ServiceCertValidityDuration defines the service certificate validity duration.

CertKeyBitSize defines the certicate key bit size.

IngressGateway defines the certificate specification for an ingress gateway.

Name defines the name of cluster property.

Value defines the name of cluster property.

Properties defines properties for cluster.

Enable defines a boolean indicating if the external authorization policy is to be enabled.

Address defines the remote address of the external authorization endpoint.

Port defines the destination port of the remote external authorization endpoint.

StatPrefix defines a prefix for the stats sink for this external authorization policy.

Timeout defines the timeout in which a response from the external authorization endpoint. is expected to execute.

FailureModeAllow defines a boolean indicating if traffic should be allowed on a failure to get a response against the external authorization endpoint.

EnableEgressPolicy defines if FSM’s Egress policy is enabled.

EnableSnapshotCacheMode defines if XDS server starts with snapshot cache.

EnableAsyncProxyServiceMapping defines if FSM will map proxies to services asynchronously.

EnableIngressBackendPolicy defines if FSM will use the IngressBackend API to allow ingress traffic to service mesh backends.

EnableAccessControlPolicy defines if FSM will use the AccessControl API to allow access control traffic to service mesh backends.

EnableAccessCertPolicy defines if FSM can issue certificates for external services..

EnableSidecarActiveHealthChecks defines if FSM will sidecar active health checks between services allowed to communicate.

EnableRetryPolicy defines if retry policy is enabled.

EnablePluginPolicy defines if plugin policy is enabled.

EnableAutoDefaultRoute defines if auto default route is enabled.

SubjectAltNames defines the Subject Alternative Names (domain names and IP addresses) secured by the certificate.

ValidityDuration defines the validity duration of the certificate.

Secret defines the secret in which the certificate is stored.

Object’s metadata.

Spec is the MeshConfig specification.

ClusterSetSpec defines the configurations of cluster.

Sidecar defines the configurations of the proxy sidecar in a mesh.

RepoServer defines the configurations of pipy repo server.

Traffic defines the traffic management configurations for a mesh instance.

Observalility defines the observability configurations for a mesh instance.

Certificate defines the certificate management configurations for a mesh instance.

FeatureFlags defines the feature flags for a mesh instance.

PluginChains defines the default plugin chains.

FSMLogLevel defines the log level for FSM control plane logs.

EnableDebugServer defines if the debug endpoint on the FSM controller pod is enabled.

Tracing defines FSM’s tracing configuration.

RemoteLogging defines FSM’s remot logging configuration.

Plugin defines the name of plugin

Priority defines the priority of plugin

Disable defines the visibility of plugin

InboundTCPChains defines inbound tcp chains

InboundHTTPChains defines inbound http chains

OutboundTCPChains defines outbound tcp chains

OutboundHTTPChains defines outbound http chains

Enable defines a boolean indicating if the sidecars are enabled for remote logging.

Level defines the remote logging’s level.

Port defines the remote loggings port.

Address defines the remote logging’s hostname.

Endpoint defines the API endpoint for remote logging requests sent to the collector.

Authorization defines the access entity that allows to authorize someone in remote logging service.

SampledFraction defines the sampled fraction.

IPAddr of the pipy repo server

Codebase is the folder used by fsmController

SidecarName defines the name of the sidecar driver.

SidecarImage defines the container image used for the proxy sidecar.

InitContainerImage defines the container image used for the init container injected to meshed pods.

ProxyServerPort is the port on which the Discovery Service listens for new connections from Sidecars

SidecarDisabledMTLS defines if mTLS are disabled.

EnablePrivilegedInitContainer defines a boolean indicating whether the init container for a meshed pod should run as privileged.

LogLevel defines the logging level for the sidecar’s logs. Non developers should generally never set this value. In production environments the LogLevel should be set to error.

SidecarClass defines the container provider used for the proxy sidecar.

SidecarImage defines the container image used for the proxy sidecar.

SidecarDisabledMTLS defines whether mTLS is disabled.

InitContainerImage defines the container image used for the init container injected to meshed pods.

SidecarDrivers defines the sidecar supported.

MaxDataPlaneConnections defines the maximum allowed data plane connections from a proxy sidecar to the FSM controller.

ConfigResyncInterval defines the resync interval for regular proxy broadcast updates.

SidecarTimeout defines the connect/idle/read/write timeout.

Resources defines the compute resources for the sidecar.

Enable defines a boolean indicating if the sidecars are enabled for tracing.

Port defines the tracing collector’s port.

Address defines the tracing collectio’s hostname.

Endpoint defines the API endpoint for tracing requests sent to the collector.

SampledFraction defines the sampled fraction.

InterceptionMode defines a string indicating which traffic interception mode is used.

EnableEgress defines a boolean indicating if mesh-wide Egress is enabled.

OutboundIPRangeExclusionList defines a global list of IP address ranges to exclude from outbound traffic interception by the sidecar proxy.

OutboundPortExclusionList defines a global list of ports to exclude from outbound traffic interception by the sidecar proxy.

InboundPortExclusionList defines a global list of ports to exclude from inbound traffic interception by the sidecar proxy.

EnablePermissiveTrafficPolicyMode defines a boolean indicating if permissive traffic policy mode is enabled mesh-wide.

ServiceAccessMode defines a string indicating service access mode.

InboundExternalAuthorization defines a ruleset that, if enabled, will configure a remote external authorization endpoint for all inbound and ingress traffic in the mesh.

HTTP1PerRequestLoadBalancing defines a boolean indicating if load balancing based on request is enabled for http1.

HTTP1PerRequestLoadBalancing defines a boolean indicating if load balancing based on request is enabled for http2.

IssuerName specifies the name of the Issuer resource

IssuerKind specifies the kind of Issuer

IssuerGroup specifies the group the Issuer belongs to

ServiceCertValidityDuration defines the service certificate validity duration.

CertKeyBitSize defines the certicate key bit size.

IngressGateway defines the certificate specification for an ingress gateway.

Name defines the name of cluster property.

Value defines the name of cluster property.

Properties defines properties for cluster.

Enable defines a boolean indicating if the external authorization policy is to be enabled.

Address defines the remote address of the external authorization endpoint.

Port defines the destination port of the remote external authorization endpoint.

StatPrefix defines a prefix for the stats sink for this external authorization policy.

Timeout defines the timeout in which a response from the external authorization endpoint. is expected to execute.

FailureModeAllow defines a boolean indicating if traffic should be allowed on a failure to get a response against the external authorization endpoint.

EnableEgressPolicy defines if FSM’s Egress policy is enabled.

EnableSnapshotCacheMode defines if XDS server starts with snapshot cache.

EnableAsyncProxyServiceMapping defines if FSM will map proxies to services asynchronously.

EnableIngressBackendPolicy defines if FSM will use the IngressBackend API to allow ingress traffic to service mesh backends.

EnableAccessControlPolicy defines if FSM will use the AccessControl API to allow access control traffic to service mesh backends.

EnableAccessCertPolicy defines if FSM can issue certificates for external services..

EnableSidecarActiveHealthChecks defines if FSM will Sidecar active health checks between services allowed to communicate.

EnableRetryPolicy defines if retry policy is enabled.

EnablePluginPolicy defines if plugin policy is enabled.

EnableAutoDefaultRoute defines if auto default route is enabled.

SubjectAltNames defines the Subject Alternative Names (domain names and IP addresses) secured by the certificate.

ValidityDuration defines the validity duration of the certificate.

Secret defines the secret in which the certificate is stored.

Enable defines a boolean indicating if the sidecars are enabled for local DNS Proxy.

PrimaryUpstreamDNSServerIPAddr defines a primary upstream DNS server for local DNS Proxy.

SecondaryUpstreamDNSServerIPAddr defines a secondary upstream DNS server for local DNS Proxy.

"Localhost"

LocalProxyModeLocalhost indicates the the sidecar should communicate with the main application over localhost

"PodIP"

LocalProxyModePodIP indicates that the sidecar should communicate with the main application via the pod ip

Object’s metadata.

Spec is the MeshConfig specification.

ClusterSetSpec defines the configurations of cluster.

Sidecar defines the configurations of the proxy sidecar in a mesh.

RepoServer defines the configurations of pipy repo server.

Traffic defines the traffic management configurations for a mesh instance.

Observalility defines the observability configurations for a mesh instance.

Certificate defines the certificate management configurations for a mesh instance.

FeatureFlags defines the feature flags for a mesh instance.

PluginChains defines the default plugin chains.

Object’s metadata

Spec is the MeshRootCertificate config specification

Status of the MeshRootCertificate resource

Provider specifies the mesh certificate provider

TrustDomain is the trust domain to use as a suffix in Common Names for new certificates.

State specifies the state of the certificate provider All states are specified in constants.go

FSMLogLevel defines the log level for FSM control plane logs.

EnableDebugServer defines if the debug endpoint on the FSM controller pod is enabled.

Tracing defines FSM’s tracing configuration.

RemoteLogging defines FSM’s remote logging configuration.

Plugin defines the name of plugin

Priority defines the priority of plugin

Disable defines the visibility of plugin

InboundTCPChains defines inbound tcp chains

InboundHTTPChains defines inbound http chains

OutboundTCPChains defines outbound tcp chains

OutboundHTTPChains defines outbound http chains

CertManager specifies the cert-manager provider configuration

Vault specifies the vault provider configuration

Tresor specifies the Tresor provider configuration

Enable defines a boolean indicating if the sidecars are enabled for remote logging.

Level defines the remote logging’s level.

Port defines the remote logging’s port.

Address defines the remote logging’s hostname.

Endpoint defines the API endpoint for remote logging requests sent to the collector.

Authorization defines the access entity that allows to authorize someone in remote logging service.

SampledFraction defines the sampled fraction.

IPAddr of the pipy repo server

Codebase is the folder used by fsmController

Name specifies the name of the secret in which the Vault token is stored

Key specifies the key whose value is the Vault token

Namespace specifies the namespace of the secret in which the Vault token is stored

SidecarName defines the name of the sidecar driver.

SidecarImage defines the container image used for the proxy sidecar.

InitContainerImage defines the container image used for the init container injected to meshed pods.

ProxyServerPort is the port on which the Discovery Service listens for new connections from Sidecars

SidecarDisabledMTLS defines whether mTLS is disabled.

EnablePrivilegedInitContainer defines a boolean indicating whether the init container for a meshed pod should run as privileged.

LogLevel defines the logging level for the sidecar’s logs. Non developers should generally never set this value. In production environments the LogLevel should be set to error.

SidecarClass defines the class used for the proxy sidecar.

SidecarImage defines the container image used for the proxy sidecar.

SidecarDisabledMTLS defines whether mTLS is disabled.

InitContainerImage defines the container image used for the init container injected to meshed pods.

SidecarDrivers defines the sidecar supported.

MaxDataPlaneConnections defines the maximum allowed data plane connections from a proxy sidecar to the FSM controller.

ConfigResyncInterval defines the resync interval for regular proxy broadcast updates.

SidecarTimeout defines the connect/idle/read/write timeout.

Resources defines the compute resources for the sidecar.

TLSMinProtocolVersion defines the minimum TLS protocol version that the sidecar supports. Valid TLS protocol versions are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2 and TLSv1_3.

TLSMaxProtocolVersion defines the maximum TLS protocol version that the sidecar supports. Valid TLS protocol versions are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2 and TLSv1_3.

CipherSuites defines a list of ciphers that listener supports when negotiating TLS 1.0-1.2. This setting has no effect when negotiating TLS 1.3. For valid cipher names, see the latest OpenSSL ciphers manual page. E.g. https://www.openssl.org/docs/man1.1.1/apps/ciphers.html.

ECDHCurves defines a list of ECDH curves that TLS connection supports. If not specified, the curves are [X25519, P-256] for non-FIPS build and P-256 for builds using BoringSSL FIPS.

LocalProxyMode defines the network interface the proxy will use to send traffic to the backend service application. Acceptable values are [Localhost, PodIP]. The default is Localhost

LocalDNSProxy improves the performance of your computer by caching the responses coming from your DNS servers

Enable defines a boolean indicating if the sidecars are enabled for tracing.

Port defines the tracing collector’s port.

Address defines the tracing collectio’s hostname.

Endpoint defines the API endpoint for tracing requests sent to the collector.

SampledFraction defines the sampled fraction.

InterceptionMode defines a string indicating which traffic interception mode is used.

EnableEgress defines a boolean indicating if mesh-wide Egress is enabled.

OutboundIPRangeExclusionList defines a global list of IP address ranges to exclude from outbound traffic interception by the sidecar proxy.

OutboundIPRangeInclusionList defines a global list of IP address ranges to include for outbound traffic interception by the sidecar proxy. IP addresses outside this range will be excluded from outbound traffic interception by the sidecar proxy.

OutboundPortExclusionList defines a global list of ports to exclude from outbound traffic interception by the sidecar proxy.

InboundPortExclusionList defines a global list of ports to exclude from inbound traffic interception by the sidecar proxy.

EnablePermissiveTrafficPolicyMode defines a boolean indicating if permissive traffic policy mode is enabled mesh-wide.

ServiceAccessMode defines a string indicating service access mode.

InboundExternalAuthorization defines a ruleset that, if enabled, will configure a remote external authorization endpoint for all inbound and ingress traffic in the mesh.

NetworkInterfaceExclusionList defines a global list of network interface names to exclude from inbound and outbound traffic interception by the sidecar proxy.

HTTP1PerRequestLoadBalancing defines a boolean indicating if load balancing based on request is enabled for http1.

HTTP1PerRequestLoadBalancing defines a boolean indicating if load balancing based on request is enabled for http2.

SecretRef specifies the secret in which the root certificate is stored

CA specifies Tresor’s ca configuration

Host specifies the name of the Vault server

Port specifies the port of the Vault server

Role specifies the name of the role for use by mesh control plane

Protocol specifies the protocol for connections to Vault

Token specifies the configuration of the token to be used by mesh control plane to connect to Vault

SecretKeyRef specifies the secret in which the Vault token is stored

IssuerName specifies the name of the Issuer resource

IssuerKind specifies the kind of Issuer

IssuerGroup specifies the group the Issuer belongs to

ServiceCertValidityDuration defines the service certificate validity duration.

CertKeyBitSize defines the certicate key bit size.

IngressGateway defines the certificate specification for an ingress gateway.

Name defines the name of cluster property.

Value defines the name of cluster property.

IsManaged defines if the cluster is managed.

UID defines Unique ID of cluster.

Region defines Region of cluster.

Zone defines Zone of cluster.

Group defines Group of cluster.

Name defines Name of cluster.

ControlPlaneUID defines the unique ID of the control plane cluster, in case it’s managed

Properties defines properties for cluster.

Enabled defines if flb is enabled.

LogLevel defines the log level of gateway api.

Mode defines the mode of egress gateway.

Port defines the port of egress gateway.

AdminPort defines the admin port of egress gateway.

Replicas defines the replicas of egress gateway.

Enable defines a boolean indicating if the external authorization policy is to be enabled.

Address defines the remote address of the external authorization endpoint.

Port defines the destination port of the remote external authorization endpoint.

StatPrefix defines a prefix for the stats sink for this external authorization policy.

Timeout defines the timeout in which a response from the external authorization endpoint. is expected to execute.

FailureModeAllow defines a boolean indicating if traffic should be allowed on a failure to get a response against the external authorization endpoint.

Enabled defines if flb is enabled.

StrictMode defines if flb is in strict mode.

UpstreamMode defines the upstream mode of flb.

SecretName defines the secret name of flb.

"Endpoint"

"NodePort"

EnableEgressPolicy defines if FSM’s Egress policy is enabled.

EnableSnapshotCacheMode defines if XDS server starts with snapshot cache.

EnableAsyncProxyServiceMapping defines if FSM will map proxies to services asynchronously.

EnableIngressBackendPolicy defines if FSM will use the IngressBackend API to allow ingress traffic to service mesh backends.

EnableAccessControlPolicy defines if FSM will use the AccessControl API to allow access control traffic to service mesh backends.

EnableAccessCertPolicy defines if FSM can issue certificates for external services..

EnableSidecarActiveHealthChecks defines if FSM will Sidecar active health checks between services allowed to communicate.

EnableRetryPolicy defines if retry policy is enabled.

EnablePluginPolicy defines if plugin policy is enabled.

EnableAutoDefaultRoute defines if auto default route is enabled.

EnableValidateGatewayListenerHostname defines if validate gateway listener hostname is enabled.

EnableValidateHTTPRouteHostnames defines if validate http route hostnames is enabled.

EnableValidateGRPCRouteHostnames defines if validate grpc route hostnames is enabled.

EnableValidateTCPRouteHostnames defines if validate tcp route hostnames is enabled.

EnableGatewayAgentService defines if agent service is enabled.

EnableGatewayProxyTag defines if gateway proxy-tag header is enabled.

Enabled defines if gateway api is enabled.

LogLevel defines the log level of gateway api.

FGWLogLevel defines the log level of FGW.

StripAnyHostPort defines if strip any host port is enabled.

SSLPassthroughUpstreamPort defines the default upstream port of SSL passthrough.

HTTP1PerRequestLoadBalancing defines if load balancing based on per-request is enabled for http1.

HTTP2PerRequestLoadBalancing defines if load balancing based on per-request is enabled for http2.

ProxyTag defines the proxy tag configuration of gateway api.

Enabled defines if http is enabled.

Bind defines the bind port of http.

Listen defines the listen port of http.

NodePort defines the node port of http.

Registry defines the registry of docker image.

Tag defines the tag of docker image.

PullPolicy defines the pull policy of docker image.

SubjectAltNames defines the Subject Alternative Names (domain names and IP addresses) secured by the certificate.

ValidityDuration defines the validity duration of the certificate.

Secret defines the secret in which the certificate is stored.

Enabled defines if ingress is enabled.

Namespaced defines if ingress is namespaced.

Type defines the type of ingress service.

LogLevel defines the log level of ingress.

HTTP defines the http configuration of ingress.

TLS defines the tls configuration of ingress.

Enable defines a boolean indicating if the sidecars are enabled for local DNS Proxy.

PrimaryUpstreamDNSServerIPAddr defines a primary upstream DNS server for local DNS Proxy.

SecondaryUpstreamDNSServerIPAddr defines a secondary upstream DNS server for local DNS Proxy.

Wildcard defines Wildcard DN.

DB defines Resolve DB.

"Localhost"

LocalProxyModeLocalhost indicates the the sidecar should communicate with the main application over localhost

"PodIP"

LocalProxyModePodIP indicates that the sidecar should communicate with the main application via the pod ip

Object’s metadata.

Spec is the MeshConfig specification.

ClusterSetSpec defines the configurations of cluster.

Sidecar defines the configurations of the proxy sidecar in a mesh.

RepoServer defines the configurations of pipy repo server.

Traffic defines the traffic management configurations for a mesh instance.

Observalility defines the observability configurations for a mesh instance.

Certificate defines the certificate management configurations for a mesh instance.

FeatureFlags defines the feature flags for a mesh instance.

PluginChains defines the default plugin chains.

Ingress defines the configurations of Ingress features.

GatewayAPI defines the configurations of GatewayAPI features.

ServiceLB defines the configurations of ServiceLBServiceLB features.

FLB defines the configurations of FLB features.

EgressGateway defines the configurations of EgressGateway features.

Image defines the configurations of Image info

Misc defines the configurations of misc info

Object’s metadata

Spec is the MeshRootCertificate config specification

Status of the MeshRootCertificate resource

Provider specifies the mesh certificate provider

TrustDomain is the trust domain to use as a suffix in Common Names for new certificates.

State specifies the state of the certificate provider All states are specified in constants.go

CurlImage defines the image of curl.

RepoServerImage defines the image of repo server.

FSMLogLevel defines the log level for FSM control plane logs.

EnableDebugServer defines if the debug endpoint on the FSM controller pod is enabled.

Tracing defines FSM’s tracing configuration.

RemoteLogging defines FSM’s remote logging configuration.

Plugin defines the name of plugin

Priority defines the priority of plugin

Disable defines the visibility of plugin

InboundTCPChains defines inbound tcp chains

InboundHTTPChains defines inbound http chains

OutboundTCPChains defines outbound tcp chains

OutboundHTTPChains defines outbound http chains

CertManager specifies the cert-manager provider configuration

Vault specifies the vault provider configuration

Tresor specifies the Tresor provider configuration

SrcHostHeader defines the src host header.

DstHostHeader defines the dst host header.

Enable defines a boolean indicating if the sidecars are enabled for remote logging.

Level defines the remote logging’s level.

Port defines the remote logging’s port.

Address defines the remote logging’s hostname.

Endpoint defines the API endpoint for remote logging requests sent to the collector.

Authorization defines the access entity that allows to authorize someone in remote logging service.

SampledFraction defines the sampled fraction.

SecretName defines the name of the secret that contains the configuration for remote logging.

IPAddr of the pipy repo server

Port defines the pipy repo server’s port.

Codebase is the folder used by fsmController

DN defines resolve DN.

IPv4 defines a ipv4 address for resolve DN.

Enabled defines if ssl passthrough is enabled.

UpstreamPort defines the upstream port of ssl passthrough.

Name specifies the name of the secret in which the Vault token is stored

Key specifies the key whose value is the Vault token

Namespace specifies the namespace of the secret in which the Vault token is stored

Enabled defines if service lb is enabled.

Image defines the service lb image.

EnablePrivilegedInitContainer defines a boolean indicating whether the init container for a meshed pod should run as privileged.

LogLevel defines the logging level for the sidecar’s logs. Non developers should generally never set this value. In production environments the LogLevel should be set to error.

SidecarImage defines the container image used for the proxy sidecar.

SidecarDisabledMTLS defines whether mTLS is disabled.

MaxDataPlaneConnections defines the maximum allowed data plane connections from a proxy sidecar to the FSM controller.

ConfigResyncInterval defines the resync interval for regular proxy broadcast updates.

SidecarTimeout defines the connect/idle/read/write timeout.

Resources defines the compute resources for the sidecar.

TLSMinProtocolVersion defines the minimum TLS protocol version that the sidecar supports. Valid TLS protocol versions are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2 and TLSv1_3.

TLSMaxProtocolVersion defines the maximum TLS protocol version that the sidecar supports. Valid TLS protocol versions are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2 and TLSv1_3.

CipherSuites defines a list of ciphers that listener supports when negotiating TLS 1.0-1.2. This setting has no effect when negotiating TLS 1.3. For valid cipher names, see the latest OpenSSL ciphers manual page. E.g. https://www.openssl.org/docs/man1.1.1/apps/ciphers.html.

ECDHCurves defines a list of ECDH curves that TLS connection supports. If not specified, the curves are [X25519, P-256] for non-FIPS build and P-256 for builds using BoringSSL FIPS.

LocalProxyMode defines the network interface the proxy will use to send traffic to the backend service application. Acceptable values are [Localhost, PodIP]. The default is Localhost

LocalDNSProxy improves the performance of your computer by caching the responses coming from your DNS servers

Enabled defines if tls is enabled.

Bind defines the bind port of tls.

Listen defines the listen port of tls.

NodePort defines the node port of tls.

MTLS defines if mTLS is enabled.

SSLPassthrough defines the ssl passthrough configuration of tls.

Enable defines a boolean indicating if the sidecars are enabled for tracing.

Port defines the tracing collector’s port.

Address defines the tracing collectio’s hostname.

Endpoint defines the API endpoint for tracing requests sent to the collector.

SampledFraction defines the sampled fraction.

InterceptionMode defines a string indicating which traffic interception mode is used.

EnableEgress defines a boolean indicating if mesh-wide Egress is enabled.

OutboundIPRangeExclusionList defines a global list of IP address ranges to exclude from outbound traffic interception by the sidecar proxy.

OutboundIPRangeInclusionList defines a global list of IP address ranges to include for outbound traffic interception by the sidecar proxy. IP addresses outside this range will be excluded from outbound traffic interception by the sidecar proxy.

OutboundPortExclusionList defines a global list of ports to exclude from outbound traffic interception by the sidecar proxy.

InboundPortExclusionList defines a global list of ports to exclude from inbound traffic interception by the sidecar proxy.

EnablePermissiveTrafficPolicyMode defines a boolean indicating if permissive traffic policy mode is enabled mesh-wide.

ServiceAccessMode defines a string indicating service access mode.

InboundExternalAuthorization defines a ruleset that, if enabled, will configure a remote external authorization endpoint for all inbound and ingress traffic in the mesh.

NetworkInterfaceExclusionList defines a global list of network interface names to exclude from inbound and outbound traffic interception by the sidecar proxy.

HTTP1PerRequestLoadBalancing defines a boolean indicating if load balancing based on request is enabled for http1.

HTTP1PerRequestLoadBalancing defines a boolean indicating if load balancing based on request is enabled for http2.

SecretRef specifies the secret in which the root certificate is stored

CA specifies Tresor’s ca configuration

Host specifies the name of the Vault server

Port specifies the port of the Vault server

Role specifies the name of the role for use by mesh control plane

Protocol specifies the protocol for connections to Vault

Token specifies the configuration of the token to be used by mesh control plane to connect to Vault

SecretKeyRef specifies the secret in which the Vault token is stored

Enable defines a boolean indicating if wildcard are enabled for local DNS Proxy.

IPv4 defines a ipv4 address for wildcard DN.

"Managed"

ClusterManaged means that the cluster has joined the CLusterSet successfully and is managed by Control Plane.

Region, the locality information of this cluster

Zone, the locality information of this cluster

Group, the locality information of this cluster

GatewayHost, the Full Qualified Domain Name or IP of the gateway/ingress of this cluster If it’s an IP address, only IPv4 is supported

The port number of the gateway

Kubeconfig, The kubeconfig of the cluster you want to connnect to This’s not needed if ClusterMode is InCluster, it will use InCluster config

FsmMeshConfigName, defines the name of the MeshConfig of managed cluster

FsmNamespace, defines the namespace of managed cluster in which fsm is installed

Type of global load distribution

"ActiveActive"

ActiveActiveLbType is the type of load balancer that distributes traffic to all targets

"FailOver"

FailOverLbType is the type of load balancer that distributes traffic to the first available target

"Locality"

LocalityLbType is the type of load balancer that distributes traffic to targets in the same locality

"Conflict"

ServiceExportConflict means that there is a conflict between two exports for the same Service. When “True”, the condition message should contain enough information to diagnose the conflict: field(s) under contention, which cluster won, and why. Users should not expect detailed per-cluster information in the conflict message.

"Valid"

ServiceExportValid means that the service referenced by this service export has been recognized as valid by controller. This will be false if the service is found to be unexportable (ExternalName, not found).

The port number of service

Path is matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional “path” part of a URL as defined by RFC 3986. Paths must begin with a ‘/’ and must be present when using PathType with value “Exact” or “Prefix”.

PathRewrite, it shares ONE rewrite rule for the same ServiceExport

Indicates if session sticky is enabled

The LoadBalancer Type applied to the Ingress Rules those created by the ServiceExport

The paths for accessing the service via Ingress controller

If empty, service is exported to all managed clusters. If not empty, service is exported to specified clusters, must be in format [region]/[zone]/[group]/[cluster]

The ServiceAccount associated with this service

ip will be used as the VIP for this service when type is ClusterSetIP.

type defines the type of this service. Must be ClusterSetIP or Headless.

Supports “ClientIP” and “None”. Used to maintain session affinity. Enable client IP based session affinity. Must be ClientIP or None. Defaults to None. Ignored when type is Headless More info: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies

sessionAffinityConfig contains session affinity configuration.

The ServiceAccount associated with this service

clusters is the list of exporting clusters from which this service was derived.

"ClusterSetIP"

ClusterSetIP are only accessible via the ClusterSet IP.

"Headless"

Headless services allow backend pods to be addressed directly.

The name of this port within the service. This must be a DNS_LABEL. All ports within a ServiceSpec must have unique names. When considering the endpoints for a Service, this must match the ‘name’ field in the EndpointPort. Optional if only one ServicePort is defined on this service.

The IP protocol for this port. Supports “TCP”, “UDP”, and “SCTP”. Default is TCP.

The application protocol for this port. This field follows standard Kubernetes label syntax. Un-prefixed names are reserved for IANA standard service names (as per RFC-6335 and http://www.iana.org/assignments/service-names). Non-standard protocols should use prefixed names such as mycompany.com/my-custom-protocol. Field can be enabled with ServiceAppProtocol feature gate.

The port that will be exposed by this service.

The address of accessing the service

cluster is the name of the exporting cluster. Must be a valid RFC-1123 DNS label.

in-cluster service, it’s the cluster IPs otherwise, it’s the url of accessing that service in remote cluster for example, http(s)://[Ingress IP/domain name]:[port]/[path]

Format: [region]/[zone]/[group]/[cluster]

Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

Spec is the desired state of the IngressClass. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status

Name defines the name of chain.

Plugins defines the plugins within chain.

PodSelector for pods. Existing pods are selected by this will be the ones affected by this plugin chain.

NamespaceSelector for namespaces. Existing pods are selected by this will be the ones affected by this plugin chain.

Object’s metadata

Spec is the PlugIn specification

Status is the status of the Plugin configuration.

Object’s metadata

Spec is the PluginChain specification

Status is the status of the PluginChain configuration.

Chains defines the plugins within chains

Selectors defines the selectors of chains.

CurrentStatus defines the current status of a PluginChain resource.

Reason defines the reason for the current status of a PluginChain resource.

Object’s metadata

Spec is the PlugIn specification

Status is the status of the plugin config configuration.

Plugin is the name of plugin.

DestinationRefs is the destination references of plugin.

Config is the config of plugin.

CurrentStatus defines the current status of a PluginConfig resource.

Reason defines the reason for the current status of a PluginConfig resource.

priority defines the priority of the plugin.

Script defines the Script of the plugin.

CurrentStatus defines the current status of a Plugin resource.

Reason defines the reason for the current status of a Plugin resource.

Object’s metadata

Spec is the Access Cert specification

Status is the status of the AccessCert configuration.

SubjectAltNames defines the Subject Alternative Names (domain names and IP addresses) secured by the certificate.

Secret defines the secret in which the certificate is stored.

CurrentStatus defines the current status of an AccessCert resource.

Reason defines the reason for the current status of an AccessCert resource.

Object’s metadata

Spec is the Ingress backend policy specification

Status is the status of the AccessControl configuration.

Name defines the name of the backend.

Port defines the specification for the backend’s port.

TLS defines the specification for the backend’s TLS configuration.

Kind defines the kind for the source in the AccessControl policy. Must be one of: Service, AuthenticatedPrincipal, IPRange

Name defines the name of the source for the given Kind.

Namespace defines the namespace for the given source.

Backends defines the list of backends the AccessControl policy applies to.

Sources defines the list of sources the AccessControl policy applies to.

Matches defines the list of object references the AccessControl policy should match on.

CurrentStatus defines the current status of an AccessControl resource.

Reason defines the reason for the current status of an AccessControl resource.

Name defines the name of the backend.

Port defines the specification for the backend’s port.

TLS defines the specification for the backend’s TLS configuration.

TCP specifies the TCP level connection settings. Applies to both TCP and HTTP connections.

HTTP specifies the HTTP level connection settings.

Object’s metadata

Spec is the Egress policy specification

Object’s metadata

Spec is the EgressGateway policy specification

GlobalEgressGateways defines the list of Global egress gateway.

SerialNumber defines the serial number of the certificate.

SubjectAltNames defines the Subject Alternative Names (domain names and IP addresses) secured by the certificate.

Expiration defines the expiration of the certificate.

Secret defines the secret in which the certificate is stored.

Kind defines the kind for the source in the Egress policy, ex. ServiceAccount.

Name defines the name of the source for the given Kind.

Namespace defines the namespace for the given source.

MTLS defines the certificate specification for the egress source.

Sources defines the list of sources the Egress policy applies to.

Hosts defines the list of external hosts the Egress policy will allow access to.

• For HTTP traffic, the HTTP Host/Authority header is matched against the list of Hosts specified.

• For HTTPS traffic, the Server Name Indication (SNI) indicated by the client in the TLS handshake is matched against the list of Hosts specified.

• For non-HTTP(s) based protocols, the Hosts field is ignored.

IPAddresses defines the list of external IP address ranges the Egress policy applies to. The destination IP address of the traffic is matched against the list of IPAddresses specified as a CIDR range.

Ports defines the list of ports the Egress policy is applies to. The destination port of the traffic is matched against the list of Ports specified.

Matches defines the list of object references the Egress policy should match on.

StatTimeWindow specifies statistical time period of circuit breaking

MinRequestAmount specifies minimum number of requests (in an active statistic time span) that can trigger circuit breaking.

DegradedTimeWindow specifies recovery timeout (in seconds) when circuit breaker opens.

SlowTimeThreshold specifies the time threshold of slow request

SlowAmountThreshold specifies the amount threshold of slow request

SlowRatioThreshold specifies the ratio threshold of slow request

ErrorAmountThreshold specifies the amount threshold of error request

ErrorRatioThreshold specifies the ratio threshold of error request

DegradedStatusCode specifies the degraded http status code of circuit breaking

DegradedResponseContent specifies the degraded http response content of circuit breaking

MaxRequests specifies the maximum number of parallel requests allowed to the upstream host. Defaults to 4294967295 (2^32 - 1) if not specified.

MaxRequestsPerConnection specifies the maximum number of requests per connection allowed to the upstream host. Defaults to unlimited if not specified.

MaxPendingRequests specifies the maximum number of pending HTTP requests allowed to the upstream host. For HTTP/2 connections, if maxRequestsPerConnection is not configured, all requests will be multiplexed over the same connection so this circuit breaker will only be hit when no connection is already established. Defaults to 4294967295 (2^32 - 1) if not specified.

MaxRetries specifies the maximum number of parallel retries allowed to the upstream host. Defaults to 4294967295 (2^32 - 1) if not specified.

CircuitBreaking specifies the HTTP connection circuit breaking setting.

Name defines the name of the HTTP header.

Value defines the value of the header corresponding to the name key.

Requests defines the number of requests allowed per unit of time before rate limiting occurs.

Unit defines the period of time within which requests over the limit will be rate limited. Valid values are “second”, “minute” and “hour”.

Burst defines the number of requests above the baseline rate that are allowed in a short period of time.

ResponseStatusCode defines the HTTP status code to use for responses to rate limited requests. Code must be in the 400-599 (inclusive) error range. If not specified, a default of 429 (Too Many Requests) is used.

ResponseHeadersToAdd defines the list of HTTP headers that should be added to each response for requests that have been rate limited.

Local defines the local rate limiting specification applied per HTTP route.

Path defines the HTTP path.

RateLimit defines the HTTP rate limiting specification for the specified HTTP route.

Object’s metadata

Spec is the Ingress backend policy specification

Status is the status of the IngressBackend configuration.

Backends defines the list of backends the IngressBackend policy applies to.

Sources defines the list of sources the IngressBackend policy applies to.

Matches defines the list of object references the IngressBackend policy should match on.

CurrentStatus defines the current status of an IngressBackend resource.

Reason defines the reason for the current status of an IngressBackend resource.

Kind defines the kind for the source in the IngressBackend policy. Must be one of: Service, AuthenticatedPrincipal, IPRange

Name defines the name of the source for the given Kind.

Namespace defines the namespace for the given source.

TCP defines the local rate limiting specification at the network level. This is a token bucket rate limiter where each connection consumes a single token. If the token is available, the connection will be allowed. If no tokens are available, the connection will be immediately closed.

HTTP defines the local rate limiting specification for HTTP traffic. This is a token bucket rate limiter where each request consumes a single token. If the token is available, the request will be allowed. If no tokens are available, the request will receive the configured rate limit status.

Number defines the port number.

Protocol defines the protocol served by the port.

Local specified the local rate limiting specification for the upstream host. Local rate limiting is enforced directly by the upstream host without any involvement of a global rate limiting service. This is applied as a token bucket rate limiter.

Object’s metadata

Spec is the Retry policy specification

RetryOn defines the policies to retry on, delimited by comma.

PerTryTimeout defines the time allowed for a retry before it’s considered a failed attempt.

NumRetries defines the max number of retries to attempt.

RetryBackoffBaseInterval defines the base interval for exponential retry backoff.

Source defines the source the Retry policy applies to.

Destinations defines the list of destinations the Retry policy applies to.

RetryPolicy defines the retry policy the Retry policy applies.

Kind defines the kind for the Src/Dst in the Retry policy.

Name defines the name of the Src/Dst for the given Kind.

Namespace defines the namespace for the given Src/Dst.

MaxConnections specifies the maximum number of TCP connections allowed to the upstream host. Defaults to 4294967295 (2^32 - 1) if not specified.

ConnectTimeout specifies the TCP connection timeout. Defaults to 5s if not specified.

Connections defines the number of connections allowed per unit of time before rate limiting occurs.

Unit defines the period of time within which connections over the limit will be rate limited. Valid values are “second”, “minute” and “hour”.

Burst defines the number of connections above the baseline rate that are allowed in a short period of time.

SkipClientCertValidation defines whether the backend should skip validating the certificate presented by the client.

SNIHosts defines the SNI hostnames that the backend allows the client to connect to.

Object’s metadata

Spec is the UpstreamTrafficSetting policy specification

Status is the status of the UpstreamTrafficSetting resource.

Host the upstream traffic is directed to. Must either be an FQDN corresponding to the upstream service or the name of the upstream service. If only the service name is specified, the FQDN is derived from the service name and the namespace of the UpstreamTrafficSetting rule.

ConnectionSettings specifies the connection settings for traffic directed to the upstream host.

RateLimit specifies the rate limit settings for the traffic directed to the upstream host. If HTTP rate limiting is specified, the rate limiting is applied at the VirtualHost level applicable to all routes within the VirtualHost.

HTTPRoutes defines the list of HTTP routes settings for the upstream host. Settings are applied at a per route level.

CurrentStatus defines the current status of an UpstreamTrafficSetting resource.

Reason defines the reason for the current status of an UpstreamTrafficSetting resource.