IssuerName specifies the name of the Issuer resource

IssuerKind specifies the kind of Issuer

IssuerGroup specifies the group the Issuer belongs to

ServiceCertValidityDuration defines the service certificate validity duration.

CertKeyBitSize defines the certicate key bit size.

IngressGateway defines the certificate specification for an ingress gateway.

Enable defines a boolean indicating if the external authorization policy is to be enabled.

Address defines the remote address of the external authorization endpoint.

Port defines the destination port of the remote external authorization endpoint.

StatPrefix defines a prefix for the stats sink for this external authorization policy.

Timeout defines the timeout in which a response from the external authorization endpoint. is expected to execute.

FailureModeAllow defines a boolean indicating if traffic should be allowed on a failure to get a response against the external authorization endpoint.

EnableWASMStats defines if WASM Stats are enabled.

EnableEgressPolicy defines if OSM’s Egress policy is enabled.

EnableSnapshotCacheMode defines if XDS server starts with snapshot cache.

EnableAsyncProxyServiceMapping defines if OSM will map proxies to services asynchronously.

EnableIngressBackendPolicy defines if OSM will use the IngressBackend API to allow ingress traffic to service mesh backends.

EnableEnvoyActiveHealthChecks defines if OSM will Envoy active health checks between services allowed to communicate.

EnableRetryPolicy defines if retry policy is enabled.

SubjectAltNames defines the Subject Alternative Names (domain names and IP addresses) secured by the certificate.

ValidityDuration defines the validity duration of the certificate.

Secret defines the secret in which the certificate is stored.

"Localhost"

LocalProxyModeLocalhost indicates the the sidecar should communicate with the main application over localhost

"PodIP"

LocalProxyModePodIP indicates that the sidecar should communicate with the main application via the pod ip

Object’s metadata.

Spec is the MeshConfig specification.

Sidecar defines the configurations of the proxy sidecar in a mesh.

Traffic defines the traffic management configurations for a mesh instance.

Observalility defines the observability configurations for a mesh instance.

Certificate defines the certificate management configurations for a mesh instance.

FeatureFlags defines the feature flags for a mesh instance.

Object’s metadata

Spec is the MeshRootCertificate config specification

Status of the MeshRootCertificate resource

Provider specifies the mesh certificate provider

TrustDomain is the trust domain to use as a suffix in Common Names for new certificates.

State specifies the state of the certificate provider All states are specified in constants.go

OSMLogLevel defines the log level for OSM control plane logs.

EnableDebugServer defines if the debug endpoint on the OSM controller pod is enabled.

Tracing defines OSM’s tracing configuration.

CertManager specifies the cert-manager provider configuration

Vault specifies the vault provider configuration

Tresor specifies the Tresor provider configuration

Name specifies the name of the secret in which the Vault token is stored

Key specifies the key whose value is the Vault token

Namespace specifies the namespace of the secret in which the Vault token is stored

EnablePrivilegedInitContainer defines a boolean indicating whether the init container for a meshed pod should run as privileged.

LogLevel defines the logging level for the sidecar’s logs. Non developers should generally never set this value. In production environments the LogLevel should be set to error.

EnvoyImage defines the container image used for the Envoy proxy sidecar.

EnvoyWindowsImage defines the windows container image used for the Envoy proxy sidecar.

InitContainerImage defines the container image used for the init container injected to meshed pods.

MaxDataPlaneConnections defines the maximum allowed data plane connections from a proxy sidecar to the OSM controller.

ConfigResyncInterval defines the resync interval for regular proxy broadcast updates.

Resources defines the compute resources for the sidecar.

TLSMinProtocolVersion defines the minimum TLS protocol version that the sidecar supports. Valid TLS protocol versions are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2 and TLSv1_3.

TLSMaxProtocolVersion defines the maximum TLS protocol version that the sidecar supports. Valid TLS protocol versions are TLS_AUTO, TLSv1_0, TLSv1_1, TLSv1_2 and TLSv1_3.

CipherSuites defines a list of ciphers that listener supports when negotiating TLS 1.0-1.2. This setting has no effect when negotiating TLS 1.3. For valid cipher names, see the latest OpenSSL ciphers manual page. E.g. https://www.openssl.org/docs/man1.1.1/apps/ciphers.html.

ECDHCurves defines a list of ECDH curves that TLS connection supports. If not specified, the curves are [X25519, P-256] for non-FIPS build and P-256 for builds using BoringSSL FIPS.

LocalProxyMode defines the network interface the envoy proxy will use to send traffic to the backend service application. Acceptable values are [Localhost, PodIP]. The default is Localhost

Enable defines a boolean indicating if the sidecars are enabled for tracing.

Port defines the tracing collector’s port.

Address defines the tracing collectio’s hostname.

Endpoint defines the API endpoint for tracing requests sent to the collector.

EnableEgress defines a boolean indicating if mesh-wide Egress is enabled.

OutboundIPRangeExclusionList defines a global list of IP address ranges to exclude from outbound traffic interception by the sidecar proxy.

OutboundIPRangeInclusionList defines a global list of IP address ranges to include for outbound traffic interception by the sidecar proxy. IP addresses outside this range will be excluded from outbound traffic interception by the sidecar proxy.

OutboundPortExclusionList defines a global list of ports to exclude from outbound traffic interception by the sidecar proxy.

InboundPortExclusionList defines a global list of ports to exclude from inbound traffic interception by the sidecar proxy.

EnablePermissiveTrafficPolicyMode defines a boolean indicating if permissive traffic policy mode is enabled mesh-wide.

InboundExternalAuthorization defines a ruleset that, if enabled, will configure a remote external authorization endpoint for all inbound and ingress traffic in the mesh.

NetworkInterfaceExclusionList defines a global list of network interface names to exclude from inbound and outbound traffic interception by the sidecar proxy.

SecretRef specifies the secret in which the root certificate is stored

CA specifies Tresor’s ca configuration

Host specifies the name of the Vault server

Port specifies the port of the Vault server

Role specifies the name of the role for use by mesh control plane

Protocol specifies the protocol for connections to Vault

Token specifies the configuration of the token to be used by mesh control plane to connect to Vault

SecretKeyRef specifies the secret in which the Vault token is stored