
// https://istio.io/docs/reference/config/networking/virtual-service.html
#VirtualServiceSpec: {
// A list of namespaces to which this virtual service is exported.
exportTo?: [...string]
// The names of gateways and sidecars that should apply these
// routes.
gateways?: [...string]
// The destination hosts to which traffic is being sent.
hosts?: [...string]
// An ordered list of route rules for HTTP traffic.
http?: [...{
// Cross-Origin Resource Sharing policy (CORS).
corsPolicy?: {
// Indicates whether the caller is allowed to send the actual
// request (not the preflight) using credentials.
allowCredentials?: null | bool
// List of HTTP headers that can be used when requesting the
// resource.
allowHeaders?: [...string]
// List of HTTP methods allowed to access the resource.
allowMethods?: [...string]
allowOrigin?: [...string]
// String patterns that match allowed origins.
allowOrigins?: [...({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}]
// A list of HTTP headers that the browsers are allowed to access.
exposeHeaders?: [...string]
// Specifies how long the results of a preflight request can be
// cached.
maxAge?: string
}
// Delegate is used to specify the particular VirtualService which
// can be used to define delegate HTTPRoute.
delegate?: {
// Name specifies the name of the delegate VirtualService.
name?: string
// Namespace specifies the namespace where the delegate
// VirtualService resides.
namespace?: string
}
// A HTTP rule can either return a direct_response, redirect or
// forward (default) traffic.
directResponse?: {
// Specifies the content of the response body.
body?: ({} | {
string: _
} | {
bytes: _
}) & {
// response body as base64 encoded bytes.
bytes?: string
string?: string
}
// Specifies the HTTP response status to be returned.
status: int
}
// Fault injection policy to apply on HTTP traffic at the client
// side.
fault?: {
// Abort Http request attempts and return error codes back to
// downstream service, giving the impression that the upstream
// service is faulty.
abort?: ({} | {
httpStatus: _
} | {
grpcStatus: _
} | {
http2Error: _
}) & {
// GRPC status code to use to abort the request.
grpcStatus?: string
http2Error?: string
// HTTP status code to use to abort the Http request.
httpStatus?: int
percentage?: {
value?: number
}
}
// Delay requests before forwarding, emulating various failures
// such as network issues, overloaded upstream service, etc.
delay?: ({} | {
fixedDelay: _
} | {
exponentialDelay: _
}) & {
exponentialDelay?: string
// Add a fixed delay before forwarding the request.
fixedDelay?: string
// Percentage of requests on which the delay will be injected
// (0-100).
percent?: int
percentage?: {
value?: number
}
}
}
headers?: {
request?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
response?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
}
// Match conditions to be satisfied for the rule to be activated.
match?: [...{
// HTTP Authority values are case-sensitive and formatted as
// follows: - `exact: "value"` for exact string match - `prefix:
// "value"` for prefix-based match - `regex: "value"` for RE2
// style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
authority?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// Names of gateways where the rule should be applied.
gateways?: [...string]
// The header keys must be lowercase and use hyphen as the
// separator, e.g.
headers?: {
[string]: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
}
// Flag to specify whether the URI matching should be
// case-insensitive.
ignoreUriCase?: bool
// HTTP Method values are case-sensitive and formatted as follows:
// - `exact: "value"` for exact string match - `prefix: "value"`
// for prefix-based match - `regex: "value"` for RE2 style
// regex-based match (https://github.com/google/re2/wiki/Syntax).
method?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// The name assigned to a match.
name?: string
// Specifies the ports on the host that is being addressed.
port?: int
// Query parameters for matching.
queryParams?: {
[string]: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
}
// URI Scheme values are case-sensitive and formatted as follows:
// - `exact: "value"` for exact string match - `prefix: "value"`
// for prefix-based match - `regex: "value"` for RE2 style
// regex-based match (https://github.com/google/re2/wiki/Syntax).
scheme?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// One or more labels that constrain the applicability of a rule
// to source (client) workloads with the given labels.
sourceLabels?: {
[string]: string
}
// Source namespace constraining the applicability of a rule to
// workloads in that namespace.
sourceNamespace?: string
// The human readable prefix to use when emitting statistics for
// this route.
statPrefix?: string
// URI to match values are case-sensitive and formatted as
// follows: - `exact: "value"` for exact string match - `prefix:
// "value"` for prefix-based match - `regex: "value"` for RE2
// style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
uri?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// withoutHeader has the same syntax with the header, but has
// opposite meaning.
withoutHeaders?: {
[string]: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
}
}]
// Mirror HTTP traffic to a another destination in addition to
// forwarding the requests to the intended destination.
mirror?: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
mirror_percent?: null | int
mirrorPercent?: null | int
mirrorPercentage?: {
value?: number
}
// Specifies the destinations to mirror HTTP traffic in addition
// to the original destination.
mirrors?: [...{
// Destination specifies the target of the mirror operation.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
percentage?: {
value?: number
}
}]
// The name assigned to the route for debugging purposes.
name?: string
// A HTTP rule can either return a direct_response, redirect or
// forward (default) traffic.
redirect?: ({} | {
port: _
} | {
derivePort: _
}) & {
// On a redirect, overwrite the Authority/Host portion of the URL
// with this value.
authority?: string
// On a redirect, dynamically set the port: *
// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
// 443 for HTTPS.
derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
// On a redirect, overwrite the port portion of the URL with this
// value.
port?: int
// On a redirect, Specifies the HTTP status code to use in the
// redirect response.
redirectCode?: int
// On a redirect, overwrite the scheme portion of the URL with
// this value.
scheme?: string
// On a redirect, overwrite the Path portion of the URL with this
// value.
uri?: string
}
// Retry policy for HTTP requests.
retries?: {
// Number of retries to be allowed for a given request.
attempts?: int
// Timeout per attempt for a given request, including the initial
// call and any retries.
perTryTimeout?: string
// Specifies the conditions under which retry takes place.
retryOn?: string
// Flag to specify whether the retries should retry to other
// localities.
retryRemoteLocalities?: null | bool
}
// Rewrite HTTP URIs and Authority headers.
rewrite?: {
// rewrite the Authority/Host header with this value.
authority?: string
// rewrite the path (or the prefix) portion of the URI with this
// value.
uri?: string
// rewrite the path portion of the URI with the specified regex.
uriRegexRewrite?: {
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
match?: string
// The string that should replace into matching portions of
// original URI.
rewrite?: string
}
}
// A HTTP rule can either return a direct_response, redirect or
// forward (default) traffic.
route?: [...{
// Destination uniquely identifies the instances of a service to
// which the request/connection should be forwarded to.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
headers?: {
request?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
response?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
}
// Weight specifies the relative proportion of traffic to be
// forwarded to the destination.
weight?: int
}]
// Timeout for HTTP requests, default is disabled.
timeout?: string
}]
// An ordered list of route rules for opaque TCP traffic.
tcp?: [...{
// Match conditions to be satisfied for the rule to be activated.
match?: [...{
// IPv4 or IPv6 ip addresses of destination with optional subnet.
destinationSubnets?: [...string]
// Names of gateways where the rule should be applied.
gateways?: [...string]
// Specifies the port on the host that is being addressed.
port?: int
// One or more labels that constrain the applicability of a rule
// to workloads with the given labels.
sourceLabels?: {
[string]: string
}
// Source namespace constraining the applicability of a rule to
// workloads in that namespace.
sourceNamespace?: string
sourceSubnet?: string
}]
// The destination to which the connection should be forwarded to.
route?: [...{
// Destination uniquely identifies the instances of a service to
// which the request/connection should be forwarded to.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
// Weight specifies the relative proportion of traffic to be
// forwarded to the destination.
weight?: int
}]
}]
// An ordered list of route rule for non-terminated TLS & HTTPS
// traffic.
tls?: [...{
// Match conditions to be satisfied for the rule to be activated.
match: [...{
// IPv4 or IPv6 ip addresses of destination with optional subnet.
destinationSubnets?: [...string]
// Names of gateways where the rule should be applied.
gateways?: [...string]
// Specifies the port on the host that is being addressed.
port?: int
// SNI (server name indicator) to match on.
sniHosts: [...string]
// One or more labels that constrain the applicability of a rule
// to workloads with the given labels.
sourceLabels?: {
[string]: string
}
// Source namespace constraining the applicability of a rule to
// workloads in that namespace.
sourceNamespace?: string
}]
// The destination to which the connection should be forwarded to.
route?: [...{
// Destination uniquely identifies the instances of a service to
// which the request/connection should be forwarded to.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
// Weight specifies the relative proportion of traffic to be
// forwarded to the destination.
weight?: int
}]
}]
}

594
docs/examples/cue.mod/gen/networking.istio.io/virtualservice/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,594 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#VirtualService: {
// Configuration affecting label/content routing, sni routing,
// etc. See more details at:
// https://istio.io/docs/reference/config/networking/virtual-service.html
spec!: #VirtualServiceSpec
apiVersion: "networking.istio.io/v1beta1"
kind: "VirtualService"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting label/content routing, sni routing,
// etc. See more details at:
// https://istio.io/docs/reference/config/networking/virtual-service.html
#VirtualServiceSpec: {
// A list of namespaces to which this virtual service is exported.
exportTo?: [...string]
// The names of gateways and sidecars that should apply these
// routes.
gateways?: [...string]
// The destination hosts to which traffic is being sent.
hosts?: [...string]
// An ordered list of route rules for HTTP traffic.
http?: [...{
// Cross-Origin Resource Sharing policy (CORS).
corsPolicy?: {
// Indicates whether the caller is allowed to send the actual
// request (not the preflight) using credentials.
allowCredentials?: null | bool
// List of HTTP headers that can be used when requesting the
// resource.
allowHeaders?: [...string]
// List of HTTP methods allowed to access the resource.
allowMethods?: [...string]
allowOrigin?: [...string]
// String patterns that match allowed origins.
allowOrigins?: [...({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}]
// A list of HTTP headers that the browsers are allowed to access.
exposeHeaders?: [...string]
// Specifies how long the results of a preflight request can be
// cached.
maxAge?: string
}
// Delegate is used to specify the particular VirtualService which
// can be used to define delegate HTTPRoute.
delegate?: {
// Name specifies the name of the delegate VirtualService.
name?: string
// Namespace specifies the namespace where the delegate
// VirtualService resides.
namespace?: string
}
// A HTTP rule can either return a direct_response, redirect or
// forward (default) traffic.
directResponse?: {
// Specifies the content of the response body.
body?: ({} | {
string: _
} | {
bytes: _
}) & {
// response body as base64 encoded bytes.
bytes?: string
string?: string
}
// Specifies the HTTP response status to be returned.
status: int
}
// Fault injection policy to apply on HTTP traffic at the client
// side.
fault?: {
// Abort Http request attempts and return error codes back to
// downstream service, giving the impression that the upstream
// service is faulty.
abort?: ({} | {
httpStatus: _
} | {
grpcStatus: _
} | {
http2Error: _
}) & {
// GRPC status code to use to abort the request.
grpcStatus?: string
http2Error?: string
// HTTP status code to use to abort the Http request.
httpStatus?: int
percentage?: {
value?: number
}
}
// Delay requests before forwarding, emulating various failures
// such as network issues, overloaded upstream service, etc.
delay?: ({} | {
fixedDelay: _
} | {
exponentialDelay: _
}) & {
exponentialDelay?: string
// Add a fixed delay before forwarding the request.
fixedDelay?: string
// Percentage of requests on which the delay will be injected
// (0-100).
percent?: int
percentage?: {
value?: number
}
}
}
headers?: {
request?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
response?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
}
// Match conditions to be satisfied for the rule to be activated.
match?: [...{
// HTTP Authority values are case-sensitive and formatted as
// follows: - `exact: "value"` for exact string match - `prefix:
// "value"` for prefix-based match - `regex: "value"` for RE2
// style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
authority?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// Names of gateways where the rule should be applied.
gateways?: [...string]
// The header keys must be lowercase and use hyphen as the
// separator, e.g.
headers?: {
[string]: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
}
// Flag to specify whether the URI matching should be
// case-insensitive.
ignoreUriCase?: bool
// HTTP Method values are case-sensitive and formatted as follows:
// - `exact: "value"` for exact string match - `prefix: "value"`
// for prefix-based match - `regex: "value"` for RE2 style
// regex-based match (https://github.com/google/re2/wiki/Syntax).
method?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// The name assigned to a match.
name?: string
// Specifies the ports on the host that is being addressed.
port?: int
// Query parameters for matching.
queryParams?: {
[string]: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
}
// URI Scheme values are case-sensitive and formatted as follows:
// - `exact: "value"` for exact string match - `prefix: "value"`
// for prefix-based match - `regex: "value"` for RE2 style
// regex-based match (https://github.com/google/re2/wiki/Syntax).
scheme?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// One or more labels that constrain the applicability of a rule
// to source (client) workloads with the given labels.
sourceLabels?: {
[string]: string
}
// Source namespace constraining the applicability of a rule to
// workloads in that namespace.
sourceNamespace?: string
// The human readable prefix to use when emitting statistics for
// this route.
statPrefix?: string
// URI to match values are case-sensitive and formatted as
// follows: - `exact: "value"` for exact string match - `prefix:
// "value"` for prefix-based match - `regex: "value"` for RE2
// style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
uri?: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
// withoutHeader has the same syntax with the header, but has
// opposite meaning.
withoutHeaders?: {
[string]: ({} | {
exact: _
} | {
prefix: _
} | {
regex: _
}) & {
exact?: string
prefix?: string
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
regex?: string
}
}
}]
// Mirror HTTP traffic to a another destination in addition to
// forwarding the requests to the intended destination.
mirror?: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
mirror_percent?: null | int
mirrorPercent?: null | int
mirrorPercentage?: {
value?: number
}
// Specifies the destinations to mirror HTTP traffic in addition
// to the original destination.
mirrors?: [...{
// Destination specifies the target of the mirror operation.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
percentage?: {
value?: number
}
}]
// The name assigned to the route for debugging purposes.
name?: string
// A HTTP rule can either return a direct_response, redirect or
// forward (default) traffic.
redirect?: ({} | {
port: _
} | {
derivePort: _
}) & {
// On a redirect, overwrite the Authority/Host portion of the URL
// with this value.
authority?: string
// On a redirect, dynamically set the port: *
// FROM_PROTOCOL_DEFAULT: automatically set to 80 for HTTP and
// 443 for HTTPS.
derivePort?: "FROM_PROTOCOL_DEFAULT" | "FROM_REQUEST_PORT"
// On a redirect, overwrite the port portion of the URL with this
// value.
port?: int
// On a redirect, Specifies the HTTP status code to use in the
// redirect response.
redirectCode?: int
// On a redirect, overwrite the scheme portion of the URL with
// this value.
scheme?: string
// On a redirect, overwrite the Path portion of the URL with this
// value.
uri?: string
}
// Retry policy for HTTP requests.
retries?: {
// Number of retries to be allowed for a given request.
attempts?: int
// Timeout per attempt for a given request, including the initial
// call and any retries.
perTryTimeout?: string
// Specifies the conditions under which retry takes place.
retryOn?: string
// Flag to specify whether the retries should retry to other
// localities.
retryRemoteLocalities?: null | bool
}
// Rewrite HTTP URIs and Authority headers.
rewrite?: {
// rewrite the Authority/Host header with this value.
authority?: string
// rewrite the path (or the prefix) portion of the URI with this
// value.
uri?: string
// rewrite the path portion of the URI with the specified regex.
uriRegexRewrite?: {
// RE2 style regex-based match
// (https://github.com/google/re2/wiki/Syntax).
match?: string
// The string that should replace into matching portions of
// original URI.
rewrite?: string
}
}
// A HTTP rule can either return a direct_response, redirect or
// forward (default) traffic.
route?: [...{
// Destination uniquely identifies the instances of a service to
// which the request/connection should be forwarded to.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
headers?: {
request?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
response?: {
add?: {
[string]: string
}
remove?: [...string]
set?: {
[string]: string
}
}
}
// Weight specifies the relative proportion of traffic to be
// forwarded to the destination.
weight?: int
}]
// Timeout for HTTP requests, default is disabled.
timeout?: string
}]
// An ordered list of route rules for opaque TCP traffic.
tcp?: [...{
// Match conditions to be satisfied for the rule to be activated.
match?: [...{
// IPv4 or IPv6 ip addresses of destination with optional subnet.
destinationSubnets?: [...string]
// Names of gateways where the rule should be applied.
gateways?: [...string]
// Specifies the port on the host that is being addressed.
port?: int
// One or more labels that constrain the applicability of a rule
// to workloads with the given labels.
sourceLabels?: {
[string]: string
}
// Source namespace constraining the applicability of a rule to
// workloads in that namespace.
sourceNamespace?: string
sourceSubnet?: string
}]
// The destination to which the connection should be forwarded to.
route?: [...{
// Destination uniquely identifies the instances of a service to
// which the request/connection should be forwarded to.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
// Weight specifies the relative proportion of traffic to be
// forwarded to the destination.
weight?: int
}]
}]
// An ordered list of route rule for non-terminated TLS & HTTPS
// traffic.
tls?: [...{
// Match conditions to be satisfied for the rule to be activated.
match: [...{
// IPv4 or IPv6 ip addresses of destination with optional subnet.
destinationSubnets?: [...string]
// Names of gateways where the rule should be applied.
gateways?: [...string]
// Specifies the port on the host that is being addressed.
port?: int
// SNI (server name indicator) to match on.
sniHosts: [...string]
// One or more labels that constrain the applicability of a rule
// to workloads with the given labels.
sourceLabels?: {
[string]: string
}
// Source namespace constraining the applicability of a rule to
// workloads in that namespace.
sourceNamespace?: string
}]
// The destination to which the connection should be forwarded to.
route?: [...{
// Destination uniquely identifies the instances of a service to
// which the request/connection should be forwarded to.
destination: {
// The name of a service from the service registry.
host: string
port?: {
number?: int
}
// The name of a subset within the service.
subset?: string
}
// Weight specifies the relative proportion of traffic to be
// forwarded to the destination.
weight?: int
}]
}]
}

62
docs/examples/cue.mod/gen/networking.istio.io/workloadentry/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,62 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#WorkloadEntry: {
// Configuration affecting VMs onboarded into the mesh. See more
// details at:
// https://istio.io/docs/reference/config/networking/workload-entry.html
spec!: #WorkloadEntrySpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "WorkloadEntry"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting VMs onboarded into the mesh. See more
// details at:
// https://istio.io/docs/reference/config/networking/workload-entry.html
#WorkloadEntrySpec: {
// Address associated with the network endpoint without the port.
address?: string
// One or more labels associated with the endpoint.
labels?: {
[string]: string
}
// The locality associated with the endpoint.
locality?: string
// Network enables Istio to group endpoints resident in the same
// L3 domain/network.
network?: string
// Set of ports associated with the endpoint.
ports?: {
[string]: int
}
// The service account associated with the workload if a sidecar
// is present in the workload.
serviceAccount?: string
// The load balancing weight associated with the endpoint.
weight?: int
}

62
docs/examples/cue.mod/gen/networking.istio.io/workloadentry/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,62 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#WorkloadEntry: {
// Configuration affecting VMs onboarded into the mesh. See more
// details at:
// https://istio.io/docs/reference/config/networking/workload-entry.html
spec!: #WorkloadEntrySpec
apiVersion: "networking.istio.io/v1beta1"
kind: "WorkloadEntry"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration affecting VMs onboarded into the mesh. See more
// details at:
// https://istio.io/docs/reference/config/networking/workload-entry.html
#WorkloadEntrySpec: {
// Address associated with the network endpoint without the port.
address?: string
// One or more labels associated with the endpoint.
labels?: {
[string]: string
}
// The locality associated with the endpoint.
locality?: string
// Network enables Istio to group endpoints resident in the same
// L3 domain/network.
network?: string
// Set of ports associated with the endpoint.
ports?: {
[string]: int
}
// The service account associated with the workload if a sidecar
// is present in the workload.
serviceAccount?: string
// The load balancing weight associated with the endpoint.
weight?: int
}

136
docs/examples/cue.mod/gen/networking.istio.io/workloadgroup/v1alpha3/types_gen.cue Normal file
View File

@@ -0,0 +1,136 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha3
import "strings"
#WorkloadGroup: {
// Describes a collection of workload instances. See more details
// at:
// https://istio.io/docs/reference/config/networking/workload-group.html
spec!: #WorkloadGroupSpec
apiVersion: "networking.istio.io/v1alpha3"
kind: "WorkloadGroup"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Describes a collection of workload instances. See more details
// at:
// https://istio.io/docs/reference/config/networking/workload-group.html
#WorkloadGroupSpec: {
// Metadata that will be used for all corresponding
// `WorkloadEntries`.
metadata?: {
annotations?: {
[string]: string
}
labels?: {
[string]: string
}
}
// `ReadinessProbe` describes the configuration the user must
// provide for healthchecking on their workload.
probe?: ({} | {
httpGet: _
} | {
tcpSocket: _
} | {
exec: _
}) & {
exec?: {
// Command to run.
command?: [...string]
}
// Minimum consecutive failures for the probe to be considered
// failed after having succeeded.
failureThreshold?: int
// `httpGet` is performed to a given endpoint and the status/able
// to connect determines health.
httpGet?: {
// Host name to connect to, defaults to the pod IP.
host?: string
// Headers the proxy will pass on to make the request.
httpHeaders?: [...{
name?: string
value?: string
}]
// Path to access on the HTTP server.
path?: string
// Port on which the endpoint lives.
port: int
scheme?: string
}
// Number of seconds after the container has started before
// readiness probes are initiated.
initialDelaySeconds?: int
// How often (in seconds) to perform the probe.
periodSeconds?: int
// Minimum consecutive successes for the probe to be considered
// successful after having failed.
successThreshold?: int
// Health is determined by if the proxy is able to connect.
tcpSocket?: {
host?: string
port: int
}
// Number of seconds after which the probe times out.
timeoutSeconds?: int
}
// Template to be used for the generation of `WorkloadEntry`
// resources that belong to this `WorkloadGroup`.
template: {
// Address associated with the network endpoint without the port.
address?: string
// One or more labels associated with the endpoint.
labels?: {
[string]: string
}
// The locality associated with the endpoint.
locality?: string
// Network enables Istio to group endpoints resident in the same
// L3 domain/network.
network?: string
// Set of ports associated with the endpoint.
ports?: {
[string]: int
}
// The service account associated with the workload if a sidecar
// is present in the workload.
serviceAccount?: string
// The load balancing weight associated with the endpoint.
weight?: int
}
}

138
docs/examples/cue.mod/gen/networking.istio.io/workloadgroup/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,138 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#WorkloadGroup: {
// `WorkloadGroup` enables specifying the properties of a single
// workload for bootstrap and provides a template for
// `WorkloadEntry`, similar to how `Deployment` specifies
// properties of workloads via `Pod` templates.
spec!: #WorkloadGroupSpec
apiVersion: "networking.istio.io/v1beta1"
kind: "WorkloadGroup"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// `WorkloadGroup` enables specifying the properties of a single
// workload for bootstrap and provides a template for
// `WorkloadEntry`, similar to how `Deployment` specifies
// properties of workloads via `Pod` templates.
#WorkloadGroupSpec: {
// Metadata that will be used for all corresponding
// `WorkloadEntries`.
metadata?: {
annotations?: {
[string]: string
}
labels?: {
[string]: string
}
}
// `ReadinessProbe` describes the configuration the user must
// provide for healthchecking on their workload.
probe?: ({} | {
httpGet: _
} | {
tcpSocket: _
} | {
exec: _
}) & {
exec?: {
// Command to run.
command?: [...string]
}
// Minimum consecutive failures for the probe to be considered
// failed after having succeeded.
failureThreshold?: int
// `httpGet` is performed to a given endpoint and the status/able
// to connect determines health.
httpGet?: {
// Host name to connect to, defaults to the pod IP.
host?: string
// Headers the proxy will pass on to make the request.
httpHeaders?: [...{
name?: string
value?: string
}]
// Path to access on the HTTP server.
path?: string
// Port on which the endpoint lives.
port: int
scheme?: string
}
// Number of seconds after the container has started before
// readiness probes are initiated.
initialDelaySeconds?: int
// How often (in seconds) to perform the probe.
periodSeconds?: int
// Minimum consecutive successes for the probe to be considered
// successful after having failed.
successThreshold?: int
// Health is determined by if the proxy is able to connect.
tcpSocket?: {
host?: string
port: int
}
// Number of seconds after which the probe times out.
timeoutSeconds?: int
}
// Template to be used for the generation of `WorkloadEntry`
// resources that belong to this `WorkloadGroup`.
template: {
// Address associated with the network endpoint without the port.
address?: string
// One or more labels associated with the endpoint.
labels?: {
[string]: string
}
// The locality associated with the endpoint.
locality?: string
// Network enables Istio to group endpoints resident in the same
// L3 domain/network.
network?: string
// Set of ports associated with the endpoint.
ports?: {
[string]: int
}
// The service account associated with the workload if a sidecar
// is present in the workload.
serviceAccount?: string
// The load balancing weight associated with the endpoint.
weight?: int
}
}

147
docs/examples/cue.mod/gen/security.istio.io/authorizationpolicy/v1/types_gen.cue Normal file
View File

@@ -0,0 +1,147 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1
import "strings"
#AuthorizationPolicy: {
// Configuration for access control on workloads. See more details
// at:
// https://istio.io/docs/reference/config/security/authorization-policy.html
spec!: #AuthorizationPolicySpec
apiVersion: "security.istio.io/v1"
kind: "AuthorizationPolicy"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration for access control on workloads. See more details
// at:
// https://istio.io/docs/reference/config/security/authorization-policy.html
#AuthorizationPolicySpec: ({} | {
provider: _
}) & {
// Optional.
action?: "ALLOW" | "DENY" | "AUDIT" | "CUSTOM"
provider?: {
// Specifies the name of the extension provider.
name?: string
}
// Optional.
rules?: [...{
// Optional.
from?: [...{
// Source specifies the source of a request.
source?: {
// Optional.
ipBlocks?: [...string]
// Optional.
namespaces?: [...string]
// Optional.
notIpBlocks?: [...string]
// Optional.
notNamespaces?: [...string]
// Optional.
notPrincipals?: [...string]
// Optional.
notRemoteIpBlocks?: [...string]
// Optional.
notRequestPrincipals?: [...string]
// Optional.
principals?: [...string]
// Optional.
remoteIpBlocks?: [...string]
// Optional.
requestPrincipals?: [...string]
}
}]
// Optional.
to?: [...{
// Operation specifies the operation of a request.
operation?: {
// Optional.
hosts?: [...string]
// Optional.
methods?: [...string]
// Optional.
notHosts?: [...string]
// Optional.
notMethods?: [...string]
// Optional.
notPaths?: [...string]
// Optional.
notPorts?: [...string]
// Optional.
paths?: [...string]
// Optional.
ports?: [...string]
}
}]
// Optional.
when?: [...{
// The name of an Istio attribute.
key: string
// Optional.
notValues?: [...string]
// Optional.
values?: [...string]
}]
}]
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
// Optional.
targetRef?: {
// group is the group of the target resource.
group?: string
// kind is kind of the target resource.
kind?: string
// name is the name of the target resource.
name?: string
// namespace is the namespace of the referent.
namespace?: string
}
}

147
docs/examples/cue.mod/gen/security.istio.io/authorizationpolicy/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,147 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#AuthorizationPolicy: {
// Configuration for access control on workloads. See more details
// at:
// https://istio.io/docs/reference/config/security/authorization-policy.html
spec!: #AuthorizationPolicySpec
apiVersion: "security.istio.io/v1beta1"
kind: "AuthorizationPolicy"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Configuration for access control on workloads. See more details
// at:
// https://istio.io/docs/reference/config/security/authorization-policy.html
#AuthorizationPolicySpec: ({} | {
provider: _
}) & {
// Optional.
action?: "ALLOW" | "DENY" | "AUDIT" | "CUSTOM"
provider?: {
// Specifies the name of the extension provider.
name?: string
}
// Optional.
rules?: [...{
// Optional.
from?: [...{
// Source specifies the source of a request.
source?: {
// Optional.
ipBlocks?: [...string]
// Optional.
namespaces?: [...string]
// Optional.
notIpBlocks?: [...string]
// Optional.
notNamespaces?: [...string]
// Optional.
notPrincipals?: [...string]
// Optional.
notRemoteIpBlocks?: [...string]
// Optional.
notRequestPrincipals?: [...string]
// Optional.
principals?: [...string]
// Optional.
remoteIpBlocks?: [...string]
// Optional.
requestPrincipals?: [...string]
}
}]
// Optional.
to?: [...{
// Operation specifies the operation of a request.
operation?: {
// Optional.
hosts?: [...string]
// Optional.
methods?: [...string]
// Optional.
notHosts?: [...string]
// Optional.
notMethods?: [...string]
// Optional.
notPaths?: [...string]
// Optional.
notPorts?: [...string]
// Optional.
paths?: [...string]
// Optional.
ports?: [...string]
}
}]
// Optional.
when?: [...{
// The name of an Istio attribute.
key: string
// Optional.
notValues?: [...string]
// Optional.
values?: [...string]
}]
}]
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
// Optional.
targetRef?: {
// group is the group of the target resource.
group?: string
// kind is kind of the target resource.
kind?: string
// name is the name of the target resource.
name?: string
// namespace is the namespace of the referent.
namespace?: string
}
}

55
docs/examples/cue.mod/gen/security.istio.io/peerauthentication/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,55 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#PeerAuthentication: {
// Peer authentication configuration for workloads. See more
// details at:
// https://istio.io/docs/reference/config/security/peer_authentication.html
spec!: #PeerAuthenticationSpec
apiVersion: "security.istio.io/v1beta1"
kind: "PeerAuthentication"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Peer authentication configuration for workloads. See more
// details at:
// https://istio.io/docs/reference/config/security/peer_authentication.html
#PeerAuthenticationSpec: {
mtls?: {
// Defines the mTLS mode used for peer authentication.
mode?: "UNSET" | "DISABLE" | "PERMISSIVE" | "STRICT"
}
// Port specific mutual TLS settings.
portLevelMtls?: {
[string]: {
// Defines the mTLS mode used for peer authentication.
mode?: "UNSET" | "DISABLE" | "PERMISSIVE" | "STRICT"
}
}
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
}

111
docs/examples/cue.mod/gen/security.istio.io/requestauthentication/v1/types_gen.cue Normal file
View File

@@ -0,0 +1,111 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1
import "strings"
#RequestAuthentication: {
// Request authentication configuration for workloads. See more
// details at:
// https://istio.io/docs/reference/config/security/request_authentication.html
spec!: #RequestAuthenticationSpec
apiVersion: "security.istio.io/v1"
kind: "RequestAuthentication"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Request authentication configuration for workloads. See more
// details at:
// https://istio.io/docs/reference/config/security/request_authentication.html
#RequestAuthenticationSpec: {
// Define the list of JWTs that can be validated at the selected
// workloads' proxy.
jwtRules?: [...{
// The list of JWT
// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
// that are allowed to access.
audiences?: [...string]
// If set to true, the original token will be kept for the
// upstream request.
forwardOriginalToken?: bool
// List of header locations from which JWT is expected.
fromHeaders?: [...{
// The HTTP header name.
name: string
// The prefix that should be stripped before decoding the token.
prefix?: string
}]
// List of query parameters from which JWT is expected.
fromParams?: [...string]
// Identifies the issuer that issued the JWT.
issuer: string
// JSON Web Key Set of public keys to validate signature of the
// JWT.
jwks?: string
// URL of the provider's public key set to validate signature of
// the JWT.
jwks_uri?: string
// URL of the provider's public key set to validate signature of
// the JWT.
jwksUri?: string
// This field specifies a list of operations to copy the claim to
// HTTP headers on a successfully verified token.
outputClaimToHeaders?: [...{
// The name of the claim to be copied from.
claim?: string
// The name of the header to be created.
header?: string
}]
// This field specifies the header name to output a successfully
// verified JWT payload to the backend.
outputPayloadToHeader?: string
}]
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
// Optional.
targetRef?: {
// group is the group of the target resource.
group?: string
// kind is kind of the target resource.
kind?: string
// name is the name of the target resource.
name?: string
// namespace is the namespace of the referent.
namespace?: string
}
}

111
docs/examples/cue.mod/gen/security.istio.io/requestauthentication/v1beta1/types_gen.cue Normal file
View File

@@ -0,0 +1,111 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1beta1
import "strings"
#RequestAuthentication: {
// Request authentication configuration for workloads. See more
// details at:
// https://istio.io/docs/reference/config/security/request_authentication.html
spec!: #RequestAuthenticationSpec
apiVersion: "security.istio.io/v1beta1"
kind: "RequestAuthentication"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Request authentication configuration for workloads. See more
// details at:
// https://istio.io/docs/reference/config/security/request_authentication.html
#RequestAuthenticationSpec: {
// Define the list of JWTs that can be validated at the selected
// workloads' proxy.
jwtRules?: [...{
// The list of JWT
// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
// that are allowed to access.
audiences?: [...string]
// If set to true, the original token will be kept for the
// upstream request.
forwardOriginalToken?: bool
// List of header locations from which JWT is expected.
fromHeaders?: [...{
// The HTTP header name.
name: string
// The prefix that should be stripped before decoding the token.
prefix?: string
}]
// List of query parameters from which JWT is expected.
fromParams?: [...string]
// Identifies the issuer that issued the JWT.
issuer: string
// JSON Web Key Set of public keys to validate signature of the
// JWT.
jwks?: string
// URL of the provider's public key set to validate signature of
// the JWT.
jwks_uri?: string
// URL of the provider's public key set to validate signature of
// the JWT.
jwksUri?: string
// This field specifies a list of operations to copy the claim to
// HTTP headers on a successfully verified token.
outputClaimToHeaders?: [...{
// The name of the claim to be copied from.
claim?: string
// The name of the header to be created.
header?: string
}]
// This field specifies the header name to output a successfully
// verified JWT payload to the backend.
outputPayloadToHeader?: string
}]
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
// Optional.
targetRef?: {
// group is the group of the target resource.
group?: string
// kind is kind of the target resource.
kind?: string
// name is the name of the target resource.
name?: string
// namespace is the namespace of the referent.
namespace?: string
}
}

184
docs/examples/cue.mod/gen/telemetry.istio.io/telemetry/v1alpha1/types_gen.cue Normal file
View File

@@ -0,0 +1,184 @@
// Code generated by timoni. DO NOT EDIT.
//timoni:generate timoni vendor crd -f /home/jeff/workspace/holos-run/holos-infra/deploy/clusters/k2/components/prod-mesh-istio-base/prod-mesh-istio-base.gen.yaml
package v1alpha1
import "strings"
#Telemetry: {
// Telemetry configuration for workloads. See more details at:
// https://istio.io/docs/reference/config/telemetry.html
spec!: #TelemetrySpec
apiVersion: "telemetry.istio.io/v1alpha1"
kind: "Telemetry"
metadata!: {
name!: strings.MaxRunes(253) & strings.MinRunes(1) & {
string
}
namespace!: strings.MaxRunes(63) & strings.MinRunes(1) & {
string
}
labels?: {
[string]: string
}
annotations?: {
[string]: string
}
}
}
// Telemetry configuration for workloads. See more details at:
// https://istio.io/docs/reference/config/telemetry.html
#TelemetrySpec: {
// Optional.
accessLogging?: [...{
// Controls logging.
disabled?: null | bool
filter?: {
// CEL expression for selecting when requests/connections should
// be logged.
expression?: string
}
match?: {
// This determines whether or not to apply the access logging
// configuration based on the direction of traffic relative to
// the proxied workload.
mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
}
// Optional.
providers?: [...{
// Required.
name: string
}]
}]
// Optional.
metrics?: [...{
// Optional.
overrides?: [...{
// Optional.
disabled?: null | bool
// Match allows provides the scope of the override.
match?: ({} | {
metric: _
} | {
customMetric: _
}) & {
// Allows free-form specification of a metric.
customMetric?: string
// One of the well-known Istio Standard Metrics.
metric?: "ALL_METRICS" | "REQUEST_COUNT" | "REQUEST_DURATION" | "REQUEST_SIZE" | "RESPONSE_SIZE" | "TCP_OPENED_CONNECTIONS" | "TCP_CLOSED_CONNECTIONS" | "TCP_SENT_BYTES" | "TCP_RECEIVED_BYTES" | "GRPC_REQUEST_MESSAGES" | "GRPC_RESPONSE_MESSAGES"
// Controls which mode of metrics generation is selected: CLIENT
// and/or SERVER.
mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
}
// Optional.
tagOverrides?: {
[string]: {
// Operation controls whether or not to update/add a tag, or to
// remove it.
operation?: "UPSERT" | "REMOVE"
// Value is only considered if the operation is `UPSERT`.
value?: string
}
}
}]
// Optional.
providers?: [...{
// Required.
name: string
}]
// Optional.
reportingInterval?: string
}]
selector?: {
// One or more labels that indicate a specific set of pods/VMs on
// which a policy should be applied.
matchLabels?: {
[string]: string
}
}
// Optional.
targetRef?: {
// group is the group of the target resource.
group?: string
// kind is kind of the target resource.
kind?: string
// name is the name of the target resource.
name?: string
// namespace is the namespace of the referent.
namespace?: string
}
// Optional.
tracing?: [...{
// Optional.
customTags?: {
[string]: ({} | {
literal: _
} | {
environment: _
} | {
header: _
}) & {
// Environment adds the value of an environment variable to each
// span.
environment?: {
// Optional.
defaultValue?: string
// Name of the environment variable from which to extract the tag
// value.
name?: string
}
// RequestHeader adds the value of an header from the request to
// each span.
header?: {
// Optional.
defaultValue?: string
// Name of the header from which to extract the tag value.
name?: string
}
literal?: {
// The tag value to use.
value?: string
}
}
}
// Controls span reporting.
disableSpanReporting?: null | bool
match?: {
// This determines whether or not to apply the tracing
// configuration based on the direction of traffic relative to
// the proxied workload.
mode?: "CLIENT_AND_SERVER" | "CLIENT" | "SERVER"
}
// Optional.
providers?: [...{
// Required.
name: string
}]
// Controls the rate at which traffic will be selected for tracing
// if no prior sampling decision has been made.
randomSamplingPercentage?: null | number
useRequestIdForTraceSampling?: null | bool
}]
}

61
docs/examples/platforms/reference/clusters/workload/cloud/mesh/certissuers/issuers.cue Normal file
View File

@@ -0,0 +1,61 @@
package holos
// Lets Encrypt certificate issuers for public tls certs
#InputKeys: component: "certissuers"
#TargetNamespace: "cert-manager"
let Name = "letsencrypt"
// The cloudflare api token is platform scoped, not cluster scoped.
#SecretName: "cloudflare-api-token-secret"
// Depends on cert manager
#DependsOn: _CertManager
#KubernetesObjects & {
apiObjects: {
ClusterIssuer: {
letsencrypt: #ClusterIssuer & {
metadata: name: Name
spec: {
acme: {
email: #Platform.org.contact.email
server: "https://acme-v02.api.letsencrypt.org/directory"
privateKeySecretRef: name: Name + "-istio"
solvers: [{http01: ingress: class: "istio"}]
}
}
}
letsencryptStaging: #ClusterIssuer & {
metadata: name: Name + "-staging"
spec: {
acme: {
email: #Platform.org.contact.email
server: "https://acme-staging-v02.api.letsencrypt.org/directory"
privateKeySecretRef: name: Name + "-staging-istio"
solvers: [{http01: ingress: class: "istio"}]
}
}
}
letsencryptDns: #ClusterIssuer & {
metadata: name: Name + "-dns"
spec: {
acme: {
email: #Platform.org.contact.email
server: "https://acme-v02.api.letsencrypt.org/directory"
privateKeySecretRef: name: Name + "-istio"
solvers: [{
dns01: cloudflare: {
email: #Platform.org.cloudflare.email
apiTokenSecretRef: name: #SecretName
apiTokenSecretRef: key: "api_token"
}}]
}
}
}
}
ExternalSecret: "\(#SecretName)": #ExternalSecret & {
_name: #SecretName
}
}
}

23
docs/examples/platforms/reference/clusters/workload/cloud/mesh/certmanager/certmanager.cue Normal file
View File

@@ -0,0 +1,23 @@
package holos
// https://cert-manager.io/docs/
#TargetNamespace: "cert-manager"
#InputKeys: {
component: "certmanager"
service: "cert-manager"
}
#HelmChart & {
values: installCRDs: true
namespace: #TargetNamespace
chart: {
name: "cert-manager"
version: "1.14.3"
repository: {
name: "jetstack"
url: "https://charts.jetstack.io"
}
}
}

42
docs/examples/platforms/reference/clusters/workload/cloud/mesh/istio/base/istiobase.cue Normal file
View File

@@ -0,0 +1,42 @@
package holos
#InputKeys: component: "istio-base"
#TargetNamespace: "istio-system"
#HelmChart & {
namespace: #TargetNamespace
chart: {
name: "base"
version: "1.20.3"
repository: {
name: "istio"
url: "https://istio-release.storage.googleapis.com/charts"
}
}
values: {
global: {
// Used to locate istiod.
istioNamespace: #TargetNamespace
// Switch the hub away from the default docker.io to avoid rate limits
hub: "gcr.io/istio-release"
// ImagePullSecrets for control plane ServiceAccount, list of secrets in the same namespace
// to use for pulling any images in pods that reference this ServiceAccount.
// Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
istiod: enableAnalysis: false
configValidation: true
externalIstiod: false
remotePilotAddress: ""
}
base: {
// Include the CRDs in the helm template output
enableCRDTemplates: true
// Validation webhook configuration url
// For example: https://$remotePilotAddress:15017/validate
validationURL: ""
// For istioctl usage to disable istio config crds in base
enableIstioConfigCRDs: true
}
defaultRevision: "default"
}
}

12
docs/examples/platforms/reference/clusters/workload/cloud/mesh/mesh.cue Normal file
View File

@@ -0,0 +1,12 @@
package holos
// Components under this directory are part of this collection
#InputKeys: project: "mesh"
// Shared dependencies for all components in this collection.
#Kustomization: spec: targetNamespace: #TargetNamespace
#DependsOn: _Namespaces
// Common Dependencies
_CertManager: CertManager: name: "\(#InstancePrefix)-certmanager"
_Namespaces: Namespaces: name: "\(#StageName)-secrets-namespaces"

4
docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/eso-creds-refresher/component.cue
View File

@@ -20,9 +20,7 @@ import "encoding/json"
#TargetNamespace: #CredsRefresher.namespace
#Kustomization: spec: {
dependsOn: [{name: #InstancePrefix + "-namespaces"}]
}
#DependsOn: Namespaces: name: #InstancePrefix + "-namespaces"
let NAME = #CredsRefresher.name
let AUD = "//iam.googleapis.com/projects/\(#InputKeys.gcpProjectNumber)/locations/global/workloadIdentityPools/holos/providers/k8s-\(#InputKeys.cluster)"

6
docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/eso/eso.cue
View File

@@ -11,10 +11,8 @@ package holos
service: "eso"
}
#Kustomization: spec: {
dependsOn: [{name: #InstancePrefix + "-namespaces"}]
targetNamespace: #TargetNamespace
}
#Kustomization: spec: targetNamespace: #TargetNamespace
#DependsOn: Namespaces: name: #InstancePrefix + "-namespaces"
#HelmChart & {
values: installCrds: true

10
docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/namespaces/component.cue
View File

@@ -12,7 +12,12 @@ package holos
_ns: #PlatformNamespace
objects: [
#Namespace & {metadata: _ns},
#Namespace & {
metadata: _ns
},
#SecretStore & {
_namespace: _ns.name
},
]
}
@@ -21,8 +26,9 @@ package holos
for ns in #PlatformNamespaces {
for obj in (#PlatformNamespaceObjects & {_ns: ns}).objects {
let Kind = obj.kind
let NS = ns.name
let Name = obj.metadata.name
"\(Kind)": "\(Name)": obj
"\(Kind)": "\(NS)/\(Name)": obj
}
}
}

5
docs/examples/platforms/reference/clusters/workload/cloud/secrets/components/validate/component.cue
View File

@@ -9,13 +9,10 @@ package holos
component: "validate"
}
#Kustomization: spec: dependsOn: [{name: #InstancePrefix + "-eso"}]
#DependsOn: Namespaces: name: #InstancePrefix + "-eso"
#KubernetesObjects & {
apiObjects: {
SecretStore: default: #SecretStore
ExternalSecret: validate: #ExternalSecret & {
_name: "validate"
}

7
docs/examples/platforms/reference/clusters/workload/metal/ceph/ceph.cue
View File

@@ -12,10 +12,8 @@ package holos
component: "ceph"
}
#Kustomization: spec: {
dependsOn: [{name: "prod-secrets-namespaces"}]
targetNamespace: #TargetNamespace
}
#Kustomization: spec: targetNamespace: #TargetNamespace
#DependsOn: Namespaces: name: "\(#StageName)-secrets-namespaces"
#HelmChart & {
namespace: #TargetNamespace
@@ -29,7 +27,6 @@ package holos
}
apiObjects: {
SecretStore: default: #SecretStore
ExternalSecret: "\(#SecretName)": #ExternalSecret & {
_name: #SecretName
}

11
docs/examples/platforms/reference/namespaces.cue
View File

@@ -1,17 +1,16 @@
package holos
let Privileged = {labels: "pod-security.kubernetes.io/enforce": "privileged"}
// #PlatformNamespaces is the union of all namespaces across all cluster types. Namespaces are created in all clusters regardless of if they're
// used within the cluster or not. The is important for security and consistency with IAM, RBAC, and Secrets sync between clusters.
#PlatformNamespaces: [
{name: "external-secrets"},
{name: "holos-system"},
{name: "flux-system"},
{
name: "ceph-system"
labels: "pod-security.kubernetes.io/enforce": "privileged"
},
{name: "istio-system"},
{name: "istio-ingress"},
{name: "ceph-system"} & Privileged,
{name: "istio-system"} & Privileged,
{name: "istio-ingress"} & Privileged,
{name: "cert-manager"},
{name: "argocd"},
]

110
docs/examples/schema.cue
View File

@@ -8,37 +8,42 @@ import (
batchv1 "k8s.io/api/batch/v1"
es "external-secrets.io/externalsecret/v1beta1"
ss "external-secrets.io/secretstore/v1beta1"
cm "cert-manager.io/clusterissuer/v1"
"encoding/yaml"
)
// _apiVersion is the version of this schema. Defines the interface between CUE output and the holos cli.
_apiVersion: "holos.run/v1alpha1"
// #ClusterName is the cluster name for cluster scoped resources.
#ClusterName: #InputKeys.cluster
_apiVersion: "holos.run/v1alpha1"
// #StageName is prod, dev, stage, etc... Usually prod for platform components.
#StageName: #InputKeys.stage
// #Name defines the name: string key value pair used all over the place.
#Name: name: string
// #CollectionName is the preferred handle to the collection element of the instance name. A collection name mapes to an "application name" as described in the kubernetes recommended labels documentation. Refer to https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/
#CollectionName: #InputKeys.project
// #ComponentName is the name of the holos component.
#ComponentName: #InputKeys.component
// #InstanceName is the name of the holos component instance being managed varying by stage, project, and component names.
#InstanceName: "\(#StageName)-\(#CollectionName)-\(#ComponentName)"
// #InstancePrefix is the stage and project without the component name. Useful for dependency management among multiple components for a project stage.
#InstancePrefix: "\(#StageName)-\(#CollectionName)"
// #TargetNamespace is the target namespace for a holos component.
#TargetNamespace: string
// #InstanceName is the name of the holos component instance being managed varying by stage, project, and component names.
#InstanceName: "\(#InputKeys.stage)-\(#InputKeys.project)-\(#InputKeys.component)"
// #InstancePrefix is the stage and project without the component name. Useful for dependency management among multiple components for a project stage.
#InstancePrefix: "\(#InputKeys.stage)-\(#InputKeys.project)"
// TypeMeta indicates a kubernetes api object
#TypeMeta: metav1.#TypeMeta
// #CommonLabels are mixed into every kubernetes api object.
#CommonLabels: {
"holos.run/stage.name": #InputKeys.stage
"holos.run/project.name": #InputKeys.project
"holos.run/component.name": #InputKeys.component
"app.kubernetes.io/part-of": #InputKeys.stage
"app.kubernetes.io/name": #InputKeys.project
"app.kubernetes.io/component": #InputKeys.component
"holos.run/stage.name": #StageName
"holos.run/project.name": #CollectionName
"holos.run/component.name": #ComponentName
"app.kubernetes.io/part-of": #StageName
"app.kubernetes.io/name": #CollectionName
"app.kubernetes.io/component": #ComponentName
"app.kubernetes.io/instance": #InstanceName
...
}
@@ -63,13 +68,14 @@ _apiVersion: "holos.run/v1alpha1"
}
#ClusterRole: #ClusterObject & rbacv1.#ClusterRole
#ClusterRoleBinding: #ClusterObject & rbacv1.#ClusterRoleBinding
#Role: #NamespaceObject & rbacv1.#Role
#RoleBinding: #NamespaceObject & rbacv1.#RoleBinding
#ConfigMap: #NamespaceObject & corev1.#ConfigMap
#ServiceAccount: #NamespaceObject & corev1.#ServiceAccount
#Pod: #NamespaceObject & corev1.#Pod
#Job: #NamespaceObject & batchv1.#Job
#CronJob: #NamespaceObject & batchv1.#CronJob
#ClusterIssuer: #ClusterObject & cm.#ClusterIssuer & {...}
#Role: #NamespaceObject & rbacv1.#Role
#RoleBinding: #NamespaceObject & rbacv1.#RoleBinding
#ConfigMap: #NamespaceObject & corev1.#ConfigMap
#ServiceAccount: #NamespaceObject & corev1.#ServiceAccount
#Pod: #NamespaceObject & corev1.#Pod
#Job: #NamespaceObject & batchv1.#Job
#CronJob: #NamespaceObject & batchv1.#CronJob
// Flux Kustomization CRDs
#Kustomization: #NamespaceObject & ksv1.#Kustomization & {
@@ -90,9 +96,18 @@ _apiVersion: "holos.run/v1alpha1"
targetNamespace?: string
timeout: string | *"3m0s"
wait: bool | *true
dependsOn: [for k, v in #DependsOn {v}]
}
}
// #DependsOn stores all of the dependencies between components. It's a struct to support merging across levels in the tree.
#DependsOn: {
[NAME=_]: {
name: string
}
...
}
// External Secrets CRDs
#ExternalSecret: #NamespaceObject & es.#ExternalSecret & {
_name: string
@@ -117,13 +132,14 @@ _apiVersion: "holos.run/v1alpha1"
}
#SecretStore: #NamespaceObject & ss.#SecretStore & {
_namespace: string
metadata: {
name: string | *"default"
namespace: #TargetNamespace
namespace: _namespace
}
spec: provider: {
kubernetes: {
remoteNamespace: #TargetNamespace
remoteNamespace: _namespace
auth: token: bearerToken: {
name: string | *"eso-reader"
key: string | *"token"
@@ -142,10 +158,8 @@ _apiVersion: "holos.run/v1alpha1"
cluster: string @tag(cluster, type=string)
// stage is usually set by the platform or project.
stage: *"prod" | string @tag(stage, type=string)
// project is usually set by the platform or project.
project: string @tag(project, type=string)
// service is usually set by the component.
service: string @tag(service, type=string)
service: *component | string @tag(service, type=string)
// component is the name of the component
component: string @tag(component, type=string)
@@ -165,6 +179,8 @@ _apiVersion: "holos.run/v1alpha1"
org: {
name: string
domain: string
contact: email: string
cloudflare: email: string
}
clusters: [ID=_]: {
name: string & ID
@@ -172,7 +188,7 @@ _apiVersion: "holos.run/v1alpha1"
}
stages: [ID=_]: {
name: string & ID
environments: [...#Name]
environments: [...{name: string}]
}
projects: [ID=_]: {
name: string & ID
@@ -202,6 +218,7 @@ _apiVersion: "holos.run/v1alpha1"
}
}
}
...
}
}
@@ -210,34 +227,33 @@ _apiVersion: "holos.run/v1alpha1"
// apiVersion is the output api version
apiVersion: _apiVersion
// kind is a discriminator of the type of output
kind: #PlatformSpec.kind | #KubernetesObjects.kind | #HelmChart.kind
kind: #PlatformSpec.kind | #KubernetesObjects.kind | #HelmChart.kind | #NoOutput.kind
// name holds a unique name suitable for a filename
metadata: name: string
// contentType is the standard MIME type indicating the content type of the content field
contentType: *"application/yaml" | "application/json"
// content holds the content text output
content: string | *""
// debug returns arbitrary debug output.
debug?: _
}
#NoOutput: {
#OutputTypeMeta
kind: string | *"Skip"
metadata: name: string | *"skipped"
}
// #KubernetesObjectOutput is the output schema of a single component.
#KubernetesObjects: {
#OutputTypeMeta
#APIObjects
// kind KubernetesObjects provides a yaml text stream of kubernetes api objects in the out field.
kind: "KubernetesObjects"
metadata: name: #InstanceName
// ksObjects holds the flux Kustomization objects for gitops
ksObjects: [...#Kustomization] | *[#Kustomization]
// ksContent is the yaml representation of kustomization
ksContent: yaml.MarshalStream(ksObjects)
ksContent: yaml.Marshal(#Kustomization)
// platform returns the platform data structure for visibility / troubleshooting.
platform: #Platform
}
objects: "not allowed"
// #Chart defines an upstream helm chart
#Chart: {
name: string
@@ -255,8 +271,8 @@ objects: "not allowed"
#HelmChart: {
#OutputTypeMeta
#APIObjects
kind: "HelmChart"
metadata: name: #InstanceName
// ksObjects holds the flux Kustomization objects for gitops.
ksObjects: [...#Kustomization] | *[#Kustomization]
// ksContent is the yaml representation of kustomization.
@@ -281,10 +297,10 @@ objects: "not allowed"
kind: "PlatformSpec"
}
#Output: #PlatformSpec | #KubernetesObjects | #HelmChart
// Holos component name
metadata: name: #InstanceName
// #SecretName is the name of a Secret, ususally coupling a Deployment to an ExternalSecret
#SecretName: string
// By default, render kind: Skipped so holos knows to skip over intermediate cue files.
// This enables the use of holos render ./foo/bar/baz/... when bar contains intermediary constraints which are not complete components.
// Holos skips over these intermediary cue instances.
{} & #NoOutput

2
docs/provisioner/readme.md
View File

@@ -49,7 +49,7 @@ PROJECT_NUMBER="$(gcloud projects describe $PROJECT_ID --format='value(projectNu
ORG_DOMAIN="example.com"
```
## Seed Cluster
## Provisioner Cluster
```shell
gcloud container clusters create-auto provisioner \

3
pkg/cli/build/build.go
View File

@@ -20,6 +20,9 @@ func makeBuildRunFunc(cfg *holos.Config) command.RunFunc {
}
outs := make([]string, 0, len(results))
for _, result := range results {
if result.Skip {
continue
}
outs = append(outs, result.FinalOutput())
}
out := strings.Join(outs, "---\n")

3
pkg/cli/render/render.go
View File

@@ -27,6 +27,9 @@ func makeRenderRunFunc(cfg *holos.Config) command.RunFunc {
// the same file path. Write files into a blank temporary directory, error if a
// file exists, then move the directory into place.
for _, result := range results {
if result.Skip {
continue
}
// API Objects
path := result.Filename(cfg.WriteTo(), cfg.ClusterName())
if err := result.Save(ctx, path, result.FinalOutput()); err != nil {

8
pkg/internal/builder/builder.go
View File

@@ -29,6 +29,8 @@ const (
// Helm is the value of the kind field of holos build output indicating helm
// values and helm command information.
Helm = "HelmChart"
// Skip is the value when the instance should be skipped
Skip = "Skip"
// ChartDir is the chart cache directory name.
ChartDir = "vendor"
)
@@ -85,6 +87,7 @@ type Result struct {
KsContent string `json:"ksContent,omitempty"`
APIObjectMap apiObjectMap `json:"apiObjectMap,omitempty"`
finalOutput string
Skip bool
}
type Repository struct {
@@ -251,6 +254,8 @@ func (b *Builder) Run(ctx context.Context) (results []*Result, err error) {
log.DebugContext(ctx, "cue: processing holos component kind "+info.Kind)
switch kind := info.Kind; kind {
case Skip:
result.Skip = true
case Kube:
// CUE directly provides the kubernetes api objects in result.Content
if err := value.Decode(&result); err != nil {
@@ -272,7 +277,6 @@ func (b *Builder) Run(ctx context.Context) (results []*Result, err error) {
return nil, err
}
result.addOverlayObjects(log)
default:
return nil, wrapper.Wrap(fmt.Errorf("build kind not implemented: %v", kind))
}
@@ -400,7 +404,7 @@ func isNotExist(path string) bool {
return os.IsNotExist(err)
}
// cacheChart stores a cached copy of Chart in the chart sub-directory of path.
// cacheChart stores a cached copy of Chart in the chart subdirectory of path.
func cacheChart(ctx context.Context, path holos.PathComponent, chartDir string, chart Chart) error {
log := logger.FromContext(ctx)

2
pkg/version/embedded/minor
View File

@@ -1 +1 @@
48
49

2
pkg/version/embedded/patch
View File

@@ -1 +1 @@
1
0