---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
source_repo: https://github.com/istio/api
title: Rules
description: Describes the rules used to configure Mixer's policy and telemetry features.
location: https://istio.io/docs/reference/config/policy-and-telemetry/istio.policy.v1beta1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
number_of_entries: 26
---
<p>Describes the rules used to configure Mixer&rsquo;s policy and telemetry features.</p>
<h2 id="Action">Action</h2>
<section>
<p>Action describes which <a href="#Handler">Handler</a> to invoke and what data to pass to it for processing.</p>
<p>The following example instructs Mixer to invoke the &lsquo;prometheus-handler&rsquo; handler and pass it the object
constructed using the instance &lsquo;RequestCountByService&rsquo;.</p>
<pre><code class="language-yaml">handler: prometheus-handler
instances:
- RequestCountByService
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Action-handler">
<td><code>handler</code></td>
<td><code>string</code></td>
<td>
<p>Fully qualified name of the handler to invoke.
Must match the <code>name</code> of a <a href="#Handler-name">Handler</a>.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Action-instances">
<td><code>instances</code></td>
<td><code>string[]</code></td>
<td>
<p>Each value must match the fully qualified name of an
<a href="#Instance-name">Instance</a>.
Referenced instances are evaluated by resolving the attributes/literals for all the fields.
The constructed objects are then passed to the <code>handler</code> referenced within this action.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Action-name">
<td><code>name</code></td>
<td><code>string</code></td>
<td>
<p>A handle to refer to the results of the action.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AttributeManifest">AttributeManifest</h2>
<section>
<p>AttributeManifest describes a set of Attributes produced by some component
of an Istio deployment.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AttributeManifest-revision">
<td><code>revision</code></td>
<td><code>string</code></td>
<td>
<p>The revision of this document. Assigned by server.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AttributeManifest-name">
<td><code>name</code></td>
<td><code>string</code></td>
<td>
<p>Name of the component producing these attributes. This can be
the proxy (with the canonical name <code>istio-proxy</code>) or the name of an
<code>attributes</code> kind adapter in Mixer.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="AttributeManifest-attributes">
<td><code>attributes</code></td>
<td><code>map&lt;string,&nbsp;<a href="#AttributeManifest-AttributeInfo">AttributeInfo</a>&gt;</code></td>
<td>
<p>The set of attributes this Istio component will be responsible for producing at runtime.
We map from attribute name to the attribute&rsquo;s specification. The name of an attribute,
which is how attributes are referred to in aspect configuration, must conform to:</p>
<pre><code>Name = IDENT &lbrace; SEPARATOR IDENT };
</code></pre>
<p>Where <code>IDENT</code> must match the regular expression <code>[a-z][a-z0-9]+</code> and <code>SEPARATOR</code> must
match the regular expression <code>[\.-]</code>.</p>
<p>Attribute names must be unique within a single Istio deployment. The set of canonical
attributes is described <a href="/zh/docs/reference/config/policy-and-telemetry/attribute-vocabulary/">here</a>.
Attributes not in that list should be named with a component-specific suffix such as
<code>request.count-my.component</code>.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="AttributeManifest-AttributeInfo">AttributeManifest.AttributeInfo</h2>
<section>
<p>AttributeInfo describes the schema of an Istio <code>Attribute</code>.</p>
<h3 id="istio-attributes">Istio Attributes</h3>
<p>Istio uses <code>attributes</code> to describe runtime activities of Istio services.
An Istio attribute carries a specific piece of information about an activity,
such as the error code of an API request, the latency of an API request, or the
original IP address of a TCP connection. The attributes are often generated
and consumed by different services. For example, a frontend service can
generate an authenticated user attribute and pass it to a backend service for
access control purposes.</p>
<p>To simplify the system and improve developer experience, Istio uses
shared attribute definitions across all components. For example, the same
authenticated user attribute will be used for logging, monitoring, analytics,
billing, access control, auditing. Many Istio components provide their
functionality by collecting, generating, and operating on attributes.
For example, the proxy collects the error code attribute, and the logging
stores it into a log.</p>
<h3 id="design">Design</h3>
<p>Each Istio attribute must conform to an <code>AttributeInfo</code> in an
<code>AttributeManifest</code> in the current Istio deployment at runtime. An
<em><code>AttributeInfo</code></em> is used to define an attribute&rsquo;s
metadata: the type of its value and a detailed description that explains
the semantics of the attribute type. Each attribute&rsquo;s name is globally unique;
in other words an attribute name can only appear once across all manifests.</p>
<p>The runtime presentation of an attribute is intentionally left out of this
specification, because passing attributes using JSON, XML, or Protocol Buffers
does not change the semantics of the attribute. Different implementations
can choose different representations based on their needs.</p>
<h3 id="http-mapping">HTTP Mapping</h3>
<p>Because many systems already have REST APIs, it makes sense to define a
standard HTTP mapping for Istio attributes that are compatible with typical
REST APIs. The design is to map one attribute to one HTTP header: the
attribute name and value become the HTTP header name and value. The actual
encoding scheme will be decided later.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="AttributeManifest-AttributeInfo-description">
<td><code>description</code></td>
<td><code>string</code></td>
<td>
<p>A human-readable description of the attribute&rsquo;s purpose.</p>
</td>
<td>
No
</td>
</tr>
<tr id="AttributeManifest-AttributeInfo-value_type">
<td><code>valueType</code></td>
<td><code><a href="#ValueType">ValueType</a></code></td>
<td>
<p>The type of data carried by this attribute.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Authentication">Authentication</h2>
<section>
<p>Authentication allows the operator to specify the authentication of
connections to an out-of-process infrastructure backend.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Authentication-tls" class="oneof oneof-start">
<td><code>tls</code></td>
<td><code><a href="#Tls">Tls (oneof)</a></code></td>
<td>
<p>Originate a TLS connection to the adapter and present an auth token
in each call for client authentication.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Authentication-mutual" class="oneof">
<td><code>mutual</code></td>
<td><code><a href="#Mutual">Mutual (oneof)</a></code></td>
<td>
<p>Secure connections to the adapter using mutual TLS by presenting
client certificates for authentication.</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Connection">Connection</h2>
<section>
<p>Connection allows the operator to specify the endpoint for an out-of-process infrastructure backend.
Connection is part of the handler custom resource and is specified alongside adapter-specific configuration.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Connection-address">
<td><code>address</code></td>
<td><code>string</code></td>
<td>
<p>The address of the backend.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Connection-timeout">
<td><code>timeout</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>Timeout for remote calls to the backend.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Connection-authentication">
<td><code>authentication</code></td>
<td><code><a href="#Authentication">Authentication</a></code></td>
<td>
<p>Auth config for the connection to the backend. If omitted, plain text will
be used.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="DNSName">DNSName</h2>
<section>
<p>An instance field of type DNSName denotes that the expression for the field must evaluate to
<a href="#ValueType-DNS_NAME">ValueType.DNS_NAME</a>.</p>
<p>Objects of type DNSName are also passed to the adapters during request-time for the instance fields of
type DNSName.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="DNSName-value">
<td><code>value</code></td>
<td><code>string</code></td>
<td>
<p>DNSName encoded as string.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="DirectHttpResponse">DirectHttpResponse</h2>
<section>
<p>Direct HTTP response for a client-facing error message which can be attached
to an RPC error.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="DirectHttpResponse-code">
<td><code>code</code></td>
<td><code><a href="#HttpStatusCode">HttpStatusCode</a></code></td>
<td>
<p>HTTP status code. If not set, RPC error code is used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="DirectHttpResponse-body">
<td><code>body</code></td>
<td><code>string</code></td>
<td>
<p>HTTP response body.</p>
</td>
<td>
No
</td>
</tr>
<tr id="DirectHttpResponse-headers">
<td><code>headers</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>HTTP response headers.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Duration">Duration</h2>
<section>
<p>An instance field of type Duration denotes that the expression for the field must evaluate to
<a href="#ValueType-DURATION">ValueType.DURATION</a>.</p>
<p>Objects of type Duration are also passed to the adapters during request-time for the instance fields of
type Duration.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Duration-value">
<td><code>value</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#duration">Duration</a></code></td>
<td>
<p>Duration encoded as google.protobuf.Duration.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="EmailAddress">EmailAddress</h2>
<section>
<p>DO NOT USE! Under development.</p>
<p>An instance field of type EmailAddress denotes that the expression for the field must evaluate to
<a href="#ValueType-EMAIL_ADDRESS">ValueType.EMAIL_ADDRESS</a>.</p>
<p>Objects of type EmailAddress are also passed to the adapters during request-time for the instance fields of
type EmailAddress.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="EmailAddress-value">
<td><code>value</code></td>
<td><code>string</code></td>
<td>
<p>EmailAddress encoded as string.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="FractionalPercent-DenominatorType">FractionalPercent.DenominatorType</h2>
<section>
<p>Fractional percentages support several fixed denominator values.</p>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="FractionalPercent-DenominatorType-HUNDRED">
<td><code>HUNDRED</code></td>
<td>
<p>100.</p>
<p><strong>Example</strong>: <sup>1</sup>&frasl;<sub>100</sub> = 1%.</p>
</td>
</tr>
<tr id="FractionalPercent-DenominatorType-TEN_THOUSAND">
<td><code>TEN_THOUSAND</code></td>
<td>
<p>10,000.</p>
<p><strong>Example</strong>: <sup>1</sup>&frasl;<sub>10000</sub> = 0.01%.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Handler">Handler</h2>
<section>
<p>Handler allows the operator to configure a specific adapter implementation.
Each adapter implementation defines its own <code>params</code> proto.</p>
<p>In the following example we define a <code>metrics</code> handler for the <code>prometheus</code> adapter.
The example is in the form of a Kubernetes resource:</p>
<ul>
<li>The <code>metadata.name</code> is the name of the handler</li>
<li>The <code>kind</code> refers to the adapter name</li>
<li>The <code>spec</code> block represents adapter-specific configuration as well as the connection information</li>
</ul>
<pre><code class="language-yaml">### Sample-1: No connection specified (for compiled in adapters)
### Note: if connection information is not specified, the adapter configuration is directly inside
### `spec` block. This is going to be DEPRECATED in favor of Sample-2
apiVersion: &quot;config.istio.io/v1alpha2&quot;
kind: handler
metadata:
  name: requestcount
  namespace: istio-system
spec:
  compiledAdapter: prometheus
  params:
    metrics:
    - name: request_count
      instance_name: requestcount.metric.istio-system
      kind: COUNTER
      label_names:
      - source_service
      - source_version
      - destination_service
      - destination_version
---
### Sample-2: With connection information (for out-of-process adapters)
### Note: Unlike sample-1, the adapter configuration is parallel to `connection` and is nested inside `param` block.
apiVersion: &quot;config.istio.io/v1alpha2&quot;
kind: handler
metadata:
  name: requestcount
  namespace: istio-system
spec:
  compiledAdapter: prometheus
  params:
    param:
      metrics:
      - name: request_count
        instance_name: requestcount.metric.istio-system
        kind: COUNTER
        label_names:
        - source_service
        - source_version
        - destination_service
        - destination_version
    connection:
      address: localhost:8090
---
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Handler-name">
<td><code>name</code></td>
<td><code>string</code></td>
<td>
<p>Must be unique in the entire Mixer configuration. Used by <a href="#Action-handler">Actions</a>
to refer to this handler.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Handler-compiled_adapter">
<td><code>compiledAdapter</code></td>
<td><code>string</code></td>
<td>
<p>The name of the compiled-in adapter this handler instantiates. For referencing non-compiled-in
adapters, use the <code>adapter</code> field instead.</p>
<p>The value must match the name of the available adapter Mixer is built with. An adapter&rsquo;s name is typically a
constant in its code.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Handler-adapter">
<td><code>adapter</code></td>
<td><code>string</code></td>
<td>
<p>The name of a specific adapter implementation. For referencing compiled-in
adapters, use the <code>compiled_adapter</code> field instead.</p>
<p>An adapter&rsquo;s implementation name is typically a constant in its code.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Handler-params">
<td><code>params</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
<td>
<p>Depends on adapter implementation. Struct representation of a
proto defined by the adapter implementation; this varies depending on the value of field <code>adapter</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Handler-connection">
<td><code>connection</code></td>
<td><code><a href="#Connection">Connection</a></code></td>
<td>
<p>Information on how to connect to the out-of-process adapter.
This is used if the adapter is not compiled into Mixer binary and is running as a separate process.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="HttpStatusCode">HttpStatusCode</h2>
<section>
<p>HTTP response codes.
For more details: http://www.iana.org/assignments/http-status-codes/http-status-codes.xhtml</p>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="HttpStatusCode-Empty">
<td><code>Empty</code></td>
<td>
<p>Empty - This code is not part of the HTTP status code specification, but it is needed for proto
<code>enum</code> type.</p>
</td>
</tr>
<tr id="HttpStatusCode-Continue">
<td><code>Continue</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-OK">
<td><code>OK</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-Created">
<td><code>Created</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-Accepted">
<td><code>Accepted</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-NonAuthoritativeInformation">
<td><code>NonAuthoritativeInformation</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-NoContent">
<td><code>NoContent</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-ResetContent">
<td><code>ResetContent</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-PartialContent">
<td><code>PartialContent</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-MultiStatus">
<td><code>MultiStatus</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-AlreadyReported">
<td><code>AlreadyReported</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-IMUsed">
<td><code>IMUsed</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-MultipleChoices">
<td><code>MultipleChoices</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-MovedPermanently">
<td><code>MovedPermanently</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-Found">
<td><code>Found</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-SeeOther">
<td><code>SeeOther</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-NotModified">
<td><code>NotModified</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-UseProxy">
<td><code>UseProxy</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-TemporaryRedirect">
<td><code>TemporaryRedirect</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-PermanentRedirect">
<td><code>PermanentRedirect</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-BadRequest">
<td><code>BadRequest</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-Unauthorized">
<td><code>Unauthorized</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-PaymentRequired">
<td><code>PaymentRequired</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-Forbidden">
<td><code>Forbidden</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-NotFound">
<td><code>NotFound</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-MethodNotAllowed">
<td><code>MethodNotAllowed</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-NotAcceptable">
<td><code>NotAcceptable</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-ProxyAuthenticationRequired">
<td><code>ProxyAuthenticationRequired</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-RequestTimeout">
<td><code>RequestTimeout</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-Conflict">
<td><code>Conflict</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-Gone">
<td><code>Gone</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-LengthRequired">
<td><code>LengthRequired</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-PreconditionFailed">
<td><code>PreconditionFailed</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-PayloadTooLarge">
<td><code>PayloadTooLarge</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-URITooLong">
<td><code>URITooLong</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-UnsupportedMediaType">
<td><code>UnsupportedMediaType</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-RangeNotSatisfiable">
<td><code>RangeNotSatisfiable</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-ExpectationFailed">
<td><code>ExpectationFailed</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-MisdirectedRequest">
<td><code>MisdirectedRequest</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-UnprocessableEntity">
<td><code>UnprocessableEntity</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-Locked">
<td><code>Locked</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-FailedDependency">
<td><code>FailedDependency</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-UpgradeRequired">
<td><code>UpgradeRequired</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-PreconditionRequired">
<td><code>PreconditionRequired</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-TooManyRequests">
<td><code>TooManyRequests</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-RequestHeaderFieldsTooLarge">
<td><code>RequestHeaderFieldsTooLarge</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-InternalServerError">
<td><code>InternalServerError</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-NotImplemented">
<td><code>NotImplemented</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-BadGateway">
<td><code>BadGateway</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-ServiceUnavailable">
<td><code>ServiceUnavailable</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-GatewayTimeout">
<td><code>GatewayTimeout</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-HTTPVersionNotSupported">
<td><code>HTTPVersionNotSupported</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-VariantAlsoNegotiates">
<td><code>VariantAlsoNegotiates</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-InsufficientStorage">
<td><code>InsufficientStorage</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-LoopDetected">
<td><code>LoopDetected</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-NotExtended">
<td><code>NotExtended</code></td>
<td>
</td>
</tr>
<tr id="HttpStatusCode-NetworkAuthenticationRequired">
<td><code>NetworkAuthenticationRequired</code></td>
<td>
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="IPAddress">IPAddress</h2>
<section>
<p>An instance field of type IPAddress denotes that the expression for the field must evaluate to
<a href="#ValueType-IP_ADDRESS">ValueType.IP_ADDRESS</a>.</p>
<p>Objects of type IPAddress are also passed to the adapters during request-time for the instance fields of
type IPAddress.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="IPAddress-value">
<td><code>value</code></td>
<td><code>bytes</code></td>
<td>
<p>IPAddress encoded as bytes.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Instance">Instance</h2>
<section>
<p>An Instance tells Mixer how to create instances for a particular template.</p>
<p>Instance is defined by the operator. Instance is defined relative to a known
template. Their purpose is to tell Mixer how to use attributes or literals to produce
instances of the specified template at runtime.</p>
<p>The following example instructs Mixer to construct an instance associated with template
&lsquo;istio.mixer.adapter.metric.Metric&rsquo;. It provides a mapping from the template&rsquo;s fields to expressions.
Instances produced with this instance can be referenced by <a href="#Action">Actions</a> using name
&lsquo;RequestCountByService&rsquo;.</p>
<pre><code class="language-yaml">- name: RequestCountByService
  template: istio.mixer.adapter.metric.Metric
  params:
    value: 1
    dimensions:
      source: source.name
      destination_ip: destination.ip
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Instance-name">
<td><code>name</code></td>
<td><code>string</code></td>
<td>
<p>The name of this instance.</p>
<p>Must be unique amongst other Instances in scope. Used by <a href="#Action">Action</a> to refer
to an instance produced by this instance.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Instance-compiled_template">
<td><code>compiledTemplate</code></td>
<td><code>string</code></td>
<td>
<p>The name of the compiled-in template this instance creates instances for. For referencing non-compiled-in
templates, use the <code>template</code> field instead.</p>
<p>The value must match the name of the available template Mixer is built with.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Instance-template">
<td><code>template</code></td>
<td><code>string</code></td>
<td>
<p>The name of the template this instance creates instances for. For referencing compiled-in
templates, use the <code>compiled_template</code> field instead.</p>
<p>The value must match the name of the available template in scope.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Instance-params">
<td><code>params</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#struct">Struct</a></code></td>
<td>
<p>Depends on referenced template. Struct representation of a
proto defined by the template; this varies depending on the value of field <code>template</code>.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Instance-attribute_bindings">
<td><code>attributeBindings</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Defines attribute bindings to map the output of attribute-producing adapters back into
the attribute space. The variable <code>output</code> refers to the output template instance produced
by the adapter.
The following example derives <code>source.namespace</code> from <code>source.uid</code> in the context of Kubernetes:</p>
<pre><code class="language-yaml">params:
  # Pass the required attribute data to the adapter
  source_uid: source.uid | &quot;&quot;
attribute_bindings:
  # Fill the new attributes from the adapter produced output
  source.namespace: output.source_namespace
</code></pre>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Mutual">Mutual</h2>
<section>
<p>Mutual lets the operator specify the TLS configuration for Mixer as a client if mutual TLS is used to
secure the connection to the adapter backend.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Mutual-private_key">
<td><code>privateKey</code></td>
<td><code>string</code></td>
<td>
<p>The path to the file holding the private key for mutual TLS. If omitted, the
default Mixer private key will be used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Mutual-client_certificate">
<td><code>clientCertificate</code></td>
<td><code>string</code></td>
<td>
<p>The path to the file holding client certificate for mutual TLS. If omitted, the
default Mixer certificates will be used.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Mutual-ca_certificates">
<td><code>caCertificates</code></td>
<td><code>string</code></td>
<td>
<p>The path to the file holding additional CA certificates that are needed to
verify the presented adapter certificates. By default Mixer should already
include Istio CA certificates and system certificates in cert pool.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Mutual-server_name">
<td><code>serverName</code></td>
<td><code>string</code></td>
<td>
<p>Used to configure mixer mutual TLS client to supply server name for SNI.
It is not used to verify the hostname of the peer certificate, since
Istio verifies whitelisted SAN fields in mutual TLS.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
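<p>The <a href="#Connection">Connection</a> reference above states that an omitted <code>authentication</code> block means plain text, and <a href="#Authentication">Authentication</a> makes <code>tls</code> and <code>mutual</code> a oneof. The following audit is an added example, not code from the Istio project: it flags handlers whose out-of-process connection is unauthenticated or sets both oneof members. The handler names, the <code>example-adapter</code> adapter, the addresses, the file paths and the <code>host:port</code> address form are assumptions made for the sample.</p>

```python
import ipaddress
import json

# Constructed sample: a Kubernetes List of handler resources serialized as JSON.
# Names, addresses and certificate paths are made up for this example.
SAMPLE_HANDLERS = json.loads("""
{"items": [
  {"metadata": {"name": "requestcount", "namespace": "istio-system"},
   "spec": {"compiledAdapter": "prometheus", "params": {"metrics": []}}},
  {"metadata": {"name": "local-oop", "namespace": "istio-system"},
   "spec": {"adapter": "example-adapter",
            "connection": {"address": "localhost:8090"}}},
  {"metadata": {"name": "remote-plain", "namespace": "istio-system"},
   "spec": {"adapter": "example-adapter",
            "connection": {"address": "policy-backend.example.svc:443"}}},
  {"metadata": {"name": "remote-mtls", "namespace": "istio-system"},
   "spec": {"adapter": "example-adapter",
            "connection": {"address": "policy-backend.example.svc:443",
                           "authentication": {"mutual": {
                             "privateKey": "/etc/certs/example/key.pem",
                             "clientCertificate": "/etc/certs/example/cert-chain.pem",
                             "caCertificates": "/etc/certs/example/root-cert.pem"}}}}},
  {"metadata": {"name": "both-set", "namespace": "istio-system"},
   "spec": {"adapter": "example-adapter",
            "connection": {"address": "10.0.0.7:9000",
                           "authentication": {"tls": {}, "mutual": {}}}}}
]}
""")


def is_loopback(address):
    """True when the host part of a host:port address is loopback."""
    host = address.rsplit(":", 1)[0].strip("[]")
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a DNS name or empty value: treat as remote


def audit_handler(item):
    """Return (severity, message) findings for one handler resource."""
    conn = item.get("spec", {}).get("connection")
    if not conn:
        return []  # compiled-in adapter: no connection block to protect
    findings = []
    address = conn.get("address", "")
    auth = conn.get("authentication") or {}
    modes = [m for m in ("tls", "mutual") if m in auth]
    if not modes:
        # "If omitted, plain text will be used."
        severity = "warn" if is_loopback(address) else "high"
        findings.append((severity, f"plain text connection to {address or '<unset>'}"))
    elif len(modes) > 1:
        findings.append(("high", "tls and mutual are a oneof; set exactly one"))
    return findings


def audit(doc):
    """Map 'namespace/name' to findings, keeping only handlers that have any."""
    report = {}
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        key = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
        found = audit_handler(item)
        if found:
            report[key] = found
    return report


if __name__ == "__main__":
    for handler, findings in audit(SAMPLE_HANDLERS).items():
        for severity, message in findings:
            print(f"{severity:5} {handler}: {message}")
```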
</section>
<h2 id="OAuth">OAuth</h2>
<section>
<p>OAuth lets the operator specify the configuration to fetch an access token via OAuth when using
TLS for the connection to the backend.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="OAuth-client_id">
<td><code>clientId</code></td>
<td><code>string</code></td>
<td>
<p>OAuth client id for mixer.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="OAuth-client_secret">
<td><code>clientSecret</code></td>
<td><code>string</code></td>
<td>
<p>The path to the file holding the client secret for oauth.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="OAuth-token_url">
<td><code>tokenUrl</code></td>
<td><code>string</code></td>
<td>
<p>The Resource server&rsquo;s token endpoint URL.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="OAuth-scopes">
<td><code>scopes</code></td>
<td><code>string[]</code></td>
<td>
<p>List of requested permissions.</p>
</td>
<td>
No
</td>
</tr>
<tr id="OAuth-endpoint_params">
<td><code>endpointParams</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>Additional parameters for requests to the token endpoint.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule">Rule</h2>
<section>
<p>A Rule is a selector and a set of intentions to be executed when the
selector is <code>true</code>.</p>
<p>The following example instructs Mixer to invoke the <code>prometheus-handler</code> handler for all services and pass it the
instance constructed using the &lsquo;RequestCountByService&rsquo; instance.</p>
<pre><code class="language-yaml">- match: match(destination.service.host, &quot;*&quot;)
  actions:
  - handler: prometheus-handler
    instances:
    - RequestCountByService
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Rule-match">
<td><code>match</code></td>
<td><code>string</code></td>
<td>
<p>Match is an attribute based predicate. When Mixer receives a
request it evaluates the match expression and executes all the associated <code>actions</code>
if the match evaluates to true.</p>
<p>A few example matches:</p>
<ul>
<li>an empty match evaluates to <code>true</code></li>
<li><code>true</code>, a boolean literal; a rule with this match will always be executed</li>
<li><code>match(destination.service.host, &quot;ratings.*&quot;)</code> selects any request targeting a service whose
name starts with &ldquo;ratings&rdquo;</li>
<li><code>attr1 == &quot;20&quot; &amp;&amp; attr2 == &quot;30&quot;</code>: logical AND, OR, and NOT are also available</li>
</ul>
</td>
<td>
No
</td>
</tr>
<tr id="Rule-actions">
<td><code>actions</code></td>
<td><code><a href="#Action">Action[]</a></code></td>
<td>
<p>The actions that will be executed when match evaluates to <code>true</code>.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Rule-request_header_operations">
<td><code>requestHeaderOperations</code></td>
<td><code><a href="#Rule-HeaderOperationTemplate">HeaderOperationTemplate[]</a></code></td>
<td>
<p>Templatized operations on the request headers using values produced by the
rule actions. Requires the check action result to be OK.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Rule-response_header_operations">
<td><code>responseHeaderOperations</code></td>
<td><code><a href="#Rule-HeaderOperationTemplate">HeaderOperationTemplate[]</a></code></td>
<td>
<p>Templatized operations on the response headers using values produced by the
rule actions. Requires the check action result to be OK.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule-HeaderOperationTemplate">Rule.HeaderOperationTemplate</h2>
<section>
<p>A template for an HTTP header manipulation. Values in the template are expressions
that may reference action outputs by name. For example, if an action <code>x</code> produces an output
with a field <code>f</code>, then the header value expressions may use attribute <code>x.output.f</code> to reference
the field value:</p>
<pre><code class="language-yaml">request_header_operations:
- name: x-istio-header
  values:
  - x.output.f
</code></pre>
<p>If the header value expression evaluates to an empty string, and the operation is to either replace
or append a header, then the operation is not applied. This permits conditional behavior on behalf of the
adapter to optionally modify the headers.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Rule-HeaderOperationTemplate-name">
<td><code>name</code></td>
<td><code>string</code></td>
<td>
<p>Header name literal value.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Rule-HeaderOperationTemplate-values">
<td><code>values</code></td>
<td><code>string[]</code></td>
<td>
<p>Header value expressions.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Rule-HeaderOperationTemplate-operation">
<td><code>operation</code></td>
<td><code><a href="#Rule-HeaderOperationTemplate-Operation">Operation</a></code></td>
<td>
<p>Header operation type. Default operation is to replace the value of the header by name.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Rule-HeaderOperationTemplate-Operation">Rule.HeaderOperationTemplate.Operation</h2>
<section>
<p>Header operation type.</p>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Rule-HeaderOperationTemplate-Operation-REPLACE">
<td><code>REPLACE</code></td>
<td>
<p>Replace a header by name.</p>
</td>
</tr>
<tr id="Rule-HeaderOperationTemplate-Operation-REMOVE">
<td><code>REMOVE</code></td>
<td>
<p>Remove a header by name. Values are ignored.</p>
</td>
</tr>
<tr id="Rule-HeaderOperationTemplate-Operation-APPEND">
<td><code>APPEND</code></td>
<td>
<p>Append values to the existing header values.</p>
</td>
</tr>
</tbody>
</table>
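<p>The rules above, modelled in Go as an added example (not Mixer&rsquo;s own code): operations are skipped unless the check result is OK, <code>REMOVE</code> ignores values, and an empty evaluated value leaves the header untouched. The <code>Apply</code> and <code>HeaderOp</code> names are hypothetical, and letting the last non-empty value win under <code>REPLACE</code> is an assumption.</p>

```go
package main

import (
	"fmt"
	"net/http"
)

// Operation mirrors Rule.HeaderOperationTemplate.Operation; REPLACE is the default.
type Operation int

const (
	REPLACE Operation = iota
	REMOVE
	APPEND
)

// HeaderOp is one template with its value expressions already evaluated.
type HeaderOp struct {
	Name      string
	Values    []string
	Operation Operation
}

// Apply returns a copy of h (which must be non-nil) with ops applied.
func Apply(h http.Header, ops []HeaderOp, checkOK bool) http.Header {
	out := h.Clone()
	if !checkOK { // operations require the check result to be OK
		return out
	}
	for _, op := range ops {
		if op.Operation == REMOVE { // values are ignored
			out.Del(op.Name)
			continue
		}
		for _, v := range op.Values {
			switch {
			case v == "": // expression evaluated to empty: not applied
			case op.Operation == APPEND:
				out.Add(op.Name, v)
			default: // REPLACE; last non-empty value wins (assumption)
				out.Set(op.Name, v)
			}
		}
	}
	return out
}

func main() { // constructed input
	fmt.Println(Apply(http.Header{"X-Debug": {"1"}}, []HeaderOp{{Name: "x-debug", Operation: REMOVE}}, true))
}
```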
</section>
<h2 id="StringMap">StringMap</h2>
<section>
<p>An instance field of type StringMap denotes that the expression for the field must evaluate to
<a href="#ValueType-STRING_MAP">ValueType.STRING_MAP</a>.</p>
<p>Objects of type StringMap are also passed to the adapters at request time for the instance fields of
type StringMap.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="StringMap-value">
<td><code>value</code></td>
<td><code>map&lt;string,&nbsp;string&gt;</code></td>
<td>
<p>StringMap encoded as a map of strings</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="TimeStamp">TimeStamp</h2>
<section>
<p>An instance field of type TimeStamp denotes that the expression for the field must evaluate to
<a href="#ValueType-TIMESTAMP">ValueType.TIMESTAMP</a>.</p>
<p>Objects of type TimeStamp are also passed to the adapters at request time for the instance fields of
type TimeStamp.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="TimeStamp-value">
<td><code>value</code></td>
<td><code><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#timestamp">Timestamp</a></code></td>
<td>
<p>TimeStamp encoded as google.protobuf.Timestamp.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Tls">Tls</h2>
<section>
<p>Tls lets the operator specify client authentication settings when TLS is used for
the connection to the backend.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Tls-ca_certificates">
<td><code>caCertificates</code></td>
<td><code>string</code></td>
<td>
<p>The path to the file holding CA certificates to trust in addition to the well-known
public certs.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Tls-token_path" class="oneof oneof-start">
<td><code>tokenPath</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>The path to the file holding the auth token (password, jwt token, api
key, etc).</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Tls-oauth" class="oneof">
<td><code>oauth</code></td>
<td><code><a href="#OAuth">OAuth (oneof)</a></code></td>
<td>
<p>OAuth config to fetch the access token from the auth provider.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Tls-auth_header" class="oneof oneof-start">
<td><code>authHeader</code></td>
<td><code><a href="#Tls-AuthHeader">AuthHeader (oneof)</a></code></td>
<td>
<p>Access token is passed as authorization header.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Tls-custom_header" class="oneof">
<td><code>customHeader</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>Custom header key to hold the access token, e.g. x-api-key. The token is
passed as is.</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Tls-server_name">
<td><code>serverName</code></td>
<td><code>string</code></td>
<td>
<p>Used to configure the Mixer TLS client to verify the hostname on the returned
certificates. It is also included in the client&rsquo;s handshake to support SNI.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Tls-AuthHeader">Tls.AuthHeader</h2>
<section>
<p>AuthHeader specifies how to pass the access token in the authorization header.</p>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="Tls-AuthHeader-PLAIN">
<td><code>PLAIN</code></td>
<td>
<p>The access token is passed in the authorization header as is
(authorization: some-token).</p>
</td>
</tr>
<tr id="Tls-AuthHeader-BEARER">
<td><code>BEARER</code></td>
<td>
<p>The access token is passed to the adapter as a bearer token (i.e. authorization:
bearer some-token).</p>
</td>
</tr>
</tbody>
</table>
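<p>An added sketch, not Mixer&rsquo;s own code, of how the two <code>oneof</code> groups in <code>Tls</code> and the <code>AuthHeader</code> values determine the header that carries the token. The <code>Tls</code> struct, <code>TokenHeader</code> and the CR/LF check are assumptions of this example.</p>

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Tls models the Tls message. An empty string or false stands in for an
// unset oneof member (an assumption of this sketch).
type Tls struct {
	TokenPath    string // first oneof group
	OAuth        bool   // first oneof group: true when an oauth block is set
	AuthHeader   string // second oneof group: "PLAIN" or "BEARER"
	CustomHeader string // second oneof group, e.g. x-api-key
}

// TokenHeader checks both oneof groups, then returns the header name and
// value that carry token to the backend.
func TokenHeader(c Tls, token string) (name, value string, err error) {
	if (c.TokenPath != "") == c.OAuth {
		return "", "", errors.New("set exactly one of tokenPath, oauth")
	}
	if (c.AuthHeader != "") == (c.CustomHeader != "") {
		return "", "", errors.New("set exactly one of authHeader, customHeader")
	}
	// Extra check added by this sketch: a token file often ends in a newline,
	// and CR/LF must never reach a header value.
	if strings.ContainsAny(token, "\r\n") {
		return "", "", errors.New("token contains CR or LF")
	}
	switch {
	case c.CustomHeader != "":
		return c.CustomHeader, token, nil // passed as is
	case c.AuthHeader == "PLAIN":
		return "authorization", token, nil
	case c.AuthHeader == "BEARER":
		return "authorization", "bearer " + token, nil // as written on this page
	}
	return "", "", fmt.Errorf("unknown authHeader %q", c.AuthHeader)
}

func main() {
	// Constructed path and token, for illustration only.
	c := Tls{TokenPath: "/constructed/token", AuthHeader: "BEARER"}
	fmt.Println(TokenHeader(c, "some-token"))
}
```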
</section>
<h2 id="Uri">Uri</h2>
<section>
<p>DO NOT USE!! Under development.
An instance field of type Uri denotes that the expression for the field must evaluate to
<a href="#ValueType-URI">ValueType.URI</a>.</p>
<p>Objects of type Uri are also passed to the adapters at request time for the instance fields of
type Uri.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Uri-value">
<td><code>value</code></td>
<td><code>string</code></td>
<td>
<p>Uri encoded as string.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="Value">Value</h2>
<section>
<p>An instance field of type Value denotes that the expression for the field is of dynamic type and can evaluate to any of the
<a href="#ValueType">ValueType</a> enum values. For example, when
authoring an instance configuration for a template that has a field <code>data</code> of type <code>istio.policy.v1beta1.Value</code>,
both of the following expressions are valid: <code>data: source.ip | ip(&quot;0.0.0.0&quot;)</code> and <code>data: request.id | &quot;&quot;</code>;
the resulting type is ValueType.IP_ADDRESS for the first and ValueType.STRING for the second.</p>
<p>Objects of type Value are also passed to the adapters during request-time. There is a 1:1 mapping between
oneof fields in <code>Value</code> and enum values inside <code>ValueType</code>. Depending on the expression&rsquo;s evaluated <code>ValueType</code>,
the equivalent oneof field in <code>Value</code> is populated by Mixer and passed to the adapters.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="Value-string_value" class="oneof oneof-start">
<td><code>stringValue</code></td>
<td><code>string (oneof)</code></td>
<td>
<p>Used for values of type STRING</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Value-int64_value" class="oneof">
<td><code>int64Value</code></td>
<td><code>int64 (oneof)</code></td>
<td>
<p>Used for values of type INT64</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Value-double_value" class="oneof">
<td><code>doubleValue</code></td>
<td><code>double (oneof)</code></td>
<td>
<p>Used for values of type DOUBLE</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Value-bool_value" class="oneof">
<td><code>boolValue</code></td>
<td><code>bool (oneof)</code></td>
<td>
<p>Used for values of type BOOL</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Value-ip_address_value" class="oneof">
<td><code>ipAddressValue</code></td>
<td><code><a href="#IPAddress">IPAddress (oneof)</a></code></td>
<td>
<p>Used for values of type IPAddress</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Value-timestamp_value" class="oneof">
<td><code>timestampValue</code></td>
<td><code><a href="#TimeStamp">TimeStamp (oneof)</a></code></td>
<td>
<p>Used for values of type TIMESTAMP</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Value-duration_value" class="oneof">
<td><code>durationValue</code></td>
<td><code><a href="#Duration">Duration (oneof)</a></code></td>
<td>
<p>Used for values of type DURATION</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Value-email_address_value" class="oneof">
<td><code>emailAddressValue</code></td>
<td><code><a href="#EmailAddress">EmailAddress (oneof)</a></code></td>
<td>
<p>Used for values of type EmailAddress</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Value-dns_name_value" class="oneof">
<td><code>dnsNameValue</code></td>
<td><code><a href="#DNSName">DNSName (oneof)</a></code></td>
<td>
<p>Used for values of type DNSName</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Value-uri_value" class="oneof">
<td><code>uriValue</code></td>
<td><code><a href="#Uri">Uri (oneof)</a></code></td>
<td>
<p>Used for values of type Uri</p>
</td>
<td>
Yes
</td>
</tr>
<tr id="Value-string_map_value" class="oneof">
<td><code>stringMapValue</code></td>
<td><code><a href="#StringMap">StringMap (oneof)</a></code></td>
<td>
<p>Used for values of type STRING_MAP</p>
</td>
<td>
Yes
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="ValueType">ValueType</h2>
<section>
<p>ValueType describes the types that values in the Istio system can take. These
are used to describe the type of Attributes at run time, describe the type of
the result of evaluating an expression, and to describe the runtime type of
fields of other descriptors.</p>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ValueType-VALUE_TYPE_UNSPECIFIED">
<td><code>VALUE_TYPE_UNSPECIFIED</code></td>
<td>
<p>Invalid, default value.</p>
</td>
</tr>
<tr id="ValueType-STRING">
<td><code>STRING</code></td>
<td>
<p>An undiscriminated variable-length string.</p>
</td>
</tr>
<tr id="ValueType-INT64">
<td><code>INT64</code></td>
<td>
<p>An undiscriminated 64-bit signed integer.</p>
</td>
</tr>
<tr id="ValueType-DOUBLE">
<td><code>DOUBLE</code></td>
<td>
<p>An undiscriminated 64-bit floating-point value.</p>
</td>
</tr>
<tr id="ValueType-BOOL">
<td><code>BOOL</code></td>
<td>
<p>An undiscriminated boolean value.</p>
</td>
</tr>
<tr id="ValueType-TIMESTAMP">
<td><code>TIMESTAMP</code></td>
<td>
<p>A point in time.</p>
</td>
</tr>
<tr id="ValueType-IP_ADDRESS">
<td><code>IP_ADDRESS</code></td>
<td>
<p>An IP address.</p>
</td>
</tr>
<tr id="ValueType-EMAIL_ADDRESS">
<td><code>EMAIL_ADDRESS</code></td>
<td>
<p>An email address.</p>
</td>
</tr>
<tr id="ValueType-URI">
<td><code>URI</code></td>
<td>
<p>A URI.</p>
</td>
</tr>
<tr id="ValueType-DNS_NAME">
<td><code>DNS_NAME</code></td>
<td>
<p>A DNS name.</p>
</td>
</tr>
<tr id="ValueType-DURATION">
<td><code>DURATION</code></td>
<td>
<p>A span between two points in time.</p>
</td>
</tr>
<tr id="ValueType-STRING_MAP">
<td><code>STRING_MAP</code></td>
<td>
<p>A map string -&gt; string, typically used by headers.</p>
</td>
</tr>
</tbody>
</table>
</section>