Namespace Neon.Kube.Resources.Istio
Classes
Abort
Abort specification is used to prematurely abort a request with a pre-specified error code. The following example will return an HTTP 400 error code for 1 out of every 1000 requests to the “ratings” service “v1”.
AuthorizationPolicyOperation
Specifies the operations of a request. Fields in the operation are ANDed together.
AuthorizationPolicyRule
Matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, one operation and all conditions match the request. An empty rule is always matched.
AuthorizationPolicyRule.From
Includes a list of sources.
AuthorizationPolicyRule.To
Includes a list of operations.
AuthorizationPolicySource
Matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, one operation and all conditions match the request. An empty rule is always matched.
ClientTLSSettings
Describes the properties of the proxy on a given load balancer port.
CorsPolicy
Describes the Cross-Origin Resource Sharing (CORS) policy for a given service. Refer to CORS for further details about cross origin resource sharing. For example, the following rule restricts cross origin requests to those originating from example.com domain using HTTP POST/GET, and sets the Access-Control-Allow-Credentials header to false. In addition, it only exposes X-Foo-bar header and sets an expiry period of 1 day. Describes the CorsPolicy V1VirtualService.
Delay
Delay specification is used to inject latency into the request forwarding path. The following example will introduce a 5 second delay in 1 out of every 1000 requests to the “v1” version of the “reviews” service from all pods with label env: prod.
Delegate
Describes the delegate V1VirtualService.
Destination
Destination indicates the network addressable service to which the request/connection will be sent after processing a routing rule. The destination.host should unambiguously refer to a service in the service registry. Istio’s service registry is composed of all the services found in the platform’s service registry (e.g., Kubernetes services, Consul services), as well as services declared through the ServiceEntry resource.
Note for Kubernetes users: When short names are used (e.g. “reviews” instead of “reviews.default.svc.cluster.local”), Istio will interpret the short name based on the namespace of the rule, not the service. A rule in the “default” namespace containing a host “reviews” will be interpreted as “reviews.default.svc.cluster.local”, irrespective of the actual namespace associated with the reviews service. To avoid potential misconfigurations, it is recommended to always use fully qualified domain names over short names.
The following Kubernetes example routes all traffic by default to pods of the reviews service with label “version: v1” (i.e., subset v1), and some to subset v2, in a Kubernetes environment.
ExtensionProvider
Identifies an Extension Provider.
HTTPFaultInjection
HTTPFaultInjection can be used to specify one or more faults to inject while forwarding HTTP requests to the destination specified in a route. Fault specification is part of a V1VirtualService rule. Faults include aborting the HTTP request from downstream service, and/or delaying proxying of requests. A fault rule MUST HAVE delay or abort or both.
HTTPMatchRequest
HttpMatchRequest specifies a set of criteria to be met in order for the rule to be applied to the HTTP request. For example, the following restricts the rule to match only requests where the URL path starts with /ratings/v2/ and the request contains a custom end-user header with value jason.
HTTPRedirect
HTTPRedirect can be used to send a 301 redirect response to the caller, where the Authority/Host and the URI in the response can be swapped with the specified values. For example, the following rule redirects requests for /v1/getProductRatings API on the ratings service to /v1/bookRatings provided by the bookratings service.
HTTPRetry
Describes the retry policy to use when an HTTP request fails. For example, the following rule sets the maximum number of retries to 3 when calling ratings:v1 service, with a 2s timeout per retry attempt.
HTTPRewrite
HTTPRewrite can be used to rewrite specific parts of an HTTP request before forwarding the request to the destination. Rewrite primitive can be used only with HTTPRouteDestination. The following example demonstrates how to rewrite the URL prefix for API call (/ratings) to ratings service before making the actual API call.
HTTPRoute
Describes the properties of a specific HTTPRoute of a service.
HTTPRouteDestination
Each routing rule is associated with one or more service versions (see glossary in beginning of document). Weights associated with the version determine the proportion of traffic it receives. For example, the following rule will route 25% of traffic for the “reviews” service to instances with the “v2” tag and the remaining traffic (i.e., 75%) to “v1”.
HeaderOperations
HeaderOperations describes the header manipulations to apply.
Headers
Message headers can be manipulated when Envoy forwards requests to, or responses from, a destination service. Header manipulation rules can be specified for a specific route destination or for all destinations. The following V1VirtualService adds a test header with the value true to requests that are routed to any reviews service destination. It also removes the foo response header, but only from responses coming from the v1 subset (version) of the reviews service.
L4MatchAttributes
L4 connection match attributes. Note that L4 connection matching support is incomplete.
Percent
Percent specifies the number of a port to be used for matching or selection for final routing.
Port
Describes the properties of a specific port of a service.
PortSelector
PortSelector specifies the number of a port to be used for matching or selection for final routing.
RouteDestination
L4 routing rule weighted destination.
Server
Describes the properties of the proxy on a given load balancer port.
ServerTLSSettings
ServiceEntry
ServiceEntry enables adding additional entries into Istio’s internal service registry.
StringMatch
Describes how to match a given string in HTTP headers. Match is case-sensitive.
TCPRoute
Describes match conditions and actions for routing TCP traffic. The following routing rule forwards traffic arriving at port 27017 for mongo.prod.svc.cluster.local to another Mongo server on port 5555.
TLSMatchAttributes
TLS connection match attributes.
TLSRoute
Describes match conditions and actions for routing unterminated TLS traffic (TLS/HTTPS). The following routing rule forwards unterminated TLS traffic arriving at port 443 of gateway called “mygateway” to internal services in the mesh based on the SNI value.
Tracing
Describes tracing configuration.
TracingProvider
Describes a tracing provider.
TrafficPolicy
Describes the properties of the proxy on a given load balancer port.
UInt32Value
Wrapper message for uint32.
The JSON representation for UInt32Value is JSON number.
V1AuthorizationPolicy
Enables access control on workloads.
V1AuthorizationPolicySpec
Describes the V1AuthorizationPolicy spec.
V1DestinationRule
Enables access control on workloads.
V1DestinationRuleSpec
Describes the V1AuthorizationPolicy spec.
V1Gateway
V1GatewaySpec
Describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections.
V1ServiceEntrySpec
ServiceEntry enables adding additional entries into Istio’s internal service registry.
V1Telemetry
CRD that controls Istio tracing.
V1TelemetrySpec
Describes a Telemetry spec.
V1VirtualService
V1VirtualServiceSpec
Describes a load balancer operating at the edge of the mesh receiving incoming or outgoing HTTP/TCP connections.
WorkloadEntry
Enables specifying the properties of a single non-Kubernetes workload such as a VM or a bare metal service that can be referred to by service entries.
WorkloadSelector
WorkloadSelector specifies the criteria used to determine if the Gateway, Sidecar, EnvoyFilter, or ServiceEntry configuration can be applied to a proxy. The matching criteria include the metadata associated with a proxy, workload instance info such as labels attached to the pod/VM, or any other info that the proxy provides to Istio during the initial handshake. If multiple conditions are specified, all conditions need to match in order for the workload instance to be selected. Currently, only label based selection mechanism is supported.
Enums
AuthorizationPolicyAction
Action specifies the operation to take for a V1AuthorizationPolicy.
HTTPMethod
Enumerates HTTP method types.
Location
Location specifies whether the service is part of Istio mesh or outside the mesh. Location determines the behavior of several features, such as service-to-service mTLS authentication, policy enforcement, etc. When communicating with services outside the mesh, Istio’s mTLS authentication is disabled, and policy enforcement is performed on the client-side as opposed to server-side.
PortProtocol
The protocol exposed on the port.
Resolution
Resolution determines how the proxy will resolve the IP addresses of the network endpoints associated with the service, so that it can route to one of them. The resolution mode specified here has no impact on how the application resolves the IP address associated with the service. The application may still have to use DNS to resolve the service to an IP so that the outbound traffic can be captured by the Proxy. Alternatively, for HTTP services, the application could directly communicate with the proxy (e.g., by setting HTTP_PROXY) to talk to these services.
TLSMode
TLS modes enforced by the proxy.
TLSProtocol
TLSProtocol controls how private keys should be regenerated when a re-issuance is being processed.