asm.alauda.io group
CanaryTemplate is the Schema for the Canarytemplates API
v1alpha1 versionspec object
CanaryTemplateSpec defines the desired state of CanaryTemplate
analysis object
Analysis defines the validation process of a release
interval string required
Schedule interval for this canary analysis
iterations integer
Number of checks to run for A/B Testing and Blue/Green
match []object
HttpMatchRequest specifies a set of criterion to be met in order for the rule to be applied to the HTTP request. For example, the following restricts the rule to match only requests where the URL path starts with /ratings/v2/ and the request contains a "cookie" with value "user=jason". apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: ratings-route spec: hosts: - ratings http: - match: - headers: cookie: regex: "^(.?;)?(user=jason)(;.)?" uri: prefix: "/ratings/v2/" route: - destination: host: ratings HTTPMatchRequest CANNOT be empty.
authority object
HTTP Authority values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match
exact string
exact string match
prefix string
prefix-based match
regex string
ECMAscript style regex-based match
suffix string
suffix-based match.
gateways []string
Names of gateways where the rule should be applied to. Gateway names at the top of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.
headers object
The header keys must be lowercase and use hyphen as the separator, e.g. x-request-id. Header values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match Note: The keysuri,scheme,method, andauthoritywill be ignored.
method object
HTTP Method values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match
exact string
exact string match
prefix string
prefix-based match
regex string
ECMAscript style regex-based match
suffix string
suffix-based match.
port integer
Specifies the ports on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.
scheme object
URI Scheme values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match
exact string
exact string match
prefix string
prefix-based match
regex string
ECMAscript style regex-based match
suffix string
suffix-based match.
sourceLabels object
One or more labels that constrain the applicability of a rule to workloads with the given labels. If the VirtualService has a list of gateways specified at the top, it should include the reserved gateway mesh in order for this field to be applicable.
uri object
URI to match values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match
exact string
exact string match
prefix string
prefix-based match
regex string
ECMAscript style regex-based match
suffix string
suffix-based match.
maxWeight integer
Max traffic percentage routed to canary
metrics []object
CanaryMetric holds the reference to metrics used for canary analysis
interval string
Interval represents the windows size
name string required
Name of the metric
query string
Prometheus query for this metric (deprecated in favor of TemplateRef)
templateRef object
TemplateRef references a metric template object
apiVersion string
API version of the referent
kind string
Kind of the referent
name string required
Name of the referent
namespace string
Namespace of the referent
threshold number
Max value accepted for this metric
thresholdRange object
Range value accepted for this metric
max number
Maximum value
min number
Minimum value
mirror boolean
Enable traffic mirroring for Blue/Green
stepWeight integer
Incremental traffic percentage step
stepWeightPromotion integer
Incremental traffic percentage step for promotion phase
threshold integer
Max number of failed checks before the canary is terminated
webhooks []object
CanaryWebhook holds the reference to external checks used for canary analysis
metadata object
Metadata (key-value pairs) for this webhook
name string required
Name of this webhook
timeout string
Request timeout for this webhook
type string required
Type of this webhook
url string required
URL address of this webhook
autoscalerRef object
AutoscalerRef references an autoscaling resource
apiVersion string
API version of the referent
kind string
Kind of the referent
name string required
Name of the referent
namespace string
Namespace of the referent
canaryAnalysis object
Deprecated: replaced by Analysis
interval string required
Schedule interval for this canary analysis
iterations integer
Number of checks to run for A/B Testing and Blue/Green
match []object
HttpMatchRequest specifies a set of criterion to be met in order for the rule to be applied to the HTTP request. For example, the following restricts the rule to match only requests where the URL path starts with /ratings/v2/ and the request contains a "cookie" with value "user=jason". apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: ratings-route spec: hosts: - ratings http: - match: - headers: cookie: regex: "^(.?;)?(user=jason)(;.)?" uri: prefix: "/ratings/v2/" route: - destination: host: ratings HTTPMatchRequest CANNOT be empty.
authority object
HTTP Authority values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match
exact string
exact string match
prefix string
prefix-based match
regex string
ECMAscript style regex-based match
suffix string
suffix-based match.
gateways []string
Names of gateways where the rule should be applied to. Gateway names at the top of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.
headers object
The header keys must be lowercase and use hyphen as the separator, e.g. x-request-id. Header values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match Note: The keysuri,scheme,method, andauthoritywill be ignored.
method object
HTTP Method values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match
exact string
exact string match
prefix string
prefix-based match
regex string
ECMAscript style regex-based match
suffix string
suffix-based match.
port integer
Specifies the ports on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.
scheme object
URI Scheme values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match
exact string
exact string match
prefix string
prefix-based match
regex string
ECMAscript style regex-based match
suffix string
suffix-based match.
sourceLabels object
One or more labels that constrain the applicability of a rule to workloads with the given labels. If the VirtualService has a list of gateways specified at the top, it should include the reserved gateway mesh in order for this field to be applicable.
uri object
URI to match values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match
exact string
exact string match
prefix string
prefix-based match
regex string
ECMAscript style regex-based match
suffix string
suffix-based match.
maxWeight integer
Max traffic percentage routed to canary
metrics []object
CanaryMetric holds the reference to metrics used for canary analysis
interval string
Interval represents the windows size
name string required
Name of the metric
query string
Prometheus query for this metric (deprecated in favor of TemplateRef)
templateRef object
TemplateRef references a metric template object
apiVersion string
API version of the referent
kind string
Kind of the referent
name string required
Name of the referent
namespace string
Namespace of the referent
threshold number
Max value accepted for this metric
thresholdRange object
Range value accepted for this metric
max number
Maximum value
min number
Minimum value
mirror boolean
Enable traffic mirroring for Blue/Green
stepWeight integer
Incremental traffic percentage step
stepWeightPromotion integer
Incremental traffic percentage step for promotion phase
threshold integer
Max number of failed checks before the canary is terminated
webhooks []object
CanaryWebhook holds the reference to external checks used for canary analysis
metadata object
Metadata (key-value pairs) for this webhook
name string required
Name of this webhook
timeout string
Request timeout for this webhook
type string required
Type of this webhook
url string required
URL address of this webhook
failFallBack boolean
if set true,we will rollback canary workload modify
ingressRef object
Reference to NGINX ingress resource
apiVersion string
API version of the referent
kind string
Kind of the referent
name string required
Name of the referent
namespace string
Namespace of the referent
maxResponseTime number
metricsServer string
MetricsServer overwrites the -metrics-server flag for this particular canary
minSuccessRate number
progressDeadlineSeconds integer
ProgressDeadlineSeconds represents the maximum time in seconds for a canary deployment to make progress before it is considered to be failed
service object
Service defines how ClusterIP services, service mesh or ingress routing objects are generated
backends []string
Backends of the generated App Mesh virtual nodes
corsPolicy object
Cross-Origin Resource Sharing policy for the generated Istio virtual service
allowCredentials boolean
Indicates whether the caller is allowed to send the actual request (not the preflight) using credentials. Translates to Access-Control-Allow-Credentials header.
allowHeaders []string
List of HTTP headers that can be used when requesting the resource. Serialized to Access-Control-Allow-Methods header.
allowMethods []string
List of HTTP methods allowed to access the resource. The content will be serialized into the Access-Control-Allow-Methods header.
allowOrigin []string
The list of origins that are allowed to perform CORS requests. The content will be serialized into the Access-Control-Allow-Origin header. Wildcard * will allow all origins.
exposeHeaders []string
A white list of HTTP headers that the browsers are allowed to access. Serialized into Access-Control-Expose-Headers header.
maxAge string
Specifies how long the the results of a preflight request can be cached. Translates to the Access-Control-Max-Age header.
gateways []string
Gateways attached to the generated Istio virtual service Defaults to the internal mesh gateway
headers object
Headers operations for the generated Istio virtual service
request object
Header manipulation rules to apply before forwarding a request to the destination service
add object
Append the given values to the headers specified by keys (will create a comma-separated list of values)
remove []string
Remove the specified headers
set object
Overwrite the headers specified by key with the given values
response object
Header manipulation rules to apply before returning a response to the caller
add object
Append the given values to the headers specified by keys (will create a comma-separated list of values)
remove []string
Remove the specified headers
set object
Overwrite the headers specified by key with the given values
hosts []string
Hosts attached to the generated Istio virtual service Defaults to the service name
match []object
HttpMatchRequest specifies a set of criterion to be met in order for the rule to be applied to the HTTP request. For example, the following restricts the rule to match only requests where the URL path starts with /ratings/v2/ and the request contains a "cookie" with value "user=jason". apiVersion: networking.istio.io/v1alpha3 kind: VirtualService metadata: name: ratings-route spec: hosts: - ratings http: - match: - headers: cookie: regex: "^(.?;)?(user=jason)(;.)?" uri: prefix: "/ratings/v2/" route: - destination: host: ratings HTTPMatchRequest CANNOT be empty.
authority object
HTTP Authority values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match
exact string
exact string match
prefix string
prefix-based match
regex string
ECMAscript style regex-based match
suffix string
suffix-based match.
gateways []string
Names of gateways where the rule should be applied to. Gateway names at the top of the VirtualService (if any) are overridden. The gateway match is independent of sourceLabels.
headers object
The header keys must be lowercase and use hyphen as the separator, e.g. x-request-id. Header values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match Note: The keysuri,scheme,method, andauthoritywill be ignored.
method object
HTTP Method values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match
exact string
exact string match
prefix string
prefix-based match
regex string
ECMAscript style regex-based match
suffix string
suffix-based match.
port integer
Specifies the ports on the host that is being addressed. Many services only expose a single port or label ports with the protocols they support, in these cases it is not required to explicitly select the port.
scheme object
URI Scheme values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match
exact string
exact string match
prefix string
prefix-based match
regex string
ECMAscript style regex-based match
suffix string
suffix-based match.
sourceLabels object
One or more labels that constrain the applicability of a rule to workloads with the given labels. If the VirtualService has a list of gateways specified at the top, it should include the reserved gateway mesh in order for this field to be applicable.
uri object
URI to match values are case-sensitive and formatted as follows:
exact: "value"for exact string matchprefix: "value"for prefix-based matchregex: "value"for ECMAscript style regex-based match
exact string
exact string match
prefix string
prefix-based match
regex string
ECMAscript style regex-based match
suffix string
suffix-based match.
meshName string
Mesh name of the generated App Mesh virtual nodes and virtual service
name string
Name of the Kubernetes service generated by Flagger Defaults to CanarySpec.TargetRef.Name
port integer required
Port of the generated Kubernetes service
portDiscovery boolean required
PortDiscovery adds all container ports to the generated Kubernetes service
portName string
Port name of the generated Kubernetes service Defaults to http
retries object
Retries policy for the generated virtual service
attempts integer
REQUIRED. Number of retries for a given request. The interval between retries will be determined automatically (25ms+). Actual number of retries attempted depends on the httpReqTimeout.
perTryTimeout string
Timeout per retry attempt for a given request. format: 1h/1m/1s/1ms. MUST BE >=1ms.
retryOn string
Specifies the conditions under which retry takes place. One or more policies can be specified using a ‘,’ delimited list. The supported policies can be found in https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on and https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on
rewrite object
Rewrite HTTP URIs for the generated service
authority string
rewrite the Authority/Host header with this value.
uri string
rewrite the path (or the prefix) portion of the URI with this value. If the original URI was matched based on prefix, the value provided in this field will replace the corresponding matched prefix.
targetPort
Target port number or name of the generated Kubernetes service Defaults to CanaryService.Port
timeout string
Timeout of the HTTP or gRPC request
trafficPolicy object
TrafficPolicy attached to the generated Istio destination rules
connectionPool object
Settings controlling the volume of connections to an upstream service
http object
HTTP connection pool settings.
h2UpgradePolicy string
Specify if http1.1 connection should be upgraded to http2 for the associated destination. DEFAULT - Use the global default. DO_NOT_UPGRADE - Do not upgrade the connection to http2. UPGRADE - Upgrade the connection to http2.
http1MaxPendingRequests integer
Maximum number of pending HTTP requests to a destination. Default 2^32-1.
http2MaxRequests integer
Maximum number of requests to a backend. Default 2^32-1.
idleTimeout string
The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. If not set, the default is 1 hour. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.
maxRequestsPerConnection integer
Maximum number of requests per connection to a backend. Setting this parameter to 1 disables keep alive. Default 0, meaning "unlimited", up to 2^29.
maxRetries integer
Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. Defaults to 2^32-1.
tcp object
Settings common to both HTTP and TCP upstream connections.
connectTimeout string
TCP connection timeout.
maxConnections integer
Maximum number of HTTP1 /TCP connections to a destination host.
loadBalancer object
Settings controlling the load balancer algorithms.
consistentHash object
Consistent Hash-based load balancing can be used to provide soft session affinity based on HTTP headers, cookies or other properties. This load balancing policy is applicable only for HTTP connections. The affinity to a particular destination host will be lost when one or more hosts are added/removed from the destination service.
httpCookie object
Hash based on HTTP cookie.
name string required
REQUIRED. Name of the cookie.
path string
Path to set for the cookie.
ttl string required
REQUIRED. Lifetime of the cookie.
httpHeaderName string
It is required to specify exactly one of the fields as hash key: HTTPHeaderName, HTTPCookie, or UseSourceIP. Hash based on a specific HTTP header.
minimumRingSize integer
The minimum number of virtual nodes to use for the hash ring. Defaults to 1024. Larger ring sizes result in more granular load distributions. If the number of hosts in the load balancing pool is larger than the ring size, each host will be assigned a single virtual node.
useSourceIp boolean
Hash based on the source IP address.
simple string
It is required to specify exactly one of the fields: Simple or ConsistentHash
outlierDetection object
Settings controlling eviction of unhealthy hosts from the load balancing pool
baseEjectionTime string
Minimum ejection duration. A host will remain ejected for a period equal to the product of minimum ejection duration and the number of times the host has been ejected. This technique allows the system to automatically increase the ejection period for unhealthy upstream servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.
consecutive5xxErrors integer
Number of 5xx errors before a host is ejected from the connection pool. When the upstream host is accessed over an opaque TCP connection, connect timeouts, connection error/failure and request failure events qualify as a 5xx error. This feature defaults to 5 but can be disabled by setting the value to 0. Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together. Because the errors counted by consecutive_gateway_errors are also included in consecutive_5xx_errors, if the value of consecutive_gateway_errors is greater than or equal to the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect.
consecutiveErrors integer
Number of errors before a host is ejected from the connection pool. Defaults to 5. When the upstream host is accessed over HTTP, a 5xx return code qualifies as an error. When the upstream host is accessed over an opaque TCP connection, connect timeouts and connection error/failure events qualify as an error.
consecutiveGatewayErrors integer
Number of gateway errors before a host is ejected from the connection pool. When the upstream host is accessed over HTTP, a 502, 503, or 504 return code qualifies as a gateway error. When the upstream host is accessed over an opaque TCP connection, connect timeouts and connection error/failure events qualify as a gateway error. This feature is disabled by default or when set to the value 0. Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together. Because the errors counted by consecutive_gateway_errors are also included in consecutive_5xx_errors, if the value of consecutive_gateway_errors is greater than or equal to the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect.
interval string
Time interval between ejection sweep analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.
maxEjectionPercent integer
Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. Defaults to 10%.
minHealthPercent integer
Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. When the percentage of healthy hosts in the load balancing pool drops below this threshold, outlier detection will be disabled and the proxy will load balance across all hosts in the pool (healthy and unhealthy). The threshold can be disabled by setting it to 0%. The default is 0% as it's not typically applicable in k8s environments with few pods per service.
portLevelSettings []object
Traffic policies that apply to specific ports of the service
connectionPool object
Settings controlling the volume of connections to an upstream service
http object
HTTP connection pool settings.
h2UpgradePolicy string
Specify if http1.1 connection should be upgraded to http2 for the associated destination. DEFAULT - Use the global default. DO_NOT_UPGRADE - Do not upgrade the connection to http2. UPGRADE - Upgrade the connection to http2.
http1MaxPendingRequests integer
Maximum number of pending HTTP requests to a destination. Default 2^32-1.
http2MaxRequests integer
Maximum number of requests to a backend. Default 2^32-1.
idleTimeout string
The idle timeout for upstream connection pool connections. The idle timeout is defined as the period in which there are no active requests. If not set, the default is 1 hour. When the idle timeout is reached the connection will be closed. Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.
maxRequestsPerConnection integer
Maximum number of requests per connection to a backend. Setting this parameter to 1 disables keep alive. Default 0, meaning "unlimited", up to 2^29.
maxRetries integer
Maximum number of retries that can be outstanding to all hosts in a cluster at a given time. Defaults to 2^32-1.
tcp object
Settings common to both HTTP and TCP upstream connections.
connectTimeout string
TCP connection timeout.
maxConnections integer
Maximum number of HTTP1 /TCP connections to a destination host.
loadBalancer object
Settings controlling the load balancer algorithms.
consistentHash object
Consistent Hash-based load balancing can be used to provide soft session affinity based on HTTP headers, cookies or other properties. This load balancing policy is applicable only for HTTP connections. The affinity to a particular destination host will be lost when one or more hosts are added/removed from the destination service.
httpCookie object
Hash based on HTTP cookie.
name string required
REQUIRED. Name of the cookie.
path string
Path to set for the cookie.
ttl string required
REQUIRED. Lifetime of the cookie.
httpHeaderName string
It is required to specify exactly one of the fields as hash key: HTTPHeaderName, HTTPCookie, or UseSourceIP. Hash based on a specific HTTP header.
minimumRingSize integer
The minimum number of virtual nodes to use for the hash ring. Defaults to 1024. Larger ring sizes result in more granular load distributions. If the number of hosts in the load balancing pool is larger than the ring size, each host will be assigned a single virtual node.
useSourceIp boolean
Hash based on the source IP address.
simple string
It is required to specify exactly one of the fields: Simple or ConsistentHash
outlierDetection object
Settings controlling eviction of unhealthy hosts from the load balancing pool
baseEjectionTime string
Minimum ejection duration. A host will remain ejected for a period equal to the product of minimum ejection duration and the number of times the host has been ejected. This technique allows the system to automatically increase the ejection period for unhealthy upstream servers. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 30s.
consecutive5xxErrors integer
Number of 5xx errors before a host is ejected from the connection pool. When the upstream host is accessed over an opaque TCP connection, connect timeouts, connection error/failure and request failure events qualify as a 5xx error. This feature defaults to 5 but can be disabled by setting the value to 0. Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together. Because the errors counted by consecutive_gateway_errors are also included in consecutive_5xx_errors, if the value of consecutive_gateway_errors is greater than or equal to the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect.
consecutiveErrors integer
Number of errors before a host is ejected from the connection pool. Defaults to 5. When the upstream host is accessed over HTTP, a 5xx return code qualifies as an error. When the upstream host is accessed over an opaque TCP connection, connect timeouts and connection error/failure events qualify as an error.
consecutiveGatewayErrors integer
Number of gateway errors before a host is ejected from the connection pool. When the upstream host is accessed over HTTP, a 502, 503, or 504 return code qualifies as a gateway error. When the upstream host is accessed over an opaque TCP connection, connect timeouts and connection error/failure events qualify as a gateway error. This feature is disabled by default or when set to the value 0. Note that consecutive_gateway_errors and consecutive_5xx_errors can be used separately or together. Because the errors counted by consecutive_gateway_errors are also included in consecutive_5xx_errors, if the value of consecutive_gateway_errors is greater than or equal to the value of consecutive_5xx_errors, consecutive_gateway_errors will have no effect.
interval string
Time interval between ejection sweep analysis. format: 1h/1m/1s/1ms. MUST BE >=1ms. Default is 10s.
maxEjectionPercent integer
Maximum % of hosts in the load balancing pool for the upstream service that can be ejected. Defaults to 10%.
minHealthPercent integer
Outlier detection will be enabled as long as the associated load balancing pool has at least min_health_percent hosts in healthy mode. When the percentage of healthy hosts in the load balancing pool drops below this threshold, outlier detection will be disabled and the proxy will load balance across all hosts in the pool (healthy and unhealthy). The threshold can be disabled by setting it to 0%. The default is 0% as it's not typically applicable in k8s environments with few pods per service.
port object required
Specifies the port name or number of a port on the destination service on which this policy is being applied. Names must comply with DNS label syntax (rfc1035) and therefore cannot collide with numbers. If there are multiple ports on a service with the same protocol the names should be of the form -.
name string
Valid port name
number integer
Valid port number
tls object
TLS related settings for connections to the upstream service.
caCertificates string
OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will not verify the server's certificate. Should be empty if mode is ISTIO_MUTUAL.
clientCertificate string
REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.
mode string required
REQUIRED: Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.
privateKey string
REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.
sni string
SNI string to present to the server during TLS handshake. Should be empty if mode is ISTIO_MUTUAL.
subjectAltNames []string
A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. Should be empty if mode is ISTIO_MUTUAL.
tls object
TLS related settings for connections to the upstream service.
caCertificates string
OPTIONAL: The path to the file containing certificate authority certificates to use in verifying a presented server certificate. If omitted, the proxy will not verify the server's certificate. Should be empty if mode is ISTIO_MUTUAL.
clientCertificate string
REQUIRED if mode is MUTUAL. The path to the file holding the client-side TLS certificate to use. Should be empty if mode is ISTIO_MUTUAL.
mode string required
REQUIRED: Indicates whether connections to this port should be secured using TLS. The value of this field determines how TLS is enforced.
privateKey string
REQUIRED if mode is MUTUAL. The path to the file holding the client's private key. Should be empty if mode is ISTIO_MUTUAL.
sni string
SNI string to present to the server during TLS handshake. Should be empty if mode is ISTIO_MUTUAL.
subjectAltNames []string
A list of alternate names to verify the subject identity in the certificate. If specified, the proxy will verify that the server certificate's subject alt name matches one of the specified values. Should be empty if mode is ISTIO_MUTUAL.
skipAnalysis boolean
SkipAnalysis promotes the canary without analysing it
targetRef object
TargetRef references a target resource
apiVersion string
API version of the referent
kind string
Kind of the referent
name string required
Name of the referent
namespace string
Namespace of the referent